Create a DLP policy from a template

The easiest, most common way to get started with DLP policies is to use one of the templates included in Office 365. You can use one of these templates as is, or customize the rules to meet your organization’s specific compliance requirements.

Office 365 includes over 40 ready-to-use templates that can help you meet a wide range of common regulatory and business policy needs. For example, there are DLP policy templates for:

  • Gramm-Leach-Bliley Act (GLBA)

  • Payment Card Industry Data Security Standard (PCI-DSS)

  • United States Personally Identifiable Information (U.S. PII)

  • United States Health Insurance Act (HIPAA)

You can fine tune a template by modifying any of the existing rules or adding new ones. For example, you can add new types of sensitive information to a rule, modify the counts in a rule to make it harder or easier to trigger, allow people to override the actions in a rule by providing a business justification, or change who notifications and incident reports are sent to. A DLP policy template is a flexible starting point for many common compliance scenarios.

You can also choose the Custom template, which has no default rules, and configure your DLP policy from scratch, to meet the specific compliance requirements for your organization.

Example: Identify sensitive information across all OneDrive for Business sites and block access for people outside your organization

OneDrive for Business sites make it easy for people across your organization to collaborate and share documents. But a common concern for compliance officers is that sensitive information stored in OneDrive for Business sites may be inadvertently shared with people outside your organization. A DLP policy can help mitigate this risk.

In this example, you’ll create a DLP policy that identifies U.S. PII data, which includes Individual Taxpayer Identification Numbers (ITIN), Social Security Numbers, and U.S. passport numbers. You’ll get started by using a template, and then you’ll modify the template to meet your organization’s compliance requirements—specifically, you’ll:

  • Add a couple of types of sensitive information—U.S. bank account numbers and U.S. driver’s license numbers—so that the DLP policy protects even more of your sensitive data.

  • Make the policy more sensitive, so that a single occurrence of sensitive information is enough to block access for external users.

  • Allow users to override the actions by providing a business justification or reporting a false positive. This way, your DLP policy won’t prevent people in your organization from getting their work done, provided they have a valid business reason for sharing the sensitive information.

Create a DLP policy from a template

  1. Sign in to the Office 365 admin center.

  2. Navigate to Admin centers > Security & Compliance. You're now in the Office 365 Security & Compliance Center.

  3. Navigate to Security policies > Data loss prevention and click New (+).

    New button for creating a data loss prevention policy in the Office 365 Security & Compliance Center

  4. In the list of DLP policy templates, select the template that protects the types of sensitive information that you need and click Next.

    In this example, you’ll select Privacy > U.S. Personally Identifiable Information (PII) Data because it already includes most of the types of sensitive information that you want to protect—you’ll add a couple later.

    When you select a template, you can read the description below to learn what types of sensitive information the template protects.

    New DLP policy dialog with U.S. PII Data policy template highlighted

  5. To choose the locations that you want the DLP policy to protect, select or clear the options. In this example, to protect sensitive information stored in all OneDrive for Business sites, select only OneDrive for Business > All OneDrive for Business sites and click Next.

    You can also choose to protect just specific sites. Choose Select specific sites > Add (+). Then, in Choose sites, enter the URL of the site and click Add. Click OK when you’re done adding sites, and then click Next.

    Options for locations where a DLP policy can be applied

    When you apply a policy to a site, the rules configured in that policy are automatically applied to all subsites of that site.

    The Choose sites dialog to specify the URL of a site with sensitive information.

  6. A DLP policy template contains predefined rules with conditions and actions that detect and act upon specific types of sensitive information. You can modify or delete any of the existing rules, or add new ones. When done, click Next.

    Default rules highlighted

    In this example, the U.S. PII template includes two predefined rules:

    • U.S. PII: Scan content shared outside - low count. This rule looks for files containing between 1 and 10 occurrences of each of three types of sensitive information (ITIN, SSN, and U.S. passport numbers), where the files are shared with people outside the organization. If found, the rule sends a notification to the primary site collection administrator, document owner, and person who last modified the document; and it sends an incident report to the primary site collection administrator.

    • U.S. PII: Scan content shared outside - high count. This rule looks for files containing 10 or more occurrences of each of the same three sensitive information types, where the files are shared with people outside the organization. If found, this rule also sends a notification and incident report, and in addition it blocks access to the file.

    To meet your organization’s specific requirements, you may want to make the rules easier to trigger, so that a single occurrence of sensitive information is enough to block access for external users. After looking at these rules, you understand that you don’t need low and high count rules—you need only a single rule that blocks access if any occurrence of sensitive information is found.

    So you select the rule named U.S. PII: Scan content shared outside - low count > Delete.

    Customize rules page with delete option highlighted

  7. Now, in this example, you need to add two sensitive information types (U.S. bank account numbers and U.S. driver’s license numbers), allow people to override a rule, and change the count to any occurrence. You can do all of this by editing one rule, so select U.S. PII: Scan content shared outside - high count > Edit.

    Customize rules page with edit option highlighted

  8. To add a sensitive information type, in the condition Contains sensitive information, click Add (+). Then, in Sensitive information types, select U.S. Bank Account Number > Add, select U.S. Driver’s License Number > Add, and click OK.

    A data loss prevention policy's Conditions page to create rules related to US Personally Identifiable Information.

    Sensitive information types dialog with US Driver's License Number selected.

  9. To change the count, select each sensitive information type and click Edit. Adjust the Minimum count (it cannot be empty) and click Save.

    Minimum count option

    When finished, the count for all of the sensitive information types should be any. In other words, any occurrence of this type of sensitive information will satisfy this condition.

    Contains sensitive information condition with count value of any highlighted

  10. For the final customization, you don’t want your DLP policies to block people from doing their work when they have a valid business justification, so you want the notification to include options to override the blocking action.

    On the left, choose Actions. Under Override options, select all three check boxes and click OK.

    Override options highlighted

  11. Make any changes that you need on the remaining pages of the rule editor and click OK:

    • Incident reports: Note that the severity level you select here determines how a match of this rule is categorized in the DLP reports.

    • Name: Change the name of this rule from the default U.S. PII: Scan content shared outside - high count to U.S. PII: Scan content shared outside - any because it's now triggered by any occurrence of its sensitive information types.

      Also, if you turn off a policy, all rules contained in the policy are also turned off. However, here you can turn off this specific rule without turning off the entire policy. This can be useful when you need to investigate a rule that is generating a large number of false positives.

  12. Back on the New DLP Policy page, when you finish defining the rules, click Next.

  13. On the last page, before you choose Create, understand the following.

    Important: Before you create your DLP policies, you should consider rolling them out gradually to assess their impact and test their effectiveness before you fully enforce them. For example, you don’t want a new DLP policy to unintentionally block access to thousands of documents that people require to get their work done.

    If you’re creating DLP policies with a large potential impact, we recommend following this sequence:

    1. Start in test mode without Policy Tips and then use the DLP reports to assess the impact. You can use DLP reports to view the number, location, type, and severity of policy matches. Based on the results, you can fine tune the rules as needed. In test mode, DLP policies will not impact the productivity of people working in your organization.

    2. Move to Test mode with notifications and Policy Tips so that you can begin to teach users about your compliance policies and prepare them for the rules that are going to be applied. At this stage, you can also ask users to report false positives so that you can further refine the rules.

    3. Turn on the policies so that the rules are enforced and the content’s protected. Continue to monitor the DLP reports and any incident reports or notifications to make sure that the results are what you intend.

  14. Choose Create.
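The same policy can be created and rolled out from Security & Compliance PowerShell instead of the UI. The script below is an added example, not part of the original article or Microsoft's own sample code: it builds the single "any occurrence" rule that the walkthrough above ends with, scoped to all OneDrive for Business sites, and then walks the policy through the three-stage rollout sequence (test without notifications, test with notifications, enforce). The cmdlet and parameter names (New-DlpCompliancePolicy, New-DlpComplianceRule, Set-DlpCompliancePolicy, Get-DlpCompliancePolicy and their -Mode, -AccessScope, -NotifyAllowOverride and related parameters), the policy name and the exact sensitive information type names are assumed from the module's documentation; confirm the type names in your tenant with Get-DlpSensitiveInformationType before running.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module and an account with Compliance Administrator rights.
Connect-IPPSSession

$policyName = 'U.S. PII - OneDrive'   # assumed policy name

# The three types the U.S. PII template covers plus the two the walkthrough adds.
# minCount = 1 is the PowerShell equivalent of setting the count to "any".
# Type names are assumed; verify with Get-DlpSensitiveInformationType.
$sensitiveTypes = @(
    'U.S. Individual Taxpayer Identification Number (ITIN)',
    'U.S. Social Security Number (SSN)',
    'U.S. / U.K. Passport Number',
    'U.S. Bank Account Number',
    "U.S. Driver's License Number"
) | ForEach-Object { @{ Name = $_; minCount = '1' } }

# Stage 1 of the rollout: create the policy in test mode without notifications
# or policy tips, so matches are only collected in the DLP reports.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Blocks external sharing of OneDrive files containing U.S. PII' `
    -OneDriveLocation All `
    -Mode TestWithoutNotifications

# One rule replaces the template's low-count / high-count pair: any occurrence
# of any listed type, shared outside the organization, blocks access, notifies
# the site admin, owner and last modifier, sends an incident report, and lets
# the user override with a business justification or a false-positive report.
New-DlpComplianceRule -Name 'U.S. PII: Scan content shared outside - any' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser 'SiteAdmin', 'Owner', 'LastModifier' `
    -NotifyAllowOverride 'FalsePositive', 'WithJustification' `
    -GenerateIncidentReport 'SiteAdmin' `
    -ReportSeverityLevel Medium

# Stage 2: after reviewing the DLP reports, turn on notifications and policy
# tips so users learn the rule before it is enforced.
Set-DlpCompliancePolicy -Identity $policyName -Mode TestWithNotifications

# Stage 3: enforce once the false-positive rate is acceptable.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Mode and DistributionStatus together correspond to the status column shown on
# the Data loss prevention page (for example "Turning on…" while distribution
# is still pending).
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, DistributionStatus
```

Run the three Set-DlpCompliancePolicy stages as separate sessions separated by a review period rather than in one go; the value of the sequence is the DLP report review between stages, and nothing in the script enforces that pause.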

After you create and turn on a DLP policy, it’s deployed to any content sources that it includes, such as SharePoint Online sites or OneDrive for Business sites, where the policy begins automatically enforcing its rules on that content.

View the status of a DLP policy

At any time, you can view the status of your DLP policies on the Data loss prevention page of the Security & Compliance Center. Here you can find important information, such as whether a policy was successfully enabled or disabled, or whether the policy is in test mode.

Here are the different statuses and what they mean.

Status | Explanation
--- | ---
Turning on… | The policy is being deployed to the content sources that it includes. The policy is not yet enforced on all sources.
Testing, with notifications | The policy is in test mode. The actions in a rule are not applied, but policy matches are collected and can be viewed by using the DLP reports. Notifications about policy matches are sent to the specified recipients.
Testing, without notifications | The policy is in test mode. The actions in a rule are not applied, but policy matches are collected and can be viewed by using the DLP reports. Notifications about policy matches are not sent to the specified recipients.
On | The policy is active and enforced. The policy was successfully deployed to all its content sources.
Turning off… | The policy is being removed from the content sources that it includes. The policy may still be active and enforced on some sources. Turning off a policy may take up to 45 minutes.
Off | The policy is not active and not enforced. The settings for the policy (sources, keywords, duration, etc.) are saved.
Deleting… | The policy is in the process of being deleted. The policy is not active and not enforced.

Turn off a DLP policy

You can edit and turn off a DLP policy at any time, which disables all of the rules in the policy.

Option to turn off policy highlighted

In addition, you can turn off each rule individually by editing the policy and then changing the setting on the Name page for that rule, as described above.
