In Part 3 I’ll walk-through the process of switching on and testing this policy.
These exercises are completed in a Tenant where I know the Risk and Impact will be low so please ensure you test these in an environment where are able to turn on the policy without impacting a production environment.
Microsoft have a very good guide here on how to roll out DLP Policies and the steps you should consider when doing so.
One further consideration to test before going live is that you can run tests from Security and Compliance>Classification>Sensitive Info Types. Simply select you sensitive info type, double-click it and use the option ‘Test Type‘
Use a dummy credit card number which can be generated here
Save the number to a sample text file ready to be scanned by Microsoft 365
For this example I’ll use the Credit Card Number sensitive info type
Browse to the file or drag and drop the sample text file with a sensitive info type to test the outcome
Please note that this is just testing for a credit card number, in the full DLP policy the content is detected with at least 2 pieces of information. For details see here
1. Open the ‘Security and Compliance‘ from the Microsoft Admin Center
2. Find the policy you created in Part 1 and select it
3. Edit the policy
4. Set the policy to ‘Yes, turn it on right away‘ click ‘Save‘
5. Policy status should now be set to on
The policy may take up to an hour to apply once you enable for documents and e-mail
6. Use the sample text file you created earlier with the credit card number in it
a. Create a new mail message
b. Add an external recipient
c. Add an attachment with the credit card number
You’ll notice that the policy does not detect the data inside the attachment, this is because you need 2 types of data to validate that this is a credit card
Close the email and don’t save it. Open the sample text file and add the word ‘Visa‘ before the number, with a space and save it. Carry step 6 again and notice the difference
This time you will see the Policy Tip notifying you of a problem with the data in your attachment. You have the option to override with business justification or confirm there is no sensitive data. You cannot send the email without selecting one of these options
7. You can also test this by adding the text directly to the body of the message, you’ll see the same output
Before starting with DLP define what the problem is that you are looking to solve.
Consult Microsoft’s documentation for all the information, Part’s 1-3 is just to enable some light hands on practice to get started with DLP.
Design you policies and rollout plan with you key stakeholders and users in mind and keep them involved throughout the process
Decide on some scenarios for DLP and look at testing these within a safe environment