Data Loss Prevention in EXO
DESCRIPTION
A presentation aid and primer for adoption and approach strategy for Data Loss Prevention (DLP) in Office 365 Exchange Online. Written for IT and security management audiences.
TRANSCRIPT
Contents
• How to minimize risk
• Terminology
• Proposed implementation approach
• Phase I - Awareness
• Phase II - Governance
• Reporting
• Appendix A
How to minimize risk
• Although malware and targeted attacks can cause data breaches, user error is actually a much greater source of data risk for most organizations
• Exchange 2013 and Exchange Online provide technology that identifies, monitors, and protects sensitive data and helps users understand and manage data risk
http://blogs.msdn.com/b/microsoft_press/archive/2013/04/29/from-the-mvps-data-loss-prevention-with-office-365-and-exchange-online.aspx
Terminology
• Policy - Hosts the transport rules
• Transport rules - If and Then statements for emails that can warn or block activity. These rules can be applied to a country or region and can be run against data classifications.
• Data Classification - Data sets that use patterns to identify categories such as Finance, Personal Identification, and Health Information. Examples are Credit Cards, SWIFT Codes, Bank Account Numbers, Driver's License Numbers, Passport Numbers.
Proposed implementation approach
• Establish and refine DLP policies around the three data classifications: Finance, PII, and Health
• Two-step process as countries onboard
1. Awareness - make users aware of DLP violations by notifying them in Outlook. Using reporting, a grace period, or another method, we can have the country move to the second phase.
2. Governance - messages sent containing sensitive information are rejected with an explanation.
Phase I - Awareness
Finance Phase 1: Awareness
If the message:
Is sent to 'Outside the organization'
and The message contains these sensitive information types: 'International Banking Account Number (IBAN)' or 'SWIFT Code' or 'Credit Card Number' | Count >= 1
Take the following actions:
Set audit severity level to 'Medium'
and Notify the sender that the message violates a DLP policy, but send the message
PII Phase 1: Awareness
If the message:
Is sent to 'Outside the organization'
and The message contains these sensitive information types: 'U.S. Social Security Number (SSN)' | Count >= 1 | 100% Confidence
Take the following actions:
Set audit severity level to 'Medium'
and Notify the sender that the message violates a DLP policy, but send the message
Health Phase 1: Awareness
If the message:
Is sent to 'Outside the organization'
and The message contains these sensitive information types: 'U.K. National Health Service Number' or 'U.K. National Insurance Number (NINO)' | Count >= 1
Take the following actions:
Set audit severity level to 'Medium'
and Notify the sender that the message violates a DLP policy, but send the message
User experience - Awareness
Phase II - Governance
Finance Phase 2: Governance
If the message:
Is sent to 'Outside the organization'
and The message contains these sensitive information types: 'Credit Card Number' or 'International Banking Account Number (IBAN)' or 'SWIFT Code' | Count >= 7 | 100% Confidence
And the Sender is in Country:DE
Take the following actions:
Set audit severity level to 'High'
and Reject the message. Include the explanation 'Finance information in high volume was found in message, per Data Loss Prevention Policy unable to deliver your message.'
PII Phase 2: Governance
If the message:
Is sent to 'Outside the organization'
and The message contains these sensitive information types: 'U.S. Social Security Number (SSN)' | Count >= 7 | 100% Confidence
And the Sender is in Country:DE
Take the following actions:
Set audit severity level to 'High'
and Reject the message. Include the explanation 'PII information in high volume was found in message, per Data Loss Prevention Policy unable to deliver your message.'
Health Phase 2: Governance
If the message:
Is sent to 'Outside the organization'
and The message contains these sensitive information types: 'U.K. National Health Service Number' or 'U.K. National Insurance Number (NINO)' | Count >= 7 | 100% Confidence
And the Sender is in Country:DE
Take the following actions:
Set audit severity level to 'High'
and Reject the message. Include the explanation 'Health information in high volume was found in message, per Data Loss Prevention Policy unable to deliver your message.'
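The Finance rules from Phase I and Phase II, modelled as an added example (not part of the original deck and not Exchange's own classification engine). The function names, the regular expressions and the `governed` parameter are hypothetical; SWIFT codes and confidence levels are not modelled, and it is assumed that the Phase I notification still applies below the Phase II count.

```python
import re

# Simplified stand-ins for two of the Finance data classifications.
# Assumption: candidates are found by pattern, then confirmed by checksum.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")             # 16 digits, optional separators
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")  # unspaced IBAN only

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def iban_ok(iban: str) -> bool:
    """Mod-97 check: move the first four characters to the end, A=10..Z=35."""
    moved = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in moved)) % 97 == 1

def count_finance(body: str) -> int:
    """Number of checksum-valid card numbers and IBANs in the message body."""
    cards = (re.sub(r"[ -]", "", m) for m in CARD_RE.findall(body))
    return sum(luhn_ok(c) for c in cards) + sum(iban_ok(i) for i in IBAN_RE.findall(body))

def evaluate(body: str, external: bool, sender_country: str,
             governed=("DE",)) -> str:
    """Return 'reject', 'notify' or 'deliver' for one outbound message.

    Assumption: countries in `governed` have moved to Phase II, and the
    Phase I notify rule still applies to them below the Phase II count.
    """
    if not external:                      # rules only match 'Outside the organization'
        return "deliver"
    hits = count_finance(body)
    if hits >= 7 and sender_country in governed:
        return "reject"                   # Phase II: audit severity High
    if hits >= 1:
        return "notify"                   # Phase I: audit severity Medium, message is sent
    return "deliver"

# Constructed samples: a standard Luhn-valid test number and an example IBAN.
TEST_CARD = "4111 1111 1111 1111"
TEST_IBAN = "DE89370400440532013000"
BULK = "\n".join([TEST_CARD] * 7)
```

A number that matches the pattern but fails its checksum is not counted, which is why a pattern-plus-checksum classification produces fewer false Policy Tips than a bare digit match.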
User experience - governance
Can create custom text for message
Reporting
Because DLP notifies users while transport rules enforce, we can run reports against the DLP Policies, DLP Rules, and Transport Rules on sent email from Office 365.
Appendix A
• Microsoft Press blog on Exchange Online DLP
• Excel Details of DLP
Apply this Rule if…
The Sender
• is this person
• is external/internal
• is a member of this group
• address includes any of these words
• address matches any of these text patterns
• is on a recipient's supervision list
• has specific properties including any of these keywords
• has specific properties matching these text patterns
• has overridden the Policy Tip
• IP address is in any of these ranges or exactly matches
• domain is
The Recipient
• is this person
• is external/internal