Data Loss Prevention in Office 365: Part Three


In part two of this mini-series on data loss prevention, I showed you how to create a new policy and explained the link between data loss prevention policies in Office 365 and sensitive information types.

This week, we’ll take a closer look at a policy’s configuration once it’s been created.

[Screenshot: Credit Card Policy 4]

The screenshot above shows the main page of the Exchange Admin Center's data loss prevention section. Two policies are in place: one that tests for the presence of HIPAA information and another that reports the transmission of credit card data (looking for possible PCI DSS violations).

We’re going to focus on the credit card data transmission report.

With the policy you want to edit selected, click the pencil icon to open the general configuration page:

[Screenshot: Credit Card Policy 1]

In the general section, we name the policy, enter a description, choose the policy's state (enabled or disabled) and choose a mode: enforce, test without policy tips, or test with policy tips. The two test modes log matches (and, with tips, warn the sender) without blocking any mail, so a new policy should run in one of them until you have reviewed its incident reports for false positives; only then switch it to enforce.

If you're wondering about policy tips, see this comprehensive overview. The short version is that policy tips warn your Outlook 2013, OWA and OWA for mobile devices users, while they are composing a message, that what they are about to send may violate a policy (or at least has matched one of its rules).

Once the general settings are in place, click the rules option on the left-hand side of the interface to configure the policy's conditions and actions:

[Screenshot: Credit Card Policy 2]

In the example, I've already configured the sensitive information type the rule looks for and the action it takes. Clicking the pencil icon shows the details:

[Screenshot: Credit Card Policy 3]

In the name field, I entered the label "PCI DSS…". The rule is configured to apply if:

  1. The recipient is located outside the organization
  2. The message contains sensitive information (type: credit card number).

If both conditions are met (conditions within a single rule are combined with AND, so a credit card number sent to an internal colleague does not trigger it), the rule generates an incident report and sends it to an internal recipient (email address obscured for this post). The "Custom Content" referenced is the following:

[Screenshot: Credit Card Policy 8]
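For readers who would rather script this than click through the EAC, the following is the same configuration expressed in Exchange Online PowerShell. It is an added example, not something from the original post or from Microsoft's documentation: the policy name, the rule name (the post's rule name is truncated), the incident-report mailbox (obscured in the post) and the exact set of report fields are all assumptions chosen for the illustration, and an existing Exchange Online session is assumed. The cmdlets are the Exchange 2013-era ones the EAC pages above sit on; in current tenants DLP is managed from the Microsoft Purview compliance portal and its own cmdlets, so treat this as a readable record of the configuration rather than a recipe for a current tenant.

```powershell
# Added example: EAC DLP policy + rule from the post, as Exchange Online PowerShell.
# Assumes an existing Exchange Online session (e.g. Connect-ExchangeOnline).
# Names, mailbox and report fields below are assumptions for the illustration.

$policyName = 'Credit Card Data Transmission Report'            # assumed policy name
$ruleName   = 'PCI DSS - credit card number sent externally'    # assumed; the post's rule name is truncated
$reportTo   = 'dlp-incidents@contoso.example'                   # assumed internal mailbox (obscured in the post)

# 1. General section: name, description, state and mode.
#    EAC mode labels map to the -Mode values as follows:
#      "Test DLP policy without Policy Tips" -> Audit
#      "Test DLP policy with Policy Tips"    -> AuditAndNotify
#      "Enforce"                             -> Enforce
#    Start in Audit so nothing is blocked while you review incident reports.
New-DlpPolicy -Name $policyName `
    -Description 'Reports credit card numbers sent outside the organization' `
    -Mode Audit `
    -State Enabled

# 2. Rules section: the two conditions are ANDed, so the rule fires only when
#    the recipient is external AND the message carries the built-in
#    "Credit Card Number" sensitive information type (at least one match).
#    Action: generate an incident report to the internal mailbox, with the
#    fields that make up the report's "custom content".
New-TransportRule -Name $ruleName `
    -DlpPolicy $policyName `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = 'Credit Card Number'; minCount = '1' } `
    -GenerateIncidentReport $reportTo `
    -IncidentReportContent Sender, Recipients, Subject, Severity, RuleDetections, DataClassifications, IdMatch `
    -SetAuditSeverity Medium

# 3. Confirm what was created before relying on it.
Get-DlpPolicy -Identity $policyName | Format-List Name, State, Mode
Get-TransportRule -Identity $ruleName |
    Format-List Name, DlpPolicy, Mode, SentToScope, MessageContainsDataClassifications, GenerateIncidentReport, IncidentReportContent

# 4. After the reports have been reviewed for false positives, move to enforce:
#    Set-DlpPolicy -Identity $policyName -Mode Enforce
```

Two things worth checking after running this: `Get-DataClassification` lists the sensitive information types available in the tenant, so you can confirm the exact `Name` to use in the hashtable, and `-SentToScope NotInOrganization` is evaluated against your accepted domains, so a partner domain you have not added will count as external.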

And that's all the time I have for now. In the next post, we'll finish our look at this policy and describe some of the other actions you can take.