Design a custom DLP policy


In Microsoft Purview, you implement data loss prevention by defining and applying DLP policies. With a DLP policy, you can identify, monitor, and automatically protect sensitive items across:

  • Microsoft 365 services such as Teams, Exchange, SharePoint, and OneDrive
  • Office applications such as Word, Excel, and PowerPoint
  • Windows 10, Windows 11, and macOS (Catalina 10.15 and higher) endpoints
  • Non-Microsoft cloud apps
  • On-premises file shares and on-premises SharePoint

Microsoft Purview DLP policies detect sensitive items by using deep content analysis rather than a simple text scan. The analysis includes:

  • Looking for primary data matches to keywords.
  • Evaluating regular expressions.
  • Validating internal functions.
  • Looking for secondary data matches that are in proximity to the primary data match.

DLP also uses machine learning algorithms and other methods to detect content that matches an organization's DLP policies.

Designing a DLP policy before implementation can lead to faster and more accurate results. Organizations should avoid tuning a DLP policy by trial and error alone, which often results in unintended issues. Having your policy designs documented also helps you in communications, policy reviews, troubleshooting, and further tuning.

Designing a DLP policy typically involves:

  • Clearly defining your business needs.
  • Documenting them in a policy intent statement.
  • Mapping those needs to your policy configuration.

You should use the decisions you made in your planning phase to inform some of your policy design decisions.

Define intent for the DLP policy

An organization should summarize in a single statement the business intent for every DLP policy. Developing this statement helps drive conversations about the policy throughout the organization. Once fully developed, the statement should directly link the policy to a business purpose and provide a roadmap for policy design.

Additional reading. For help on getting started on your DLP policy intent statement, see Plan for data loss prevention (DLP).

Earlier in this training, you learned that all DLP policies require that an organization:

  • Choose what it wants to monitor.
  • Choose where it wants to monitor.
  • Choose the conditions that must match for a policy to apply to an item.
  • Choose the action to take when the policy meets its conditions.

For example, here's a fictitious first draft of an intent statement that provides answers to all four questions for Contoso Ltd.:

"Contoso is a U.S.-based organization, and we need to detect Office documents containing sensitive health care information covered by HIPAA that employees stored in OneDrive/SharePoint and protect against users sharing this information in Teams chat and channel messages and restrict everyone from sharing these documents with unauthorized third parties."

As an organization develops its policy design, it usually modifies and extends its statement of intent.

Map business requirements to your policy configuration

To map business requirements to its policy configuration, an organization should begin by breaking down the draft into shorter segments. It can then map each segment to DLP policy configuration points.

The following table maps the business requirements of Contoso's fictitious first draft statement to its policy configuration.

Statement segment: "Contoso is a U.S.-based organization, and we need to detect Office documents containing sensitive health care information covered by HIPAA..."

Configuration question answered and configuration mapping:

  • What to monitor: Office docs; use the U.S. Health Insurance Act (HIPAA) template.
  • Conditions for a match (preconfigured but editable): item contains U.S. SSN and Drug Enforcement Agency (DEA) number, International Classification of Diseases (ICD-9-CM), International Classification of Diseases (ICD-10-CM); users share content with people outside my organization.
  • Drives conversations to clarify the triggering threshold for detection, such as confidence levels and instance count (called leakage tolerance).

Statement segment: "...that employees stored in OneDrive/SharePoint and protect against users sharing information in Teams chat and channel messages..."

Configuration question answered and configuration mapping:

  • Where to monitor: location scoping by including or excluding OneDrive and SharePoint sites and Teams chat/channel accounts or distribution groups.

Statement segment: "...and restrict everyone from sharing these documents with unauthorized third parties."

Configuration question answered and configuration mapping:

  • Actions to take: add Restrict access or encrypt the content in Microsoft 365 locations.
  • Drives conversation on what actions to take when someone triggers a policy. Protective actions may include sharing restrictions. Awareness actions may include notifications and alerts. User empowerment actions may include allowing user overrides of a blocking action.

This example doesn't cover all the configuration points of a DLP policy. In the real world, an organization would need to expand such a statement. However, this example should get you thinking in the right direction as you develop your own DLP policy intent statements.
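To show how the mapped segments become configuration, here is the Contoso intent statement expressed as a draft policy in Security & Compliance PowerShell. This is an added example, not a script from the training module or from Microsoft; the policy and rule names, policy tip text and thresholds are assumptions, and the sensitive information type names are the built-in ones as I know them, so confirm them with Get-DlpSensitiveInformationType in your own tenant.

```powershell
# Added example: build the Contoso HIPAA draft policy from the intent statement.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds a Purview DLP management role. Names and text are made up.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = "Contoso-HIPAA-M365"   # assumed name; policies can't be renamed later

# Where to monitor: OneDrive, SharePoint, and Teams chat/channel messages.
# Mode TestWithNotifications = a draft: matches are logged and tips shown, nothing is blocked.
New-DlpCompliancePolicy `
    -Name $policyName `
    -Comment "Intent: detect HIPAA-covered health data in OneDrive/SharePoint/Teams and block external sharing" `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# What to monitor / conditions: the sensitive information types the HIPAA template
# uses. minCount and minConfidence are the leakage-tolerance knobs to settle with
# stakeholders; the values here are assumptions, not a recommendation.
$hipaaSits = @(
    @{ Name = "U.S. Social Security Number (SSN)";                         minCount = "1"; minConfidence = "85" },
    @{ Name = "Drug Enforcement Agency (DEA) Number";                      minCount = "1"; minConfidence = "85" },
    @{ Name = "International Classification of Diseases (ICD-9-CM)";       minCount = "1"; minConfidence = "85" },
    @{ Name = "International Classification of Diseases (ICD-10-CM)";      minCount = "1"; minConfidence = "85" }
)

# Actions: only when content is shared with people outside the organization,
# restrict access, tell the owner why, allow an override with justification,
# and raise an alert plus incident report for the site admin.
New-DlpComplianceRule `
    -Name "Contoso-HIPAA-Block-External-Sharing" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation $hipaaSits `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This item contains protected health information and cannot be shared outside Contoso." `
    -NotifyAllowOverride WithJustification `
    -GenerateAlert SiteAdmin `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, DocumentAuthor, MatchedItem, RulesMatched

# Review the result with stakeholders before switching the policy to -Mode Enable.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, SharePointLocation, OneDriveLocation, TeamsLocation
Get-DlpComplianceRule -Policy $policyName | Format-List Name, AccessScope, BlockAccess, ContentContainsSensitiveInformation
```

Leave the policy in test mode while you compare matches against expectations; only then change the mode to Enable with Set-DlpCompliancePolicy.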

Important

Keep in mind that the location(s) you pick affect whether you can use sensitive information types, sensitivity labels, and retention labels, plus the available actions.

Policy design process

The policy design process typically includes the following steps:

  1. Complete the steps in the prior unit on how to Plan for data loss prevention. When planning for DLP, remember to:

    • Identify your stakeholders.
    • Describe the categories of sensitive information to protect.
    • Set goals and strategy.
    • Define your policy deployment plan.

  2. Familiarize yourself with Data Loss Prevention policy reference so that you understand all the components of a DLP policy and how each one influences the behavior of a policy.

  3. Familiarize yourself with What the DLP policy templates include.

  4. Develop your policy intent statement with your key stakeholders. Refer to the example earlier in this article.

  5. Determine how this policy fits into your overall DLP policy strategy.

    Important

    You can't rename policies once you create them. If you must rename a policy, you need to create a new one with the desired name, and then retire the old policy. Given this requirement, you should decide on the naming structure to apply to all your policies.

  6. Map the items in your policy intent statement to configuration options.

  7. Decide which policy template you must start with, predefined or custom.

  8. Go through the template and assemble all information required before you create the policy. You typically discover there are some configuration points that you didn't cover in your policy intent statement. That's OK. Go back to your stakeholders to determine the requirements for any missing configuration points.

  9. Document the configuration of all the policy settings and review them with your stakeholders. You must complete your policy intent statement by this point. In this step, you can map it to configuration points.

  10. Create a draft policy and refer back to your policy deployment plan.

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge

1.

As the Microsoft 365 Administrator for Tailspin Toys, Allan Deyoung created the company's overall DLP strategy and a DLP policy. Since then, the purpose of the DLP policy changed. As such, Allan wants to rename the policy. What should Allan do?