Here’s a basic guide to start implementing some DLP policies. In this small walk-through I’ve documented how to create a basic DLP policy. 

If you do not currently have access to Microsoft 365, here are some options to sign up for a 30-day trial. You’ll need at least an Office 365 E3 plan:

https://www.microsoft.com/en-gb/microsoft-365/business/compare-more-office-365-for-business-plans

1. Log on to https://portal.office.com

2. Select the ‘Admin’ app

3. Scroll down and, under ‘Admin Centers’, select the ‘Security and Compliance Center’

4. The two sections you’ll need to take note of for this exercise are ‘Policy’ and ‘Sensitive Info Types’. Click ‘Policy’

5. In the right-hand pane select ‘Create New Policy’

6. On the next screen select the following:

  •  Show Options for United Kingdom
  •  Privacy
  •  UK Personally Identifiable Information (PII) Data

7. Click ‘Next’

8. Give your policy an appropriate name and description

9. On the next screen you get to choose which locations in Office 365 you can apply the policy to. The default locations are:

  • Exchange email
  • Teams chats
  • OneDrive documents
  • SharePoint documents

10. Keep the default option ‘Protect content in Exchange email, Teams chats and channel messages and OneDrive and SharePoint documents’ and click ‘Next’

11. Check the policy settings. The policy will protect the following data types:

  • U.K. National Insurance Number (NINO)
  • U.S. / U.K. Passport Number

Detection occurs when someone attempts to share content with external users outside your organisation.

12. Click ‘Next’

13. On the final screen select the following options:

  • Restrict access or encrypt the content
  • Block people from sharing and restrict access to shared content

14. On the next screen keep the default options and click ‘Next’

15. On the next screen leave the policy set to the default option ‘I’d Like to test it out first’ and click ‘Next’

16. Review your settings on the final page and click ‘Create’
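For repeatable deployments, the same policy can be approximated from Security & Compliance PowerShell. This is an added example, not part of the original walk-through: the account, policy name, comment text, the `minCount` threshold and the choice of `TestWithNotifications` are assumptions, and the wizard's template may create rules with different thresholds.

```powershell
# Added example: values marked "assumed" are illustrative, not from the original post.
# Requires the ExchangeOnlineManagement module and a compliance admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # assumed placeholder account

$policyName = 'UK PII external sharing test'                     # assumed name
$infoTypes  = @(
    'U.K. National Insurance Number (NINO)',
    'U.S. / U.K. Passport Number'
)

# Fail early if a sensitive info type name does not resolve in this tenant.
foreach ($type in $infoTypes) {
    if (-not (Get-DlpSensitiveInformationType -Identity $type -ErrorAction SilentlyContinue)) {
        throw "Sensitive info type not found: $type"
    }
}

# Steps 8-10 and 15: name, default locations, test mode.
# TestWithNotifications is an assumption; TestWithoutNotifications suppresses Policy Tips.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detects UK PII shared outside the organisation' `
    -ExchangeLocation All -SharePointLocation All `
    -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Steps 11-13: match either data type when shared externally, then block access.
# minCount of 1 is an assumed threshold.
New-DlpComplianceRule -Name "$policyName rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = $infoTypes[0]; minCount = '1' },
        @{ Name = $infoTypes[1]; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true

# Confirm the policy has been distributed to all locations before testing it.
Get-DlpCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Mode, DistributionStatus
```

Keeping the policy definition in a script also gives you a reviewable record of which data types and locations are covered.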

Considerations:

  • When a DLP policy is created, the policy can take up to 1 hour to become active. I’ve noticed in some cases the policy worked after a relatively short period, but my Policy Tips took some additional time before they populated in Outlook or Office docs.

In Part 2 I’ll show you how to modify the existing policy, add additional Sensitive Info Types and set up notifications.