
Data Loss Prevention in an Exchange Hybrid Environment
By Nathan Swift
Contents
How to minimize risk
Terminology
Proposed implementation approach
Phase I - Awareness
Phase II - Governance
Reporting
Appendix A
How to minimize risk
Although malware and targeted attacks can cause data breaches, user error is actually a much greater source of data risk for most organizations.
Exchange 2013 and Exchange Online provide technology that identifies, monitors, and protects sensitive data and helps users understand and manage data risk.
http://blogs.msdn.com/b/microsoft_press/archive/2013/04/29/from-the-mvps-data-loss-prevention-with-office-365-and-exchange-online.aspx

Terminology
Policy - Hosts the transport rules.
Transport rules - If and Then statements for emails that can warn or block activity. These rules can be applied to a country or region and can be run against data classifications.
Data Classification - Data sets that use patterns to identify categories such as Finance, Personal Identification, and Health Information. Examples are Credit Cards, SWIFT Codes, Bank Account Numbers, Driver's License Numbers, and Passport Numbers.
Proposed implementation approach
Establish and refine DLP policies around the three data classifications: Finance, PII, and Health.
Two-step process as countries onboard:
1. Create awareness of DLP violations by notifying users in Outlook. Using reporting, a grace period, or another method, we can have the country move to the second phase.
2. Governance - messages sent containing sensitive information are rejected with an explanation.
Phase I - Awareness

Finance Phase 1: Awareness
If the message:
Is sent to 'Outside the organization'
and The message contains these sensitive information types: 'International Banking Account Number (IBAN)' or 'SWIFT Code' or 'Credit Card Number' | Count >= 1
Take the following actions:
Set audit severity level to 'Medium'
and Notify the sender that the message violates a DLP policy, but send the message
PII Phase 1: Awareness
If the message:
Is sent to 'Outside the organization'
and The message contains these sensitive information types: 'U.S. Social Security Number (SSN)' | Count >= 1 | 100% Confidence
Take the following actions:
Set audit severity level to 'Medium'
and Notify the sender that the message violates a DLP policy, but send the message
Health Phase 1: Awareness
If the message:
Is sent to 'Outside the organization'
and The message contains these sensitive information types: 'U.K. National Health Service Number' or 'U.K. National Insurance Number (NINO)' | Count >= 1
Take the following actions:
Set audit severity level to 'Medium'
and Notify the sender that the message violates a DLP policy, but send the message
User experience - Awareness
Phase II - Governance

Finance Phase 2: Governance
If the message:
Is sent to 'Outside the organization'
and The message contains these sensitive information types: 'Credit Card Number' or 'International Banking Account Number (IBAN)' or 'SWIFT Code' | Count >= 7 | 100% Confidence
And the Sender is in Country:DE
Take the following actions:
Set audit severity level to 'High'
and Reject the message Include the explanation 'Finance information in high volume was found in message, per Data Loss Prevention Policy unable to deliver your message.'
PII Phase 2: Governance
If the message:
Is sent to 'Outside the organization'
and The message contains these sensitive information types: 'U.S. Social Security Number (SSN)' | Count >= 7 | 100% Confidence
And the Sender is in Country:DE
Take the following actions:
Set audit severity level to 'High'
and Reject the message Include the explanation 'PII information in high volume was found in message, per Data Loss Prevention Policy unable to deliver your message.'
Health Phase 2: Governance
If the message:
Is sent to 'Outside the organization'
and The message contains these sensitive information types: 'U.K. National Health Service Number' or 'U.K. National Insurance Number (NINO)' | Count >= 7 | 100% Confidence
And the Sender is in Country:DE
Take the following actions:
Set audit severity level to 'High'
and Reject the message Include the explanation 'Health information in high volume was found in message, per Data Loss Prevention Policy unable to deliver your message.'
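The Finance rule pair above, expressed with the New-TransportRule cmdlet. This is an added example, not part of the original deck; it assumes an Exchange Management Shell or Exchange Online PowerShell session and an existing DLP policy, whose name here is a placeholder. The PII and Health pairs follow the same pattern with their own sensitive information types.

```powershell
# Added example: the DLP policy name is a placeholder, not a value from the deck.
$policy  = 'DLP-POLICY-NAME-PLACEHOLDER'
$finance = 'Credit Card Number',
           'International Banking Account Number (IBAN)',
           'SWIFT Code'

# Phase 1 (Awareness): one or more matches in mail leaving the organization.
# Audit at Medium and show the sender a Policy Tip; the message is still delivered.
$phase1 = @{
    Name                               = 'Finance Phase 1: Awareness'
    DlpPolicy                          = $policy
    SentToScope                        = 'NotInOrganization'
    MessageContainsDataClassifications = @($finance | ForEach-Object {
                                             @{ Name = $_; minCount = '1' } })
    SetAuditSeverity                   = 'Medium'
    NotifySender                       = 'NotifyOnly'
}
New-TransportRule @phase1

# Phase 2 (Governance): seven or more matches at 100% confidence from a sender
# whose Country attribute is DE. Audit at High and reject with the explanation.
$phase2 = @{
    Name                               = 'Finance Phase 2: Governance'
    DlpPolicy                          = $policy
    SentToScope                        = 'NotInOrganization'
    MessageContainsDataClassifications = @($finance | ForEach-Object {
                                             @{ Name = $_; minCount = '7'; minConfidence = '100' } })
    SenderADAttributeContainsWords     = 'Country:DE'
    SetAuditSeverity                   = 'High'
    RejectMessageReasonText            = 'Finance information in high volume was found in message, per Data Loss Prevention Policy unable to deliver your message.'
}
New-TransportRule @phase2

# Confirm both rules and their audit severity before onboarding the country.
Get-TransportRule -DlpPolicy $policy |
    Format-Table Name, State, Mode, SetAuditSeverity -AutoSize
```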
User experience - governance
Can create custom text for the message
Reporting
Because of the different methods of notifying through DLP and enforcing through transport rules, we can run reports against the DLP policies, DLP rules, and transport rules on sent email from Office 365.


Appendix A
Microsoft Press blog on Exchange Online DLP
Excel Details of DLP
Apply this Rule if
The Sender
Is this person
is external/internal
is a member of this group
address includes any of these words
address matches any of these text patterns
is on a recipient's supervision list
has specific properties including any of these keywords
has specific properties matching these text patterns
has overridden the Policy Tip
IP address is in any of these ranges or exactly matches
domain is
The Recipient
is this person
is external/internal
