sunhux

asked on

Features & implementation of DLP in O365 / Exchange online

We're on O365 E1 & E3.
From browsing, I understand our Enterprise E1 & E3 O365 has a DLP feature.

I'd like to implement Data Loss Prevention for outgoing emails and files uploaded to OneDrive/Sharepoint.


Need advice here on whether O365/Exchange Online can fulfill the following requirements, and please point me to links that guide on the steps to configure/set them:

a) To configure for a pilot group initially before rolling out corporate-wide: can we specify a few users first?

b) When outgoing emails sent by staff contain NRIC (in the email content as well as in attachments such as MS Office & PDF attachments), the emails will be quarantined/withheld till myself or an alternate approver approves their release. Ideally the approval for release is done via email, or demonstrate how this is done.

The IT administrator is not the right party to assess if the user’s function/role requires the user to send the sensitive information, so ideally we can designate a couple of approvers for each department.

c) Likewise, if the outgoing emails contain an encrypted attachment, the email ought to be withheld/quarantined till the sender’s manager releases it.

d) On a lower priority, outgoing emails tagged as “Confidential, Sensitive” or emails with attachments that are tagged with these keywords are to be quarantined till the sender’s approver releases it.


e) Repeat the above tests when users upload documents containing NRIC or tagged as ‘Restricted/Confidential’ to OneDrive & SharePoint Online.

f) Optionally, when users print documents containing NRIC or tagged as ‘Restricted/Confidential’.

g) Lastly, for users whose functions (e.g. HR staff) often require them to email/upload sensitive docs, their manager can do a ‘blanket’ approval for them, say every quarter, and every quarter the manager will review if their role is still relevant & will extend this ‘blanket’ approval.


Btw, treat the term NRIC (we use it locally) like a Social Security or passport number in the US.
We only have the requirement to DLP for NRIC & docs tagged as 'sensitive/confidential'.
Vasil Michev (MVP)

a) yes
b) that's doable, and approvers don't need to be admins (still need to have permissions relevant for the DLP tasks though)
c) define encrypted? DLP can "read" IRM/RMS/Azure Information Protection protected emails, S/MIME and other forms of encryption can be a problem
d) that's different from DLP, but doable via Azure/Office 365 Information protection
e) again AIP feature
f) ?
g) Files are scanned for DLP violations when shared, not when uploaded

I'd strongly suggest you review the documentation on DLP and AIP, where all these questions are answered in detail. If you still have some uncertainties, feel free to ask them here, but please break down the questions to specific topics, one at a time.
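
One way requirements (a) to (c) could be expressed as Exchange Online mail flow rules, as an added example that is not part of either poster's messages. The group address, approver addresses and rule names are hypothetical, and the sensitive information type name is a placeholder to be replaced with the name shown in your tenant.

```powershell
# Added example: every name and address below is an assumption, not a value from the thread.
# Requires the ExchangeOnlineManagement module and a role allowed to manage mail flow rules.
Connect-ExchangeOnline

$PilotGroup   = 'dlp-pilot@contoso.example'                 # hypothetical group holding the pilot users
$Approvers    = 'approver1@contoso.example',
                'approver2@contoso.example'                 # hypothetical department approvers (non-admins)
$NricTypeName = '<NRIC sensitive information type name>'    # placeholder: use the name shown in your tenant

# (a) + (b): outbound mail from pilot members whose body or scannable attachments
# match the NRIC type is held until one of the named approvers releases it.
$nricRule = @{
    Name                               = 'PILOT - Hold outbound NRIC for approval'
    FromMemberOf                       = $PilotGroup          # scopes the rule to the pilot group only
    SentToScope                        = 'NotInOrganization'  # external recipients only
    MessageContainsDataClassifications = @{ Name = $NricTypeName; minCount = '1' }
    ModerateMessageByUser              = $Approvers
    Mode                               = 'Audit'              # log matches without holding mail yet
}
New-TransportRule @nricRule

# (c): content inside a password-protected attachment cannot be inspected,
# so such mail is routed to the sender's manager instead of being content-matched.
$pwdRule = @{
    Name                          = 'PILOT - Hold password-protected attachments'
    FromMemberOf                  = $PilotGroup
    SentToScope                   = 'NotInOrganization'
    AttachmentIsPasswordProtected = $true
    ModerateMessageByManager      = $true
    Mode                          = 'Audit'
}
New-TransportRule @pwdRule

# Review the pilot rules; after checking the audited matches, turn on the hold with:
#   Set-TransportRule -Identity 'PILOT - Hold outbound NRIC for approval' -Mode Enforce
Get-TransportRule |
    Where-Object Name -like 'PILOT - *' |
    Format-Table Name, State, Mode, Priority
```

Once a rule is in Enforce mode, each held message reaches the approver as an approval request that is approved or rejected from their own mailbox.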
sunhux

ASKER

c) We use attachments zipped with password (aes or zipto...). In some cases, Excel/Word attachments may be password protected using MS Office encryption.

f) I want to be able to withhold printing of docs to network printers if they contain NRIC, and likewise, released upon approvals.
sunhux

ASKER

Do point me to links on O365 DLP.
sunhux

ASKER

Anyone can point me to links showing screens/steps to configure?

Any inputs on items f & g?
ASKER CERTIFIED SOLUTION
btan