Overview of data loss prevention policies

To comply with business standards and industry regulations, organizations need to protect sensitive information and prevent its inadvertent disclosure. Examples of sensitive information that you might want to prevent from leaking outside your organization include financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or health records. With a data loss prevention (DLP) policy in the Office 365 Security & Compliance Center, you can identify, monitor, and automatically protect sensitive information across Office 365.

With a DLP policy, you can:

  • Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, and OneDrive for Business.

    For example, you can identify any document containing a credit card number that’s stored in any OneDrive for Business site, or you can monitor just the OneDrive sites of specific people.

  • Prevent the accidental sharing of sensitive information.

    For example, you can identify any document or email containing a health record that’s shared with people outside your organization, and then automatically block access to that document or block the email from being sent.

  • Monitor and protect sensitive information in the desktop versions of Excel 2016, PowerPoint 2016, and Word 2016.

    Just like in Exchange Online, SharePoint Online, and OneDrive for Business, these Office 2016 desktop programs include the same capabilities to identify sensitive information and apply DLP policies. DLP provides continuous monitoring when people share content in these Office 2016 programs.

  • Help users learn how to stay compliant without interrupting their workflow.

    You can educate your users about DLP policies and help them remain compliant without blocking their work. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them an email notification and show them a policy tip in the context of the document library that allows them to override the policy if they have a business justification. The same policy tips also appear in Outlook on the web, Outlook 2013 and later, Excel 2016, PowerPoint 2016, and Word 2016.

  • View DLP reports showing content that matches your organization’s DLP policies.

    To assess how your organization is complying with a DLP policy, you can see how many matches each policy and rule has over time. If a DLP policy allows users to override a policy tip and report a false positive, you can also view what users have reported.

You create and manage DLP policies on the Data loss prevention page in the Office 365 Security & Compliance Center.

Data loss prevention page in the Office 365 Security & Compliance Center

What a DLP policy contains

A DLP policy contains a few basic things:

  • Where to protect the content – locations such as Exchange Online, SharePoint Online, and OneDrive for Business sites.

  • When and how to protect the content by enforcing rules consisting of:

    • Conditions the content must match before the rule is enforced -- for example, look only for content containing Social Security numbers that have been shared with people outside your organization.

    • Actions that you want the rule to take automatically when content matching the conditions is found -- for example, block access to the document and send both the user and compliance officer an email notification.

You can use a rule to meet a specific protection requirement, and then use a DLP policy to group together common protection requirements, such as all of the rules needed to comply with a specific regulation. For example, you might have a DLP policy that helps you detect the presence of information subject to the Health Insurance Portability and Accountability Act (HIPAA). This DLP policy could help protect HIPAA data (the what) across all SharePoint Online sites and all OneDrive for Business sites (the where) by finding any document containing this sensitive information that’s shared with people outside your organization (the conditions) and then blocking access to the document and sending a notification (the actions). These requirements are stored as individual rules and grouped together as a DLP policy to simplify management and reporting.
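The HIPAA scenario above, expressed as one policy and one rule, as an added example written for this page rather than taken from the original article or from Microsoft's own samples. It assumes an open Security & Compliance Center PowerShell session (Connect-IPPSSession from the ExchangeOnlineManagement module); the policy and rule names and the notification address are placeholders, and the sensitive information type names must match the ones returned by Get-DlpSensitiveInformationType in your tenant.

```powershell
# Added example (not from the original article): the "what / where / conditions /
# actions" of the HIPAA scenario as one DLP policy with one rule.
# Assumes an existing Security & Compliance Center PowerShell session.
# Policy name, rule name and the report address are placeholders.

# The "where": all SharePoint Online and all OneDrive for Business sites.
# Created in test mode so nothing is blocked until the rule has been reviewed.
New-DlpCompliancePolicy -Name "HIPAA - external sharing" `
    -Comment "Detect health-related PII shared outside the organization" `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithoutNotifications

# The "what" (sensitive information types) plus the "conditions" (shared with
# people outside the organization) and the "actions" (block access, notify,
# send an incident report), stored together as a single rule.
New-DlpComplianceRule -Name "HIPAA - block external share" `
    -Policy "HIPAA - external sharing" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Drug Enforcement Agency (DEA) Number"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser "LastModifier", "Owner", "SiteAdmin" `
    -NotifyPolicyTipCustomText "This document contains health data and cannot be shared outside the organization." `
    -GenerateIncidentReport "compliance-officer@example.com" `
    -IncidentReportContent "All" `
    -ReportSeverityLevel High

# Review what was created: the policy with its locations and mode, then its rules.
Get-DlpCompliancePolicy -Identity "HIPAA - external sharing" |
    Format-List Name, Mode, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy "HIPAA - external sharing" |
    Format-List Name, AccessScope, BlockAccess, NotifyUser, Priority
```

Keeping each requirement in its own rule, as the text recommends, lets you later switch one rule off or change its actions without touching the rest of the policy.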

Diagram shows DLP policy contains locations and rules

Locations

A DLP policy can find and protect sensitive information across Office 365, whether that information is located in Exchange Online, SharePoint Online, or OneDrive for Business. You can easily choose to protect all sites or just specific sites.

Options for locations where a DLP policy can be applied

Rules

Rules are what enforce your business requirements on the information stored by your organization. A policy contains one or more rules, and each rule consists of conditions and actions. For each rule, when the conditions are met, the actions are taken automatically. Rules are executed sequentially, starting with the lowest order rule in each policy.

Conditions

Conditions are important because they determine what types of information you’re looking for, and when to take an action. For example, you might choose to ignore content containing passport numbers unless the content contains more than ten such numbers and is shared with people outside your organization.

Conditions focus on the content, such as what types of sensitive information you’re looking for, and also on the context, such as who the document is shared with. You can use conditions to assign different actions to different risk levels -- for example, sensitive content shared internally might be lower risk and require fewer actions than sensitive content shared with people outside the organization.

List showing available DLP conditions

The conditions now available can determine if:

  • Content contains any of the 80+ built-in types of sensitive information.

  • Content is shared with people outside or inside your organization.

  • The document properties contain specific values. For example, documents uploaded to Office 365 from a Windows Server–based file server may have File Classification Infrastructure (FCI) properties applied to them. For email, this condition works for documents attached to messages.

Types of sensitive information

A DLP policy can help protect sensitive information, which is defined as a sensitive information type. Office 365 includes definitions for many common sensitive information types across many different regions that are ready for you to use, such as a credit card number, bank account numbers, national ID numbers, and passport numbers.

List of available sensitive information types

When a DLP policy looks for a sensitive information type such as a credit card number, it does not simply look for a 16-digit number. Each sensitive information type is defined and detected by using a combination of:

  • Keywords

  • Internal functions to validate checksums or composition

  • Evaluation of regular expressions to find pattern matches

  • Other content examination

This helps DLP detection achieve a high degree of accuracy while reducing the number of false positives that can interrupt people’s work.
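A miniature of the layered approach just described, added here as an illustration and not Office 365's actual definition of the credit card number type: a candidate must match a pattern, pass an internal checksum (Luhn), and is reported with higher confidence when a supporting keyword sits nearby. The sample text, the 30-character keyword window and the keyword list are constructed for this example.

```powershell
# Added example (not from the original article, and not the product's real
# detector): pattern match + checksum + keyword proximity, the combination the
# article says a sensitive information type is built from.

function Test-Luhn {
    param([string]$Digits)
    $sum = 0
    $double = $false
    # Walk from the right; double every second digit and subtract 9 if it exceeds 9.
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]      # [string] first, or the char code is used
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-CardNumberCandidates {
    param([string]$Text)
    # Pattern: 16 digits in groups of four, separated by nothing, spaces or hyphens.
    $pattern  = '\b(?:\d{4}[ -]?){3}\d{4}\b'
    $keywords = @('card', 'visa', 'mastercard', 'cvc', 'cvv', 'expiry', 'exp')
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        if (-not (Test-Luhn $digits)) { continue }   # fails the checksum: not reported
        # Look for a supporting keyword within 30 characters on either side.
        $start  = [Math]::Max(0, $m.Index - 30)
        $end    = [Math]::Min($Text.Length, $m.Index + $m.Length + 30)
        $window = $Text.Substring($start, $end - $start).ToLowerInvariant()
        $hasKeyword = @($keywords | Where-Object { $window.Contains($_) }).Count -gt 0
        [pscustomobject]@{
            Match      = $m.Value
            Confidence = if ($hasKeyword) { 'High' } else { 'Medium' }
        }
    }
}

# Constructed sample: a valid number next to keywords, a valid number with no
# keyword nearby, and a 16-digit order number that fails the checksum.
$sample = @"
Please charge my Visa card 4111 1111 1111 1111, exp 12/26.
Reference number for your records: 4012-8888-8888-1881
Order number 1234 5678 9012 3456 shipped today.
"@
Find-CardNumberCandidates -Text $sample | Format-Table -AutoSize
```

Running it lists the first number as High, the second as Medium, and drops the order number entirely, which is the point of the checksum stage: a bare "16 digits" rule would have flagged all three.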

Actions

When content matches a condition in a rule, you can apply actions to automatically protect the document or content.

List of available DLP actions

With these actions, you can:

  • Block the content. For site content, this means that permissions for the document are restricted for everyone except the primary site collection administrator, document owner, and person who last modified the document. These people can remove the sensitive information from the document or take other remedial action. When the document is in compliance, the original permissions will be automatically restored. When access to a document is blocked, the document appears with a special policy tip icon in the library on the site.

    Policy tip showing access to document is blocked

    For email content, this action blocks the message from being sent. Depending on how the DLP rule is configured, the sender will see an NDR or (if the rule uses the Send a notification action) a policy tip and/or email notification.

    Warning that unauthorized recipients must be removed from the message

  • Send a notification. This can include the person who shared, emailed or last modified the content and, for site content, the site collection administrator and document owner. In addition to sending an email notification, this action displays a policy tip:

    • In Outlook 2013 and later and Outlook on the web.

    • For the document on a SharePoint Online or OneDrive for Business site.

    • In Excel 2016, PowerPoint 2016, and Word 2016, when the document is stored on a site included in a DLP policy.

    The email notification and policy tip explain why content conflicts with a DLP policy. If you choose, the email notification and policy tip can allow users to override a rule by reporting a false positive or providing a business justification. This can help you educate users about your DLP policies and enforce them without preventing people from doing their work. Information about overrides and false positives is also logged for reporting (see below about the DLP reports) and included in the incident reports (next section), so that the compliance officer can regularly review this information.

    Dialog boxes showing policy tip with option to override

Incident reports

When a rule is matched, you can send an incident report to your compliance officer with details of the event. This report includes information about the item that was matched, where the match occurred, and the rules and policies it triggered. For email messages, the report also includes as an attachment the original message that matches a DLP policy.

Page for configuring incident reports

Get started with DLP policy templates

The quickest way to start using DLP policies is to create a new policy from a template. This saves you the work of building a new set of rules from scratch, and figuring out which types of information should be included by default. You can then add to or modify these requirements to fine tune the rule to meet your organization’s specific requirements.

New button for creating a data loss prevention policy in the Office 365 Security & Compliance Center

Your organization may also have its own specific requirements, in which case you can create a DLP policy from scratch.

A preconfigured DLP policy template can help you detect specific types of sensitive information, such as HIPAA data, PCI-DSS data, Gramm-Leach-Bliley Act data, or even locale-specific personally identifiable information (PII). To make it easy for you to find and protect common types of sensitive information, the policy templates included in Office 365 already contain the most common sensitive information types necessary for you to get started.

List of templates for data loss prevention policies with focus on template for U.S. Patriot Act

For example, if you select the DLP policy template for the U.S. Patriot Act, this template already includes rules referencing the necessary sensitive information types, to help you easily find and protect that information.

Roll out DLP policies gradually with test mode

When you create your DLP policies, you should consider rolling them out gradually to assess their impact and test their effectiveness before fully enforcing them. For example, you don’t want a new DLP policy to unintentionally block access to thousands of documents that people require access to in order to get their work done.

If you’re creating DLP policies with a large potential impact, we recommend following this sequence:

  1. Start in test mode without Policy Tips and then use the DLP reports to assess the impact. You can use DLP reports to view the number, location, type, and severity of policy matches. Based on the results, you can fine tune the rules as needed. In test mode, DLP policies will not impact the productivity of people working in your organization.

  2. Move to Test mode with notifications and Policy Tips so that you can begin to teach users about your compliance policies and prepare them for the rules that are going to be applied. At this stage, you can also ask users to report false positives so that you can further refine the rules.

  3. Start full enforcement on the policies so that the actions in the rules are applied and the content’s protected. Continue to monitor the DLP reports and any incident reports or notifications to make sure that the results are what you intend.

Options for using test mode and turning on policy

You can turn off a DLP policy at any time, which affects all rules in the policy. However, each rule can also be turned off individually.
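The staged rollout above, and the policy-level versus rule-level switch-off just mentioned, driven from PowerShell. This is an added example written for this page, not the article's own code; it assumes a Security & Compliance Center PowerShell session (Connect-IPPSSession from the ExchangeOnlineManagement module) and an existing policy whose name and rule name are placeholders.

```powershell
# Added example (not from the original article): advance a policy through the
# three rollout stages in order, never skipping a stage. Assumes an existing
# Security & Compliance Center PowerShell session. Names are placeholders.

# The Mode values of New-/Set-DlpCompliancePolicy that correspond to the three stages.
$RolloutStages = @("TestWithoutNotifications", "TestWithNotifications", "Enable")

function Step-DlpRollout {
    param([Parameter(Mandatory)][string]$PolicyName)
    $policy = Get-DlpCompliancePolicy -Identity $PolicyName
    $index  = [array]::IndexOf($RolloutStages, [string]$policy.Mode)
    if ($index -lt 0) {
        # "Disable" or an unexpected mode: restart at the safest stage rather than guess.
        $next = $RolloutStages[0]
    } elseif ($index -eq $RolloutStages.Count - 1) {
        Write-Host "'$PolicyName' is already fully enforced."
        return
    } else {
        $next = $RolloutStages[$index + 1]
    }
    Write-Host "Moving '$PolicyName' from $($policy.Mode) to $next"
    Set-DlpCompliancePolicy -Identity $PolicyName -Mode $next
}

$PolicyName = "HIPAA - external sharing"

# Stage 1 -> 2 -> 3. Between calls, review the DLP reports and refine the rules;
# each call only moves one stage, so an accidental double run cannot jump to Enable.
Step-DlpRollout -PolicyName $PolicyName   # to TestWithNotifications (tips appear, nothing blocked)
Step-DlpRollout -PolicyName $PolicyName   # to Enable (actions now apply)
Get-DlpCompliancePolicy -Identity $PolicyName | Select-Object Name, Mode

# Turning off the policy stops every rule in it...
Set-DlpCompliancePolicy -Identity $PolicyName -Mode Disable
# ...whereas a single rule can be switched off on its own, leaving the policy active.
Set-DlpComplianceRule -Identity "HIPAA - block external share" -Disabled $true
```

Gating each stage behind a check of the current mode is deliberate: the costly mistake described above (a new policy suddenly blocking thousands of documents) comes from enforcing before the test-mode reports have been read.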

Options for turning off a rule in a policy

DLP reports

After you create and turn on your DLP policies, you’ll want to verify that they’re working as you intended and helping you stay compliant. With DLP reports, you can quickly view the number of DLP policy and rule matches over time, and the number of false positives and overrides. For each report, you can filter those matches by location, time frame, and even narrow it down to a specific policy, rule, or action.

With the DLP reports, you can get business insights and:

  • Focus on specific time periods and understand the reasons for spikes and trends.

  • Discover business processes that violate your organization’s compliance policies.

  • Understand any business impact of the DLP policies.

In addition, you can use the DLP reports to fine tune your DLP policies as you run them.

DLP report showing policy matches

How DLP policies work

DLP detects sensitive information by using deep content analysis (not just a simple text scan). This deep content analysis uses keyword matches, dictionary matches, the evaluation of regular expressions, internal functions, and other methods to detect content that matches your DLP policies. Potentially only a small percentage of your data is considered sensitive. A DLP policy can identify, monitor, and automatically protect just that data, without impeding or affecting people who work with the rest of your content.

Policies are synced

After you create a DLP policy in the Security & Compliance Center, it’s stored in a central policy store, and then synced to the various content sources, including:

  • Exchange Online, and from there to Outlook on the web and Outlook 2013 and later

  • OneDrive for Business sites

  • SharePoint Online sites

  • Office 2016 desktop programs (Excel 2016, PowerPoint 2016, and Word 2016)

After the policy’s synced to the right locations, it starts to evaluate content and enforce actions.

Policy evaluation in OneDrive for Business and SharePoint Online sites

Across all of your SharePoint Online sites and OneDrive for Business sites, documents are constantly changing — they’re continually being created, edited, shared, and so on. This means documents can conflict or become compliant with a DLP policy at any time. For example, a person can upload a document that contains no sensitive information to their team site, but later, a different person can edit the same document and add sensitive information to it.

For this reason, DLP policies check documents for policy matches frequently in the background. You can think of this as asynchronous policy evaluation.

Here’s how it works. As people add or change documents in their sites, the search engine scans the content, so that you can search for it later. While this is happening, the content’s also scanned for sensitive information and to check if it’s shared. Any sensitive information that’s found is stored securely in the search index, so that only the compliance team can access it, but not typical users. Each DLP policy that you’ve turned on runs in the background (asynchronously), checking search frequently for any content that matches a policy, and applying actions to protect it from inadvertent leaks.

Diagram showing how DLP policy evaluates content asynchronously

Finally, documents can conflict with a DLP policy, but they can also become compliant with a DLP policy. For example, if a person adds credit card numbers to a document, it might cause a DLP policy to block access to the document automatically. But if the person later removes the sensitive information, the action (in this case, blocking) is automatically undone the next time the document is evaluated against the policy.

DLP evaluates any content that can be indexed. For more information on what file types are crawled by default, see Default crawled file name extensions and parsed file types in SharePoint Server 2013.

Policy evaluation in Exchange Online, Outlook 2013 and later, and Outlook on the web

When you create a DLP policy that includes Exchange Online as a location, the policy’s synced from the Office 365 Security & Compliance Center to Exchange Online, and then from Exchange Online to Outlook on the web and Outlook 2013 and later.

When a message is being composed in Outlook, the user can see policy tips as the content being created is evaluated against DLP policies. And after a message is sent, it’s evaluated against DLP policies as a normal part of mail flow, along with Exchange transport rules and DLP policies created in the Exchange Admin Center (see the next section for more info). DLP policies scan both the message and any attachments.

Policy evaluation in the Office 2016 desktop programs

Excel 2016, PowerPoint 2016, and Word 2016 include the same capability to identify sensitive information and apply DLP policies as SharePoint Online and OneDrive for Business. These Office 2016 programs sync their DLP policies directly from the central policy store, and then continuously evaluate the content against the DLP policies when people work with documents opened from a site that’s included in a DLP policy.

DLP policy evaluation in Office 2016 is designed not to affect the performance of the programs or the productivity of people working on content. If they’re working on a large document, or the user’s computer is busy, it might take a few seconds for a policy tip to appear.

How DLP in the Office 365 Security & Compliance Center works with DLP and transport rules in the Exchange Admin Center

After you create a DLP policy in the Office 365 Security & Compliance Center, the policy is deployed to all of the locations included in the policy. If the policy includes Exchange Online, the policy’s synced there and enforced in exactly the same way as a DLP policy created in the Exchange admin center.

If you’ve created DLP policies in the Exchange admin center, those policies will continue to work side by side with any policies for email that you create in the Office 365 Security & Compliance Center. But note that rules created in the Exchange admin center take precedence. All Exchange transport rules are processed first, and then the DLP rules from the Office 365 Security & Compliance Center are processed.

This means that:

  • Messages that are blocked by Exchange transport rules won’t get scanned by DLP rules created in the Office 365 Security & Compliance Center.

  • If an Exchange transport rule modifies a message in a way that causes it to match a DLP policy in the Office 365 Security & Compliance Center – such as adding external users – then the DLP rules will detect this and enforce the policy as needed.

Also note that Exchange transport rules that use the “stop processing” action don’t affect the processing of DLP rules in the Office 365 Security & Compliance Center – they’ll still be processed.

Policy tips in the Exchange Admin Center vs. the Office 365 Security & Compliance Center

Policy tips can work either with DLP policies and mail flow rules created in the Exchange Admin Center, or with DLP policies created in the Office 365 Security & Compliance Center, but not both. This is because these policies are stored in different locations, but policy tips can draw only from a single location.

If you’ve configured policy tips in the Exchange Admin Center, any policy tips that you configure in the Office 365 Security & Compliance Center won’t appear to users in Outlook on the web and Outlook 2013 and later until you turn off the tips in the Exchange Admin Center. This ensures that your current Exchange transport rules will continue to work until you choose to switch over to the Office 365 Security & Compliance Center.

Note that while policy tips can draw only from a single location, email notifications are always sent, even if you're using DLP policies in both the Office 365 Security & Compliance Center and the Exchange Admin Center.

Permissions

Members of your compliance team who will create DLP policies need permissions to the Security & Compliance Center. By default, your tenant admin will have access to this location and can give compliance officers and other people access to the Security & Compliance Center, without giving them all of the permissions of a tenant admin. To do this, we recommend that you:

  1. Create a group in Office 365 and add compliance officers to it.

  2. Create a role group on the Permissions page of the Security & Compliance Center.

  3. Add the Office 365 group to the role group.

For more information, see Give users access to the Office 365 Compliance Center.

These permissions are required only to create and apply a DLP policy. Policy enforcement does not require access to the content.

Find the DLP cmdlets

To use most of the cmdlets for the Security & Compliance Center, you need to:

  1. Connect to the Office 365 Security & Compliance Center using remote PowerShell

  2. Use any of these Office 365 Security & Compliance Center cmdlets

However, DLP reports need to pull data from across Office 365, including Exchange Online. For this reason, the cmdlets for the DLP reports are available in Exchange Online PowerShell -- not in Security & Compliance Center PowerShell. Therefore, to use the cmdlets for the DLP reports, you need to:

  1. Connect to Exchange Online using remote PowerShell

  2. Use any of these cmdlets for the DLP reports:
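The two connection paths this section describes, as an added example rather than code from the original article. It uses the ExchangeOnlineManagement module, which provides Connect-IPPSSession (Security & Compliance Center) and Connect-ExchangeOnline (Exchange Online); the article was written for remote PowerShell sessions and does not name that module. The admin UPN is a placeholder, and the report cmdlets return no rows until policies have produced matches.

```powershell
# Added example (not from the original article): policy cmdlets come from the
# Security & Compliance Center session, report cmdlets from Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed. UPN is a placeholder.
$Admin = "compliance-admin@example.com"

# 1. Security & Compliance Center PowerShell: policy, rule and sensitive-type cmdlets.
Connect-IPPSSession -UserPrincipalName $Admin
Get-DlpCompliancePolicy | Select-Object Name, Mode, Workload
Get-DlpSensitiveInformationType | Select-Object -First 5 Name, Publisher

# 2. Exchange Online PowerShell: the DLP report cmdlets live here because the
#    reports aggregate data from across Office 365, not just one workload.
Connect-ExchangeOnline -UserPrincipalName $Admin

# Policy and rule match counts for the last 30 days across all locations.
$start = (Get-Date).AddDays(-30)
$end   = Get-Date
Get-DlpDetectionsReport -StartDate $start -EndDate $end |
    Select-Object Date, Source, DlpPolicy, Rule, Action, MessageCount |
    Format-Table -AutoSize

# Item-level detail, narrowed to SharePoint, for following up individual matches.
Get-DlpDetailReport -StartDate $start -EndDate $end -Source SharePoint |
    Format-Table -AutoSize

# One call closes both sessions opened above.
Disconnect-ExchangeOnline -Confirm:$false
```

If a cmdlet is reported as not recognized, the usual cause is running it in the wrong session: check which connection is active before assuming the cmdlet is missing.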

More information
