MNIT’s Data Protection Service provides technical functionality through two offerings: Data Loss Prevention (DLP) and Azure Information Protection (AIP).
Data Loss Prevention (DLP) is a set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. DLP operates in a monitoring mode to detect and block sensitive data for all agencies that reside on MNIT’s M365 tenant.
DLP is currently deployed as a monitoring service. It is configured to scan communications and report issues; it reports on, but does not stop, these communications.
DLP is currently turned on for all agencies in a monitoring capacity only.
DLP policies are like AIP policies but are designed to prevent the unauthorized sharing of M365 documents that contain sensitive information using pattern recognition instead of the labels that AIP relies on. Example: a DLP policy defined to stop the sharing of social security numbers will scan documents for text that looks like a social security number and then prevent that information from being shared.
DLP policies are targeted computer algorithms that look for patterns such as credit card data or social security data in documents or email. DLP then applies the actions determined by the agency’s defined policy, such as report, alert, block, or other actions.
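To make the pattern-recognition idea concrete, here is an added illustration (not MNIT’s or Microsoft’s code) of a minimal DLP-style check: it looks for the two patterns the page names, social security numbers and credit card numbers, trims credit card false positives with a Luhn checksum, and then applies either the monitoring action (report) or the enforcement action (block). The regular expressions, the sample text and the function names are constructed for this example.

```python
import re

# Constructed patterns for the two sensitive-data types the page names.
# SSN: nnn-nn-nnnn, excluding area 000, 666, 900-999, group 00 and serial 0000,
# which the SSA never issues; this keeps obvious non-SSN numbers from matching.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a random digit run fails it about 90% of the time."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) pairs found in the text."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Checksum filter: a digit run that fails Luhn is dropped, which is
        # how a DLP rule keeps ticket or order numbers out of its reports.
        if luhn_ok(digits):
            hits.append(("credit_card", m.group()))
    return hits


def apply_policy(text: str, mode: str = "monitor") -> dict:
    """Decide the DLP action: 'monitor' only reports, 'block' stops sharing."""
    hits = find_sensitive(text)
    if not hits:
        return {"action": "allow", "matches": []}
    return {"action": "block" if mode == "block" else "report", "matches": hits}


if __name__ == "__main__":
    # Constructed sample: one real-looking SSN, one Luhn-valid card number,
    # and one 16-digit value that fails Luhn and should not be reported.
    sample = "SSN 123-45-6789, card 4111 1111 1111 1111, ticket 4111 1111 1111 1112"
    print(apply_policy(sample))           # monitoring mode: report
    print(apply_policy(sample, "block"))  # enforcement mode: block
```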
DLP policies scan documents to automatically identify sensitive data including:
Financial data
Personally Identifiable Information (PII)
Credit card numbers
Social security numbers
Health records
DLP identifies, monitors, and prevents unauthorized sharing of sensitive data in the following platforms:
Microsoft Office: emails, Word, Excel, and PowerPoint
Exchange Online
SharePoint Online
OneDrive for Business
Microsoft Teams
Windows 10 Devices
Microsoft Defender for Cloud Apps
What is included:
Service management
Reporting
The DLP Alerts Management Dashboard provides alerts and reports for the agency.
View policy match reports to assess the agency’s compliance.
View reports of policy overrides and false positives.
Azure Information Protection (AIP) is a cloud-based solution that enables organizations to classify and protect documents and emails. Executive branch agencies can choose to use AIP to classify information using “labels” and control the flow of information using AIP and DLP “policies.”
AIP is an opt-in service.
Agencies can contact their MNIT Relationship Manager to get the process started.
AIP labels and policies must be applied for all employees at an agency. The service cannot be applied to select sub-units of an agency.
Agencies can decide if this service is mandatory for their users.
AIP labels:
Can be thought of as metadata attached to M365 documents that enables an organization to quickly recognize which information is subject to sharing restrictions.
Apply a classification to documents and emails to protect the data.
AIP policies:
Can be thought of as electronic filters that actively prevent the unauthorized sharing of M365 documents that contain sensitive information, as defined by their AIP label.
Determine which users the AIP labels are targeted to and whether those users need to interact with the label in any way.
AIP is currently set up to categorize and report. It is not configured to encrypt and stop sharing actions.
The agency submits a request for service. MNIT Relationship Managers create a Service Authorization (SA). Authorized business partners sign the SA to start the service.
The agency identifies and assigns an agency employee as the Data Protection Owner for this service and notifies MNIT if the assigned owner changes.
The agency, together with its legal department, works with the MNIT Business Information Security Officer (the security resource assigned to the agency) to define its data protection needs and goals (e.g. protect HIPAA data, IRS 1075 data, etc.). MNIT’s legal counsel is also available if the agency has no legal department.
The agency trains and supports their staff on how to use AIP labels in accordance with agency defined standards and guidance.
The agency creates and monitors agency specific DLP report data, taking action as necessary.
Service Costs
The Data Protection Service is a part of the Enterprise Software Bundle. There is no added cost.