Connecticut State Colleges & Universities
IT Support Center

Office 365 - DLP (Data Loss Prevention) FAQ

Have a question on Data Loss Prevention? Check out the following frequently asked questions when using DLP:


  •  What's new?
  • May 21, 2021: DLP "Notify Only" policy will be enabled for all faculty/staff and student OneDrive, Teams and SharePoint locations. DLP icons and policy tips will display when content is found that matches Protected Data elements SSN, Credit Card and/or Bank Account information. When a DLP policy is in "Notify Only" mode, it will not prevent access but will alert owners that content has been found and action is needed to remove the DCL3 data from that location.

    Refer to the FAQ item below about how and when the DLP "Notify Only" policy works.
  •  What is DLP (Data Loss Prevention) and what do I have to know about it?
  • Microsoft DLP prevents the loss of Protected Data when using O365 products (Email, OneDrive, Teams, SharePoint, etc). As we roll it out to more O365 products, you can come back here to find out how to interact with DLP as each product helps prevent the loss of Protected Data differently.

    Protected Data is defined in our Data Management Standards found here: http://supportcenter.ct.edu/Service/Standards/IT-STND-001Revised.pdf. DCL3, our highest level of data classification, is defined as "protected confidential data, which comprises identity and financial data that, if improperly disclosed, could be used for identity theft or to cause financial harm to an individual or the CSCU system." Examples of DCL3 are: SSN, credit card or bank account numbers along with personally identifiable information.

    When Microsoft DLP policies are applied, it will either warn or prevent you from sharing a file from OneDrive or SharePoint or attaching a file to an email and attempting to send it.

    Microsoft DLP does NOT block or prevent you from receiving email that matches Protected Data elements. It prevents Protected Data from being sent or shared. For example, if someone sends you an email with their SSN in it, Microsoft DLP will prevent you from replying to that person unless you first remove the Protected Data elements from the email's content, because the reply would send the data out again. Remember that you will also need to take action on the original email you received, since it still contains the Protected Data element (e.g. delete the email, redact the Protected Data element from the email, or move the information to the Protective Enclave); you can't leave it in your inbox.

    The sending/receiving/sharing of DCL3 data should not be occurring and any process that involves the sending or receiving of Protected Data elements SSN, Credit Card or Bank Account info needs to be updated to utilize the Protective Enclave.

    Do not rely solely on Microsoft DLP to prevent the loss of Protected Data. For example, if you are emailing known DCL3 to a recipient and Microsoft DLP is not able to match the data elements and therefore does not warn or block you from sending it, do NOT just send it.
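    As an added illustration (not part of this FAQ and not Microsoft's actual classifier), the Python below approximates how a DLP policy matches the SSN and credit card elements named above in "Notify Only" versus "Block" mode, and why a barcode with an SSN-like format is reported as a match even though it is a false positive. The patterns, the Luhn checksum and the sample messages are constructed assumptions; bank account matching is left out.

```python
import re

# Constructed approximation of DLP matching for this FAQ's Protected Data
# elements (SSN and credit card). It is NOT Microsoft's classifier.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"(?<!\d)\d{4}(?:[ -]?\d{4}){3}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: real card numbers pass, most random 16-digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_protected_elements(text: str) -> list[tuple[str, str]]:
    """Return (element type, matched text) for each match; SSNs are matched
    on format alone, which is why an SSN-shaped barcode is also reported."""
    hits = [("SSN", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("Credit Card", m.group()))
    return hits


def evaluate(text: str, mode: str) -> tuple[str, list[tuple[str, str]]]:
    """Apply a policy in 'notify' (alert only) or 'block' mode to content."""
    hits = find_protected_elements(text)
    if not hits:
        return "allow", hits
    return ("notify" if mode == "notify" else "block"), hits


# Constructed sample messages (not real data).
SAMPLES = {
    "ssn_in_body": "Hi, my SSN is 123-45-6789, please update my record.",
    "card_in_body": "Charge it to 4111 1111 1111 1111, thanks.",
    "order_number": "Your order 1234 5678 9012 3456 has shipped.",       # fails Luhn
    "barcode_like_ssn": "Asset barcode 555-12-3456 is on the scanner.",  # false positive
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, evaluate(body, "block"))
```

    The order number is not reported because it fails the Luhn check, while the barcode is reported because SSN matching is format-only; that is the false positive the FAQ tells you to redact or report.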
  •  What happened to the DLP override feature?
  • Back in June 2020, the capability to override the DLP block was removed due to the significant number of security incidents that were occurring. People were overriding DLP when DCL3 was in fact included in the content. Very few false positives were actually occurring.

    Now that the DLP override capability is no longer available, you can attempt to resend the email after removing or redacting the content: open the attached message, click Actions - Resend This Message, make your changes, and attempt to send again.

    However, if the content can't be redacted (e.g. a barcode number that has the same format as an SSN and needs to be included), then you will need to open a ticket in the Services Portal and someone from the Information Security Program Office will assist you. Make sure to specify that DLP for Email is blocking an email from being sent but the content is a false positive.
  •  A Policy Tip appeared telling me my email contains Protected Data. What does that mean?
  • If a Policy Tip appears while you are composing an email, it means the content of your message matches a Protected Data element and your email cannot be sent as it is.

    If your business procedures involve emailing DCL3 data, DLP will identify those practices and those procedures will need to change to no longer use email to send/receive DCL3. You should work with your business area to identify any procedures that need to change to use the Protective Enclave.

    However, if the content is not Protected Data but was flagged because it matched a Protected Data element (e.g. a barcode number that has the same format as an SSN and needs to be included in the email), then you will need to make your changes to remove or redact the content so it can be sent. If the content can't be redacted, then you will need to open a ticket in the Services Portal and someone from the Information Security Program Office will assist you. Make sure to specify that DLP for Email is blocking an email from being sent but the content is a false positive.
  •  I received a Message Blocked email. It says an email I sent contained Protected Data. What do I do?
  • If you receive a "Message Blocked" email, it means you clicked Send on an email message that contained DCL3 (in either the body of the email or an attachment) before the Policy Tip had a chance to appear (see the previous FAQ item).

    This means your message was not sent.

    If your business procedures involve emailing DCL3 data, DLP will identify those practices and those procedures will need to change to no longer use email to send/receive DCL3. You should work with your business area to identify any procedures that need to change to use the Protective Enclave. Remember to delete the "Message Blocked" email (as it contains the content as an attachment) as well as the one in your Sent folder and empty your Deleted Items.

    However, if the content is not Protected Data but was flagged anyway (e.g. a barcode number that has the same format as an SSN), resend the email by opening the attached message, clicking Actions - Resend This Message, then making your changes to remove the matching content and sending again. If the content can't be redacted or removed and the message is still blocked, then you will need to open a ticket in the Services Portal and someone from the Information Security Program Office will assist you. Make sure to specify that DLP for Email is blocking an email from being sent but the content is a false positive.
  •  Someone sent me an email that contained Protected Data (DCL3) - what do I do?
  • NOTE: The sending/receiving of DCL3 elements (i.e. SSN, Bank Account information, Credit Cards) should not be occurring and any process that involves the sending or receiving of DCL3 data needs to be updated to utilize the Protective Enclave.

    But if someone does send you DCL3 via email, you will need to take action on the email that contains the Protected Data (e.g. delete the email sent to you, redact the data element from the email, or move the information to the Protective Enclave); you can't leave it in your inbox. After deleting any emails with Protected Data, remember to empty your Deleted Items folder.

    NOTE: If you reply to someone that sent you DCL3 data elements, it will be blocked (see previous FAQ) unless you first remove/redact that info.

    You should also educate the person who sent you the Protected Data not to do so in the future and to follow the proper procedures for handling Protected Data instead.
  •  What does this icon mean in OneDrive/SharePoint/Teams file locations?
  • There are several icons that could appear after a file in OneDrive/SharePoint or in Teams. A Policy Tip is always associated with the icon to let you know exactly why the icon is displayed:

    Notify Only: If the file has a red triangle icon with an exclamation mark, it means DLP has identified Protected Data (DCL3 such as SSN, Credit Card or Bank Account info) in the file and is letting you know so that appropriate action can be taken.

    Block: If the file has a circle icon with a dash, it means access to the file is blocked: when others try to open it, they will receive the "You do not have access" message even if you have shared the file with them.

    NOTE: These icons do not appear if you use the OneDrive sync client to sync to your PC's File Browser. They are only displayed in the browser or in the Teams app.

    If you click "View policy tip", you can see additional information about why the file was flagged.

    If you are using the Microsoft Teams app to view the list of files, the icons are also displayed when a file has content that matches DCL3 (SSN, Bank account information or Credit Card information).

    Policy Tips are also displayed if you open the file in Microsoft Teams.

    What do I do if I see these icons in a OneDrive/Teams/SharePoint location?

    If your business procedures involve storing DCL3 data in O365, DLP will identify those practices by showing you the icons. You will need to work with your business area to identify those procedures that need to change to utilize the Protective Enclave. You will also need to remove the content from the O365 location (OneDrive, Team or SharePoint site).

    What if the content does not contain Protected Data (i.e. a False Positive)? Refer to the FAQ item below about a file that is flagged but does NOT contain Protected Data.
  •  I received an email that said content was blocked. It says it contains Protected Data. What do I do?
  • If you receive an email saying that content was blocked, it means the location of the file has a DLP Block policy applied and a file was saved there that contains content matching DCL3 data (SSN, Bank account information or Credit Card information). You received the email because you were either the last person to modify the document or the one who shared it. You can use the "Open the item" link in the email to open the file in question. NOTE: You will only get the email notification for new documents; editing an old document that already had matching content does not generate an email, but DLP will still flag it by displaying the icon.

    If your business procedures involve storing DCL3 data in O365, DLP will identify those practices by showing you the icons. The file does not have to be shared for you to receive a notification; it just has to contain matching data. You will need to work with your business area to identify those procedures that need to change to utilize the Protective Enclave. You will also need to remove the content from the O365 location (OneDrive, Team or SharePoint site).

    However, if the content is not Protected Data but was blocked anyway (e.g. a barcode number that has the same format as an SSN), then you will need to make changes to remove or redact the matching content. If the content can't be redacted, then you will need to open a ticket in the Services Portal and someone from the Information Security Program Office will assist you. Make sure to specify that DLP blocked content but the content is a false positive, and include the document library (OneDrive/SharePoint/Teams) location and the file name.
  •  My file in OneDrive/Teams/SharePoint is being flagged, but does NOT contain Protected Data, what do I do?
  • If a file is flagged as containing Protected Data but does not (e.g. a barcode number that has the same format as an SSN), then you will need to remove or redact the matching content or keywords. If the content can't be redacted, then you will need to open a ticket in the Services Portal and someone from the Information Security Program Office will assist you. Make sure to specify that DLP flagged content but the content is a false positive, and include the document library (OneDrive/SharePoint/Teams) location and the file name.
  •  My file in OneDrive/Teams/SharePoint does contain Protected Data but isn't flagged, what do I do?
  • NOTE: The storing/sharing of Protected Data elements SSN, Bank account or Credit Card information should not be occurring and any process that involves the storing or sharing of DCL3 in O365 needs to be updated to utilize the Protective Enclave.

    Do not rely solely on Microsoft DLP to prevent the loss of Protected Data. For example, if you are saving/sharing known DCL3 and Microsoft DLP is not able to match the Protected Data and therefore does not warn or block you, do NOT just save/share it.

    If a file contains DCL3 but is not flagged, please contact us using the Services Portal. Be sure to include the document library (OneDrive/SharePoint/Teams) location and the file name.
This FAQ was last updated: Friday, May 14, 2021