DATA LOSS PREVENTION

Office 365 now includes data loss prevention (DLP) as a core feature across the tenant. In past releases, companies had to configure each service individually or rely on costly third-party products. It is now possible to enforce data compliance as an Office 365 global administrator without purchasing other tools, but it does require the Office 365 E3 or E5 plans. If you want to enable DLP on a standalone service, it can be enabled with Exchange, SharePoint, or Skype Online Plan 2 licenses.

DLP is managed by the administrator through DLP Policies in the Security & Compliance Center. There are out-of-the-box templates to detect common data types (SSN, credit card numbers, banking account numbers, etc.). You are also able to create your own custom policies for specific keywords or regular expressions on account numbers. Once a detection is made, you can customize the rules to take specific actions, such as encrypting the message and allowing it to be sent, or blocking the message entirely. You will also be able to create Policy Tips, which alert the user that they may be in violation of a policy before they click the send button.

With these new policies, it is quite easy to recognize a potential social security number, credit card number, or other common data. Microsoft has made the process of managing DLP much simpler for the average user by supplying pre-built templates that conform to major compliance legislation. The list below includes the following U.S. acts:

AVAILABLE DLP POLICY TEMPLATES FOR U.S. ACTS:

| Template | Description |
|---|---|
| PCI Data Security Standard (PCI DSS) | Helps detect the presence of information subject to PCI Data Security Standard (PCI DSS), including information like credit card or debit card numbers. |
| U.S. Federal Trade Commission (FTC) Consumer Rules | Helps detect the presence of information subject to U.S. Federal Trade Commission (FTC) Consumer Rules, including data like credit card numbers. |
| U.S. Financial Data | Helps detect the presence of information commonly considered to be financial information in United States, including information like credit card, account information, and debit card numbers. |
| U.S. Gramm-Leach-Bliley Act (GLBA) | Helps detect the presence of information subject to Gramm-Leach-Bliley Act (GLBA), including information like social security numbers or credit card numbers. |
| U.S. Health Insurance Act (HIPAA) | Helps detect the presence of information subject to United States Health Insurance Portability and Accountability Act (HIPAA), including data like social security numbers and health information. |
| U.S. Patriot Act | Helps detect the presence of information commonly subject to U.S. Patriot Act, including information like credit card numbers or tax identification numbers. |
| U.S. Personally Identifiable Information (PII) Data | Helps detect the presence of information commonly considered to be personally identifiable information (PII) in the United States, including information like social security numbers or driver's license numbers. |
| U.S. State Breach Notification Laws | Helps detect the presence of information subject to U.S. State Breach Notification Laws, including data like social security and credit card numbers. |
| U.S. State Social Security Number Confidentiality Laws | Helps detect the presence of information subject to U.S. State Social Security Number Confidentiality Laws, including data like social security numbers. |

For a complete list of available templates, please visit: http://bit.ly/2CGwGKa

Once you have selected a policy or created a custom policy for your needs, Office 365 allows you to easily test it before going into full production. If you allow notifications during testing, users will receive a mail tip before sending the message. All of this can be done through the Office 365 Administration Center, accessed via a web browser, or through PowerShell cmdlets.
Rules can also be given exceptions for specific users or for keywords in the subject line: for example, if the subject line contains “Override,” Office 365 will allow the message through.
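As an added example (not part of the original document), the test-before-production workflow described above can be scripted with the Security & Compliance PowerShell cmdlets. The policy name, rule name, administrator account and policy tip text are hypothetical placeholders, and the script assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example: all names, the account and the tip text are placeholders.
# Assumes the ExchangeOnlineManagement module and a compliance admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder account

$policyName = 'Pilot - Credit Card Data'          # hypothetical policy name
$ruleName   = 'Pilot - Block credit card numbers' # hypothetical rule name

# 1. Create the policy in test mode with notifications: matches are recorded
#    and users see the policy tip, but the rule's actions are not enforced.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Pilot: detect credit card numbers in Exchange mail' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# 2. Add the detection rule. 'Credit Card Number' is a built-in sensitive
#    information type; minCount = 1 triggers on a single match.
New-DlpComplianceRule -Name $ruleName `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This message appears to contain a credit card number.'

# 3. Confirm what was created and that the policy is still in test mode.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode
Get-DlpComplianceRule -Policy $policyName | Format-List Name, BlockAccess

# 4. Run separately, only after the pilot's matches have been reviewed for
#    false positives: switch the policy from test mode to enforcement.
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keeping step 4 as a separate, deliberate action means a rule that over-matches is found during the pilot rather than by users whose mail is blocked.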