1. Planning Security and Compliance Roles
Within Microsoft 365, you have a lot of opportunities to assign role-based access control (RBAC permissions to people. One of those is working within the Security and Compliance Center. in the Security and Compliance Center. If I were to go in here and click on permissions, you’re going to see a lot of preconfigured roles. And I have the ability to grant people the option of, for example, being an Ediscovery person.
They can go out there and do my Discovery searches. I can make somebody a compliance manager and give them the ability to go out there and apply various retention and data loss prevention policies to my environment. And if you’re not sure what a role does, you don’t have to worry too much about it. If you come into the permissions section, let’s go in and look, for example, at a compliance administrator, and I’ll select it. Now, when you select that, it’s actually going to show you all of the various things that that role gives somebody. Because when you talk about role-based access control, we’re taking lots of individual permissions and grouping them together right into a role, which we can then assign to someone in our environment. so you can see all of the various roles that they have. You have the ability to edit the members to grant or remove someone from that right. So I can click on the edit button there, go, and we’ll edit the members here. Now, if I wanted to write, I could select a user here, say Ellen, and delete her. I could go out there and select Aminus and remove Ellen from the environment.
So now we have just Ethan as the compliance administrator. I could also, of course, go back in if I wanted to and add a user, and I would have the ability to pick somebody that I wanted to assign that role to and add them in. For example, let’s go out there, and we’ll add in our good friend Carlos and give him that role instead. We can save that. So now, next time Carlos logs in, he’ll pick up the ability to be a compliance administrator instead of Ellen, right? So if you’re not sure what a role does before you assign it, you want to learn about it and read about it. So make sure you come and select the role and read what that role actually gives that person, right? It gives you that ability. And there’s a nice, a lot of these have a nice description so you can understand a little bit more about what the role will offer that individual in terms of permissions and why you might assign it to somebody. You do have the ability, if you wanted to, to actually create your own rules.
So, if there isn’t a role that meets your requirements, if you require some type of compliance administration but not all of them, Yeah, I could go into the Compliance Admin and modify those permissions, or I could just create a new role, go out there, and we’ll just call this one our demo role here, and we’ll click Next. Now we can go out there and choose the roles that we want to add in, and you can see all of the individual permissions that are grouped together that I can go out there and assign to this role. Once I pick the roles that I want them to have and the permissions I want them to have, I can then assign them to some users. So you don’t have to use just the default ones, which are the ones that are included in the environment. If you wanted to, you could go out there and actually create your own. We’re going to go ahead and cancel that. We don’t need to because we like all the default rules that are there. But you have the ability to assign these permissions in the Security and Compliance Center for your users. Understand that these permissions are about the Security and Compliance Center and the things we do in here.
If I wanted to make someone a SharePoint Administrator and an Exchange Administrator, I’d have to do it elsewhere. And in fact, looking at the Security, Compliance, and Permissions section, for certain permissions, you may need to use some of the other features, and they actually give you a link. If you look up at the top here, you can see that you have the ability to go to the Exchange Admin Center or go to the Document Deletion Policy Center. When you click on that, what it actually does is take you to the permissions section of that environment. So I’m not actually opening up the full EAC here. I’m opening up the permission section of the Exchange Admin Center so I can give somebody role-based access control to that environment.
2. Reviewing GDPR Needs
A lot of organisations are going to have to be concerned with various compliance policies that their organisation needs to meet based on either regulatory or corporate guidelines. Fortunately, Microsoft gives us a lot to help us in our efforts to solve those compliance issues, gain information, and guide us through things that we might need to accomplish in order to achieve our goals. One place that we can actually look is if we go to the Service Trust Portal. Service providers trust Microsoft.com, right? Go and log into the Service Trust Portal, and we can start scanning and looking for information about various audit reports.
So if you’re in FedRAMP compliance and need to see the audit report that was done on Microsoft, you can gain access to all of that information. So you can actually drill deeper. Your compliance officers can see exactly what Microsoft is doing to meet those requirements. They’re also going to give us access to some stuff like pen tests and security assessments in our environment. And notice we have this thing called the Compliance Manager. Well, if we click on Compliance Manager here, it’s going to open up the Compliance Manager environment for us in this Compliance Manager, right? First off, notice that you can go into the classic look of it or you can go into the newer version of it. This one is still in the process of being modified. We’ll take a quick look at it just to see that it’s in preview right now. Basically, they’re going to change the look and feel of how this environment works. But for the most part, it’s going to provide the same services that we’re always used to.
We’re still going to be able to go in there and look at the various service offerings and see what kinds of compliance issues we actually have in this environment. But for now, let’s go ahead and dive into the classic one. And if we’re in the classic compliance manager’s office at the top, they give you a tour. Feel free to go ahead and take that tour and look around in it if you want to. But then, if you start scrolling down a little bit, you’re going to see various options that are available for you. And one of the things we can look at here is GDPR. GDPR is certainly a popular item in terms of things that people have to worry about right now, right.The general data protection rights that we have to deal with in the EU right now, the GDPR, we can look at and say, “Oh, 264 out of 626, I’m doing pretty well, right?” That’s not too shabby.
When we think about, say, the secure score, which we may have talked about in another video here, 264 out of 626 seems like you’re doing well. But in reality, what that’s saying is, “Hey, Microsoft has done everything that they can within their power to make sure their environment is GDPR compliant.” But we’ve done nothing at that score level, and I have done absolutely nothing on our side. So this is a shared approach to meeting compliance, right? Microsoft has certain obligations that they have to take care of, but on the customer side, there are obligations that we need to take care of too. But with this compliance manager, I have the ability to drill a little bit deeper into GDPR, open it up, and I can actually see things that I need to accomplish. So we can open this up, and I can see, for example, here, controls and articles identifying document purposes. I need to be able to go out there and set that up and configure it. Now, here’s the nice part about this: With the compliance manager, I can go through here and have the ability to assign these out to somebody. I can go out there and decide that I want Carlos to handle this right now. And I’ll say this is going to be a medium-priority item.
Please finish by the end of the month so that we can assign it to Carlos. So he has the instruction; he understands what our goals are there, right? And then once it’s done, we’ve got it planned. Now, in our environment, once it’s done, we have the ability to go out there and set an end date target for it, go out there and say that we’ve tested it and completed it, and then say that it is in fact completed. Once we’ve gone through all of that, we will then get the six points for having completed that added to our compliance score and increase the compliance score for GDPR. So you can go through GDPR and look at the compliance manager. And one of the other areas that we actually have is in the Security and Compliance Center. If we go down here to the data privacy section and we open that up, you’ll see we have a GDPR dashboard, right?
The GDPR dashboard is where we can go and see if we have any data subject requests where somebody has asked us to search and expose to them all the personally identifiable information that we’ve retained and, if need be, to remove some of it from our environment in compliance with GDPR. So we get access to that. We get access to the GDPR toolbox here; click on that again so we can discover personally identifiable information, go out there and auto-apply labels and dispositions, and notice they have a link right to the compliance manager for the GDPR environment as well. Out here, we’ve got the ability to apply some protections to make sure, like with data loss prevention policies that do not expose PII (personally identifiable information). Then we can go out there and respond to some of the data subject requests we have out there, as well as any legal investigations we have. So they’re giving us lots of tools so that we can meet and satisfy all of our GDPR requirements in the Microsoft 365 world.
3. Building an Ethical Wall
Sometimes, within an organization, you have either a legal or a corporate policy that dictates that certain groups are not allowed to communicate with other groups within the organization.
You may have to comply with a federal rule that requires, for example, that the marketing department and the brokers do not communicate with each other in order to avoid undue influence from one side or the other in a financial transaction. But, in any case, you can leverage and use Exchange to help you build that ethical wall. That is to say, with the Exchange, I could stop people within my organisation from communicating between two different groups if I wanted to. Now, what you have to understand is the extreme limitation of that, right? I can build this ethical wall inside Exchange Online and have the ability to stop somebody from sending something over to the brokers, for example. But I can’t stop them from going out to lunch together. I can’t stop them from calling each other.
I can’t stop them from sending interoffice memos to each other. I only have the ability to stop them in exchange. So we’re not sending emails to each other and building that ethical wall. If you wanted to do it in exchange, you would actually do it as part of a mail transport rule. So I’m going to go into the mailflow here in the Exchange Admin Center, and under my rules, I’m going to click that. I want to create a new rule, but the rule that I want to create here is to restrict messages by sender or recipient. So we’ll open that up, and we’ll give this a name. We’ll just call this our ethical wall. Right? Now we can apply this rule. To what? In this case, if the message is between members of these groups, the idea would be to create two separate distribution lists and deny the ability for those people and DLS to send to each other. So if they’re on the list, they won’t be able to send it to somebody else on the list. So we’ll go ahead and say this message is between members of these groups. Then you select the groups, right? So I’m going to go over here and I’m going to select, in this case, our brokers first. We’ll add them in, and then the second group we’ll select will be the marketing group. We’ll add them in. Now we have to decide what action we want to take. Maybe you just want to block it entirely.
You don’t want them to ever be able to send messages. And you could go out there and do something like, say, reject the message with an explanation. And, per policy, you are not allowed to email these people, one dot, two dots, three dots, or whatever, so that when the user goes to send it, they get that rejection message back. You can go out there and call it a rejection if you want to. Some of the other things that we could do instead of rejecting it are: I could forward the message to a person for approval. Maybe we want to reject most communications, but there are times when we need to communicate with each other via email. In that case, we could have somebody who is the arbiter of that, who actually receives all these messages and approves the ones that should continue on but can reject the ones that can’t. Maybe you have your corporate attorney, for example, review these, and you can go out there and stop that. So you can block it or you can forward it for approval, whichever way you want it to go out there, and we’ll just say sorry that it’s against policy and save that. And now we have an ethical wall built between our marketing department and our brokers within our mail organization.
4. Working with a Retention Policy
Sometimes you’re going to need to be able to enforce the retention of items in your organization. You can actually do this with your security, compliance, and retention policies. The retention policies will help us with any type of regulatory or corporate compliance to actually preserve data for a given period of time. We can also use a retention policy not to preserve data but to get rid of it. For example, if we are required to keep information for seven years, and after seven years, we can actually automate the process of getting rid of that so that we don’t have things that are seven years and one day old. So you can decide if you want to use it. You could also use the retention policy to delete items if you wanted to. Heck, you could even use it to delete items you’re not retaining. Right? We could just simply say, “You know what? We want to be able to clean things up a little bit.”
So if a document has been around for six years and hasn’t been modified, let’s go ahead and delete it, and we can automate the deletion of that if we wanted to in the environment. Now, if you apply a retention policy to a location, a library, your OneDrive environment, your mail, or wherever you’re applying it to teams and the item being retained is unchanged, that is, a user does not try to edit or delete the item, nothing happens to it. It stays in its original location. Right. It’s got a retention policy applied to it, but since the document isn’t being modified, it can just sit there. If, however, we go to edit the content and somebody goes to delete the content, at that point in time, the content that’s there that’s been covered by that retention policy needs to be protected and will be protected in various ways depending on where that content is located. If it’s a SharePoint or OneDrive environment, there is an actual Preservation Holds Library, which is a hidden library that the standard user would not be able to see.
If I were to open a document that had a retention policy on it from a SharePoint library or One Drive for Business and start making changes to it, it would actually take a copy of the original document and save it over to the Preservation Holds Library. When somebody were to do a content search, a legal hold search, or something like that, the items in the Preservation Hold Library would appear. They’ll be able to track them down and return them to the state they were in before the retention policy application. If you’re working with a mailbox, someone’s inbox or outbox, and we’ve placed preservation holds on the content in those boxes, as well as public folders. With Exchange, these go into a hidden folder called the Recoverable Items Folder. And again, the idea is that the items will be available to us if we were to do a search; they’re indexed, and they will return the results to us if we actually needed them in the environment. If we’re using teams with teams, it actually works a little bit differently in terms of its content.
All of the chat information in teams is actually using the Azure Power Chat service now, so it has an Azure Power Chat service, and that’s where the data is actually being stored in Azure. And by default, that data is actually there forever. Now, if we wanted to delete stuff, we would have the ability to go through and apply policies to delete things. Currently, in teams, you can’t delete things until they’re at least 30 days old, right? So even if you had a desire to get rid of it sooner, you couldn’t. Now, Microsoft is looking into the possibility of reducing that range, and you may find that they have, but for now, you have 30 days before you can delete achat from the team’s environment in there, if that’s what you wanted to do. Now, when you’re creating a retention policy, you can create organizational-wide policies that are going to go out there and apply retention to everywhere in your entire organization, but you’re limited to only ten of those policies. That’s the maximum you can have in your entire tenant account for.Orgwide.
Instead, you have the ability to also go out there and create policies that either include specific users or specific locations in SharePoint or exclude specific users or locations in SharePoint. When you’re using an inclusion or exclusion rule, there are some limits. The maximum inclusion or exclusion I can do in mailboxes is 1000 mailboxes, and the maximum sites I can include or exclude are going to be 100 sites. Right? And as you can see, I can have no more than 1,000 of this type of retention policy. That includes our retention, our exclusion, and our inclusion or inclusion in that policy. So there are some limits to how many retention policies we have, which means we may need to think about our needs. And if we’re going to exceed some of those limits, we might want to combine some of those policies into one.
5. Creating a Retention Policy
In order to retain content, you actually have the ability to create a retention policy in the Security and Compliance Center. So from the Security and Compliance Center, I’m going to go into my Data Governance section, and under Data Governance, you see I have the ability to go out there and click on Retention. Now, once you click on retention, you have the ability to create a policy.
I’m going to go ahead and just click on the create button. Here we’ll go through some of the choices. For now, let’s just say general retention. All right, give it a title there. We can put in the description if we want to, and we’ll click next. Now, you’ll notice that the first thing I have to decide is, what’s the policy’s purpose? Am I going to go out there and retain content for a given period of time so I can retain it for a certain period of time? We could retain it forever if we wanted to. I could leave it on indefinitely, but we could say keep it on for a set period of time, say seven years here. Now that we also have to tell it, when do we start counting the time? If I’m going to retain it for seven years from when it was created or when it was last modified, because that’s going to be a big difference.
We will keep a document that is frequently opened and edited for the rest of our lives. Because if it had been seven years since it was last modified, whereas if the same document had been created seven years ago, even if someone was making changes to it today, it could very well be up for retention or deletion if we choose to do so tomorrow, right? So we have the ability to go out there and make that decision. So we’ll go ahead and save, say, from when it was last modified. Now you can choose; okay, the retention policy says you have to keep it for seven years, but it doesn’t force you to get rid of it. At the end of that, we can say, “No, don’t delete it.” After that time, we’ll just leave it there, and then somebody can go through and do a disposition review. Or do we have the ability to say, “You know what?” Yeah, delete it. You may want to do that because, in certain organizations, especially if you’ve ever been involved in litigation, you may find that if you’re served with a subpoena and you’re required to provide, say, all employee personnel records, but if you’re legally only required to keep those going back seven years, then that would be all. You would think that you would return over.
But if you had a habit of keeping them forever, even though you legally only had to provide them for seven years, you may have to still provide all of the ones that you kept, even though you were legally only required to do it for seven years. People sometimes like that automated disposition because it helps them reduce their exposure in that environment. So you can choose whether you want to delete it after that or not.
Now, the other thing we can do is, instead of having this to retain content, we can use these policies simply to get rid of content. In other words, if you create something and you put it in a document library that we’re going to apply this to, we’re going to delete it after a year, but we’re not going to force you to keep it for a year. You could go in there one month after you created it and delete it, and that’s fine, right? But the policy will say that after a year, we’re going to get rid of it, and we have the ability to delete that. But for now, let’s go ahead and say we’re going to retain this and we’re not going to force the deletion, right? And we’ll proceed to click next there. Now I choose the location, right? And you can see that we have various locations that we can choose from, and we can even turn on our teams. But notice what happened there when I turned on the team’s channel messages—all of these other places turned off, right?
You cannot have a retention policy that handles your data for all other areas of 365 while also including teams. Everything else becomes unrestrainable as soon as you go out there and activate teams. What that’s telling you is that if you want to have a retention policy for teams, you need to create one for teams and one for everywhere else, okay? Because it is stored in Azure Chat, it requires a different policy to be applied to it. So that’s why we’re going to have to go out there and have separate policies. In fact, if you look at the org-wide policy, you’ll notice that the word “teams” is not mentioned at all. So Exchange has email, public folders, and OneDrive groups, whereas SharePoint does not have teams. No teams. So keep in mind that if you want to do this for teams, you’ll need to create a separate policy. For now, we’ll just do it orally, and we’re not going to worry about teams. And then we can click next, review our settings, and create a policy. Now I want to go back a little bit and take a look at another option that we didn’t choose, and that was the ability for us to go out there and use advanced retention settings, right?
So we can go out there and click on the “Advanced Retention Settings.” And now we have some choices, such as instead of only wanting to work with that based on its location, I could say, “You know what, we only need to retain things that have certain words in them.” If we have some legal requirement to keep every document that has something to do with our merger in it, Maybe we want to retain those documents. org wide. If you see the word “merger” in the document, we can go out there and do it based on a word; we can even do it based on a sensitive information type. Microsoft has lots of different sensitive information types already. If I chose that, I could goxt, and then I’d be able to go out there and find the sensitive information type I wanted to work with and set that up. And let’s say, for example, that right now we’ll just go out there and choose our GDPR here, right? So it’s going to retain this if it has any of these types of information in it. So you can go through and set that up. We’ll go back a little bit here. We could also say, just based on words, that it essentially opens a box. Okay? Now I can put a word or phrase in here, and any document that has that would have the ability to be retained, and then I can set the period for how long we want to retain it.
So we can get a little bit more advanced with this. If you wanted to be a little more specific than just using generic locations for where you wanted to keep your data, you could. And then you can create your policy for the environment. Now, after you’ve created your policy, you have the ability to go back there and edit and modify it, right? That is a choice that you have. Let me go ahead and open this back up for a moment. There we go. And you can see that I was able to edit the locations and the various places I wanted to visit. But what I wanted to show you is that there’s something down here called preservation lock, okay? and you can see it’s greyed out right now. Certain organisations have to meet federal or other regulatory guidelines that require them to maintain certain types of information. And in addition to that, the regulation requires that they not have the ability to retain it. In other words, they don’t have the ability to go in and stop that retention. If that’s the case for your organization, you create a retention policy and put it on preservation lock, okay? Once you do that, that retention policy can never be turned off.
You can ask Microsoft all you want; you can beg; you can plead; but they’re not going to be able to turn that off. When you enable preservation lock, you can never reduce the scope of that retention policy. So if it was handling all of Exchange, for example, you could never say, “Okay, only these mailboxes.” Now you can’t change the scope to a reduced scope. You can increase the scope of it. I could say, “Okay, now let’s do it for exchange in SharePoint.” And I could increase the scope of it, and then SharePoint could no longer be reduced once I’ve done that. But the preservation lot can only be turned on via PowerShell. There used to be a little checkbox there, and some people would sometimes make the mistake of not knowing what it was and checking the preservation lock box and turning it on. Unfortunately, this meant that the preservation policy would remain with that tenant indefinitely. The only way to get rid of it, literally, is to tear down the building and create a new one. All right, so there is the preservation lock option if your organisation needs it, and you can turn that on, but you have to do it via PowerShell.
6. Data Loss Prevention
One of the features that we can configure in the Security and Compliance Center is data loss prevention. Now, a lot of exchange administrators are used to applying data loss prevention to their exchange environment, but DLP is actually able to be utilised across the entire Microsoft 365 environment. In other words, I can protect documents that are being stored in OneDrive for business. I can protect documents in SharePoint chats, teams, and things of that nature.
So I have the ability to go out there and apply DLP across a broad spectrum of the Microsoft environment. Now, what data loss prevention does for us is go out there and look for certain types of information that we want to prevent the exposure of. For example, I don’t want somebody’s Social Security number going out in an email. I don’t want somebody’s banking codes going out over a document that somebody might be attaching and loading into a OneDrive environment. I have the ability to prevent someone from sharing that information so that we do not unintentionally expose information that should be kept private. So we can go out there, and DLP will give us the ability to search for that information once it’s located, have policy applied to that information, and then also get reports on when we might have violations of that policy in the environment, right? So we can enforce these rules. And when you create a data loss prevention policy, the rules have conditions and actions, right? And the conditions aren’t just about the content. It’s also in the context. In other words, okay, we’ve got an email that has a Social Security number, and that might be some type of data that I want to protect, but it can also look at the context. Are we sharing this with someone inside our organization?
Are we sending this to someone outside the organization? Because depending on which one it is, we may choose to go ahead and allow it to be delivered, right? Maybe we’re a finance company, and we need to be able to send Social Security numbers within our environment. But if someone enters the wrong email address and thinks they’re sending it to Chris and accounting when it actually goes to their softball team’s friend Chris, we want to stop that. We want to prevent them from making a mistake like that. And that’s where data loss prevention actions will come into play. Because based on the condition, we have the ability to decide whether we want to block it, inform the user, or allow the user to override that option, and it gives us that capability, right? So the policy can be based on a template. In other words, Microsoft has gone through and actually created a bunch of prebuilt policy templates for some of the more common issues that we may face. However, we also have the ability to go out there and just create one from scratch. On our own, or if we wanted to, we could start with a template and modify it to better meet our needs, or we could go out there and actually work with it. We can now create those conditions based on sensitive information types within data loss prevention.
Now, those information types could be defined based on a strict formatter—three numbers, two numbers, four numbers being a Social Security number, for example. It could be based on some specific keywords if it finds them in there, or just some checksum composition, like a credit card number, to verify that it really is a credit card number and not a customer number, for example, to make sure that it works. So it can go out there and evaluate those patterns and figure out if the email contains anything that actually matches them. But it doesn’t have to be 100%. That’s the other thing, right? We can set the range so that if it’s like 75% of that type of number, maybe we stop it. But if it’s just a little, we’re not concerned about it because they’re not really going to be able to do anything with it. But once we’ve identified some information, we’ll decide what we’re going to do with that. We can completely block access to it, right? So the user can’t download it, and the user can’t share it out. The user can’t send an email with that information in it. Or we have the ability to go out there and send a notification. Alternatively, we could both block and notify the user to ensure that they understand the type of data we’re attempting to protect within the organization.
7. Creating a DLP Policy
So let’s take a look at how you can actually create a data loss prevention policy using the Security and Compliance Center. From the Security and Compliance Center, I’m going to actually go down and open up DLP, or Data Loss Prevention, and then I’m going to click on Policy. In this environment, you have the ability to go out there and click on the Create a Policy button. Now it’s going to start by putting you on the custom option, and if that’s what you want to create, you can certainly start and build your own policy. But you also have the ability to go out there and use one of the templates that are already preconfigured. If we, for example, go out there and click on “Financial,” maybe your organisation has a requirement to meet some US-based financial requirements. For example, if you’re part of the payment card industry, So if you accept credit cards, you may have to meet the PCI data security requirement. So we can go out there and just click on PCI Security for our PCI Data Security model, then click Next. It’s already given it a name. I don’t even have to name it because it’s going to just pick up the template name for me there. Then we can choose the location.
Now, unlike working with retention policies, note that the DLP policy can apply to exchange teams and all other areas in the environment. So I don’t have to have a separate policy for teams versus the other parts of Microsoft 365, like I would with a retention policy. For now, we’ll just go ahead and say we’ll protect everything. We’ll click next. There. Now, notice what it’s actually doing, right? It’s looking for credit card information, and when it detects it, what do you want to do? Well, it depends. When it’s with people outside my company, I want to stop it from going through. So we can go out there and just accept the template defaults. We’ll click there next. Now notice here we can show the policy tip to the user, which means we have the ability to have them get a little bit of information about why this message might be blocked in their organisation and why they shouldn’t be sending it. We can customise that tip. We can customise the email that’s going to be sent to them if we want to. But also note the default here: detect when the content that’s being shared contains at least ten instances.
So, if I leave that setting alone, I can send nine credit cards to someone outside my organization, but only after the tenth one is added to that email. Now, that email could be the text, the body of the email message, or it could be an attachment that I have attached to that document that has a whole bunch of credit card information in it. If ten is a little high for you, you certainly have the ability to lower that if you don’t think we should be doing it all. You can even set it down to one, right? All right, then send an incident report by email, and we can choose who will receive the report and what it will include.
So in this case, it’s going to be the site administrator, and I could add or remove people there, but it’s going to tell them who sent the content, who modified the content, and the severity of the rule there, right.And we can go out there and click “Next,” and we could test it first. Now, if you choose to test it first, you could test it with policy tips. And a lot of people think that this is a good way to kind of wean people into this notion of data loss prevention by turning the test on with policy tips. When somebody goes to do something that would violate this, they’ll get a policy tip saying corporate policy doesn’t allow this procedure. Whatever you want to put in there Something like “we don’t allow the procedure.” However, you’re not being blocked at present, but in the future, you will be. So we’ll understand that things are going to be changing here, right? so we can activate it later. So I can actually go out there and test it and do it with or without tips.
Now that I’m doing it without tips, I’m just going to start logging information. It’s going to start tracking the fact that they’re doing this, but it’s not going to be giving them any information about the fact that we’re tracking them. And of course, I can just turn this policy on and have people be able to go out there and not send those messages with credit cards in them. Now, you can go through and configure all of that using a template. So we did that from scratch. The other way we can go through this is by actually creating a custom template. So, if I select a custom policy here, let’s go out there and say this is going to be bank information that we want to deny; we’ll click next there, choose the location. For now, we’ll just do it across the board. Now find the content. So, in a custom policy, I’m going to click the edit button to decide what we’re looking for, what I’m going to look for here, right? It must contain at least one type of sensitive information or a label. I’m going to go out there and look at my sensitive information types, and I want to add some sensitive information types. As you can see, Microsoft provides us with a wide range of sensitive information. We can go out there and choose from So I’m going to go out there and say I’m going to worry about their bank routing number. That’s fine. And if we scroll down to the US here, There we go. Maybe their US passport number, their bank account number, or their driver’s licence numbers, right? individual taxpayer ID or Social Security number.
So you can see that we can choose a lot of different things that we wanted to include in this environment for our users, and we’ll just click on the Add button there. So now it’s looking for more than just credit cards, right? And I didn’t actually put my credit card in here. I could have added that in if I wanted to as well, right? But notice here it’s got a range from 75% to 100%, which means if it’s 75% of the way to a bank routing number, that’s going to be counted as an item, something that we’re going to go out there and exclude, right? So I’ve got my sensitive information types now that we’re looking for, and it’s going to detect it when, in this case, it’s from outside my organization. We’ll stick with that and click next there. And again, we can do the same thing in terms of showing the policy tips, what the count is going to be, and all of that. But let’s go back to one because I also have the ability to use some advanced settings, and with advanced settings we can actually go in there and set some ranges, right? So let’s go out there and customise the type of content we want to protect. So we’ll look at this new rule we’re going to protect out here, right?
And again, this is going to look very familiar because we just did this for the other types of sensitive information, but we’ll do it just for bank information, right? And we’ll add some conditions when the content contains—and what do we want the content to contain? types of sensitive information We’ll reinstate those in the Aba routing. We’ll scroll down here and do the credit card number, scroll down to the US section, the social security number, the driver’s license, the bank account number, the passport number, and the like. So now, if it contains any of that information, right, but notice the instant accounts that I have here from one to any; I can change those ranges out there, but we’ll discuss that in a minute. So we can go out there and create one. Now, I can go out there and make any exceptions if I want to. I’ve got some actions here where I can restrict access or encrypt it, but notice here with the user notifications: use notifications to inform the user and help educate them on the proper use of this information.
So we’re going to go out there and turn that on and notify the user, right? We can customise the email and the policy tip if we want to. For example, PII should not be sent to external individuals. And then we could choose to say, but you know, what we’re going to do is maybe sometimes there is a business need or a personal need for them to send this out, and we want to allow that; we’re going to let them override it. So you’ll see the policy tip, but then we can say, you know, if you provide a business justification, which just means they have to type an explanation, they can override it, or if they want to report it as a false positive, they can override it. So yeah, these aren’t really bank account numbers; these are something else. So they can override that in the environment.
So we can choose to allow them to override it. And then we’ll simply click the Save button and then Next. And again, we can test it or we can go out there and enforce the policy in that environment. Now, if we go back over to the policy that we just created earlier, which was the PCI policy, let’s open that one up for a moment. Let’s go in there and edit some of those settings for a moment, because what I want you to notice is that in the default template, it actually has two different levels: low volume and high volume. And if I wanted to, I could go out there and modify, you know, for the low volume. We’ll consider something to be low volume if it contains just one to, say, two credit cards. So if it’s got one or two credit cards in it, we’re good. We’ll go ahead and maybe give them the right to get the user notification, but we’ll give them the right to overwrite it out there and require justification.
But if it has three or more in it, we’re concerned not with 31, but with three or more in it, and we’re concerned enough with that that we’re not going to allow them to overwrite it, right? So we’re going to go in here and say, “In this case, we’ll notify the people out here, and we’ll turn the notifications on.” We can do that, but we’re not going to let people who see this tip do the override. So the people that only do one or two, okay, you can override yours, but the people that do more than that, no. And we also have the ability, if we wanted to, to stop interrupting people that were sending one or two, because we’re getting tonnes and tonnes of reports of people overriding it, and we didn’t realise that that was a business requirement. And it is. I can actually turn off the low part of that policy and just leave on the high part. So it does give you the ability to go out there and modify things in a different way. So let’s go ahead and save that. So you can create PCI or data loss prevention policies like the PCI one that we created from a template. You can create it in a custom way, or you can start with a template and then go out there and modify it.
8. Troubleshooting Policy Tips
When you set up data loss prevention policies, you may notice that the policy tips you want to display don’t always appear for your users. There could be lots of reasons why this is occurring, right? It very well may be the fact that the policy tips have been turned off. In Outlook, a user actually has the ability to go into their inbox and their options, and they can go through and actually turn off the display of policy tips. So if they’ve turned it off, they won’t see it. Now, that’s not going to prevent the blocking.
So if we have a DLP policy that’s going to stop somebody from sending a message with that, the message will still be rejected, but they’re just not going to see the policy tip on it. In the environment, they will not have that information ahead of time. Sometimes it might be that the sensitive data threshold is set too high, right? If, for example, I said that you cannot send an email with credit card information, but we set it to an account of 10, which is the default right now, somebody is sending nine credit cards all day long and not having a problem doing it, and you’re not having the impact that you would hope to have in the organization.
So you may need to lower that threshold so that somebody actually stops it and sees it. It could be that the setting is misconfigured. Sometimes people forget to check the notification as part of the policy, and if I don’t have any notifications going on, the user is not going to see the policy tip as an option. They won’t actually have that pop up on them. But here’s one of the other ones. If you want policy tips to show up, you have to have the full Office Suite installed on that computer. If somebody were to just install, say, Outlook because they didn’t need the rest of the suite, they wouldn’t see policy tips. The policy tip relies on some of the other parts of the office suite in order to expose them. They’re going to expose them in Outlook and in Word. They’re going to expose them in the Excel environment and PowerPoint if we’re applying them to documents that are being saved in a OneDrive business library, for example. But none of them will be seen if they do not have the full suite installed. As a result, make certain that you install the entire Office suite and not just parts of it.
