Data Loss Prevention: Block non-permitted classifications
This section describes the configuration of Data Loss Prevention (DLP) policies within Microsoft Purview associated with systems built according to guidance in ASD's Blueprint for Secure Cloud.
Estimated reading time: 4 minutes
Instruction
The below tables outline the as built configuration for ASD’s Blueprint for Secure Cloud (the Blueprint) for the Microsoft Purview portal at the following URL:
https://compliance.microsoft.com/datalossprevention/policies
The settings described on these pages provide a baseline implementation for a system configured using the Blueprint. Any implementation implied by these pages should not be considered as prescriptive as to how an organisation must scope, build, document, or assess a system.
Implementation of the guidance provided by the Blueprint will differ depending on an organisation’s operating context and organisational culture. Organisations should implement the Blueprint in alignment with their existing change management, business processes and frameworks.
Placeholders such as <ORGANISATION.GOV.AU>, <BLUEPRINT.GOV.AU> and <TENANT-NAME> should be replaced with the relevant details as required.
Name
| Item | Value |
|---|---|
| Name | Block non-permitted classifications |
| Description | Blocks classifications which are not permitted to be stored on the system |
Admin units
| Item | Value |
|---|---|
| Admin units | Full directory |
Locations
| Item | Value |
|---|---|
| Exchange email | All groups |
| SharePoint sites | |
| OneDrive accounts | |
| Teams chat and channel messages | |
| Devices | |
| On-premises repositories | |
| Power BI workspaces |
Advanced DLP rules
Block SECRET items
| Item | Value |
|---|---|
| Name | Block SECRET items |
| Description |
Conditions
| Item | Value |
|---|---|
| Content contains | Sensitive info types |
| Group name | Default |
| Group operator | Any of these |
| Sensitive info types | |
| - SECRET classified information | Medium confidence; Instance count: 1 to Any |
| OR | |
| Header contains words or phrases | Header name: X-Protective-MarkingWords: SEC=SECRET |
| OR | |
| Subject contains words or phrases | SEC=SECRET |
| OR | |
| Content contains | Sensitivity labels |
| Group name | Default |
| Group operator | Any of these |
| Sensitivity labels | SECRET |
Actions
| Item | Value |
|---|---|
| Restrict access or encrypt the content in Microsoft 365 locations | Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files - Block everyone |
User notifications
| Item | Value |
|---|---|
| Use notifications to inform your users and help educate them on the proper use of sensitive info | On |
| Email notifications | Checked - Notify the user who sent, shared, or last modified the content - Attach matching email message to the notification |
| Policy tips | Checked |
User overrides
| Item | Value |
|---|---|
| Allow overrides from M365 services | Not checked |
Incident reports
| Item | Value |
|---|---|
| Use this severity level in admin alerts and reports | Medium |
| Send an alert to admins when a rule match occurs | On |
| Send an alert every time an activity matches the rule | Selected |
| Use email incident reports to notify you when a policy match occurs | Off |
Additional options
| Item | Value |
|---|---|
| If there’s a match for this rule, stop processing additional DLP policies and rules | Not checked |
| Priority | 0 |
Block TOP SECRET items
| Item | Value |
|---|---|
| Name | Block TOP SECRET items |
| Description |
Conditions
| Item | Value |
|---|---|
| Content contains | Sensitive info types |
| Group name | Default |
| Group operator | Any of these |
| Sensitive info types | |
| - TOP SECRET classified information | Medium confidence Instance count: 1 to Any |
| OR | |
| Header contains words or phrases | Header name: X-Protective-MarkingWords: SEC=TOP-SECRET |
| OR | |
| Subject contains words or phrases | SEC=TOP-SECRET |
| OR | |
| Content contains | Sensitivity labels |
| Group name | Default |
| Group operator | Any of these |
| Sensitivity labels | TOP SECRET |
Actions
| Item | Value |
|---|---|
| Restrict access or encrypt the content in Microsoft 365 locations | Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files - Block everyone |
User notifications
| Item | Value |
|---|---|
| Use notifications to inform your users and help educate them on the proper use of sensitive info | On |
| Email notifications | Checked - Notify the user who sent, shared, or last modified the content - Attach matching email message to the notification |
| Policy tips | Checked |
User overrides
| Item | Value |
|---|---|
| Allow overrides from M365 services | Not checked |
Incident reports
| Item | Value |
|---|---|
| Use this severity level in admin alerts and reports | Medium |
| Send an alert to admins when a rule match occurs | On |
| Send an alert every time an activity matches the rule | Selected |
| Use email incident reports to notify you when a policy match occurs | Off |
Additional options
| Item | Value |
|---|---|
| If there’s a match for this rule, stop processing additional DLP policies and rules | Not checked |
| Priority | 1 |
Policy mode
| Item | Value |
|---|---|
| Policy mode | Turn the policy on immediately |
Related information
Security & Governance
- None identified
Design
- None identified
Configuration
- None identified
References
- None identified