Information
Users may inadvertently share sensitive information with others who should not have access to it. DLP policies provide a way for agencies to detect and prevent unauthorized disclosures.
Solution
1. Sign in to the Microsoft Purview compliance portal.
2. Under the Solutions section on the left-hand menu, select Data loss prevention.
3. Select Policies from the top of the page.
4. Select Create policy.
5. From the Categories list, select Custom.
6. From the Templates list, select Custom policy and then click Next.
7. Edit the name and description of the policy if desired, then click Next.
8. Under Choose locations to apply the policy, set Status to On for at least the Exchange email, OneDrive accounts, SharePoint sites, Teams chat and channel messages, and Devices locations, then click Next.
9. Under Define policy settings, select Create or customize advanced DLP rules, and then click Next.
10. Click Create rule. Assign the rule an appropriate name and description.
11. Click Add condition, then Content contains.
12. Click Add, then Sensitive info types.
13. Add the sensitive information types that cover the data the agency needs to protect. At a minimum, the agency should protect:
- Credit card numbers
- U.S. Individual Taxpayer Identification Numbers (ITIN)
- U.S. Social Security Numbers (SSN)
- All agency-defined PII and sensitive information
14. Click Add.
15. Under Actions, click Add an action.
16. Check Restrict Access or encrypt the content in Microsoft 365 locations.
17. Under this action, select Block Everyone.
18. Under User notifications, turn on Use notifications to inform your users and help educate them on the proper use of sensitive info.
19. Under Microsoft 365 services, a section that appears after user notifications are turned on, check the box next to Notify users in Office 365 service with a policy tip.
20. Click Save, then Next.
21. Select Turn it on right away, then click Next.
22. Click Submit.
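The same policy expressed in Security & Compliance PowerShell, as an added example that is not part of this audit item or of Microsoft's or CISA's own material, so the configuration can be scripted and re-checked against the baseline. It assumes the ExchangeOnlineManagement module is installed, that the built-in sensitive info type display names below match the tenant, and uses a constructed policy name.

```powershell
# Added example: builds the DLP policy and rule from the Solution steps with
# Security & Compliance PowerShell, then checks the result against the baseline.
# Assumes the ExchangeOnlineManagement module and a Purview role that may manage DLP.
Connect-IPPSSession

$policyName = 'Agency Baseline DLP'   # constructed name; choose your own

# Step 8: turn the policy on for Exchange, OneDrive, SharePoint, Teams and Devices.
# Step 21: -Mode Enable corresponds to "Turn it on right away".
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Blocks sharing of credit card, ITIN and SSN data outside the agency' `
    -ExchangeLocation All -OneDriveLocation All -SharePointLocation All `
    -TeamsLocation All -EndpointDlpLocation All -Mode Enable

# Steps 13-14: built-in sensitive info types. Append the agency's own custom
# sensitive info types (agency-defined PII) to this array as well.
$sensitiveTypes = @(
    @{ Name = 'Credit Card Number' },
    @{ Name = 'U.S. Individual Taxpayer Identification Number (ITIN)' },
    @{ Name = 'U.S. Social Security Number (SSN)' }
)

# Steps 15-19: block everyone (BlockAccessScope All), notify the owner and show a policy tip.
New-DlpComplianceRule -Name "$policyName - Block sensitive info" -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This item contains sensitive information and cannot be shared.'

# Check: every required location must be set to All and the policy must be enabled.
$p = Get-DlpCompliancePolicy -Identity $policyName
$required = 'ExchangeLocation', 'OneDriveLocation', 'SharePointLocation', 'TeamsLocation', 'EndpointDlpLocation'
$missing = $required | Where-Object { ($p.$_ -join ',') -ne 'All' }
if ($missing -or $p.Mode -ne 'Enable') {
    Write-Warning "Policy '$policyName' does not meet the baseline: missing=$($missing -join ', ') mode=$($p.Mode)"
} else {
    Write-Host "Policy '$policyName' is enabled on all required locations."
}
```

The Devices location only takes effect for endpoints that have been onboarded to Purview; the location check above confirms the policy scope, not device onboarding.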
Item Details
Category: ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY
References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-4, 800-53|AC-5, 800-53|AC-6, 800-53|AC-7, 800-53|AC-16, 800-53|AC-17, 800-53|AC-18, 800-53|AC-19, 800-53|AC-20, 800-53|AC-21, 800-53|AC-23, 800-53|CA-3, 800-53|CA-7, 800-53|CA-8, 800-53|CM-2, 800-53|CM-3, 800-53|CM-5, 800-53|CM-6, 800-53|CM-7, 800-53|CM-8, 800-53|IA-2, 800-53|IA-3, 800-53|IA-4, 800-53|IA-5, 800-53|IA-6, 800-53|IA-8, 800-53|RA-5, 800-53|SA-8, 800-53|SA-9, 800-53|SC-4, 800-53|SC-7, 800-53|SC-28, 800-53|SC-31, 800-53|SI-3, 800-53|SI-4, 800-53|SI-7, 800-53|SI-10, 800-53|SI-12, 800-53|SI-15
Control ID: da19affad4c078ed3cb885b0b68b3fbc91dcaf9d632ce74882aa241f6faa56b9