What is a Data Loss Prevention Policy?
Organizations have sensitive information under their control, such as employee or student personal information, financial data, proprietary data, credit card numbers, health records, or social insurance numbers. Data Loss Prevention (DLP) is a security solution that identifies and helps prevent unsafe or accidental sharing of sensitive data.
A DLP policy can identify, monitor, and automatically protect sensitive items across:
- Microsoft 365 services such as Teams, Exchange, SharePoint, and OneDrive accounts
- Office applications such as Word, Excel, and PowerPoint
Why our College is using Data Loss Prevention
Our community entrusts us with the appropriate, safe storage and use of their sensitive information. This technology, implemented in most organizations, works as an additional safeguard to ensure that we, as stewards and users of this sensitive information, do not accidentally share that information with unintended recipients.
How Does Data Loss Prevention Work?
A DLP solution makes use of a combination of standard cybersecurity measures, such as firewalls, endpoint protection tools, monitoring services and antivirus software, and advanced solutions, such as artificial intelligence (AI), machine learning (ML) and automation, to prevent data breaches, detect anomalous activity and contextualize activity for the Cyber Security team.
For example, if a user performs an action that is flagged by the DLP policy, such as copying a sensitive item to an unapproved location, sharing medical information in an email, or meeting other conditions laid out in a policy, DLP can:
- Show a pop-up policy tip to the user warning them that they may be trying to share a sensitive item inappropriately
- Block the sharing and, via a policy tip, allow the user to override the block and capture the user's justification
- Block the sharing without the override option
- Lock stored sensitive items and move them to a secure quarantine location
- Prevent sensitive information from being displayed in Teams chat
What is considered Sensitive Information?
Sensitive Information can include (but is not limited to):
- Financial data
- Personally Identifiable Information (PII)
- Credit card numbers
- Social insurance numbers
- Personal Health Information (PHI)
- Health records
- Any information related to a client's care
Mohawk College has implemented policies based on templates from the following:
- Personal Health Information Protection Act (PHIPA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Canadian Financial Data
The following workloads will be monitored for sensitive information for all accounts and sites:
- Exchange email
- SharePoint sites
- OneDrive accounts
- Teams chat and channel messages
FAQ
I accidentally shared sensitive information. What should I do?
- Review and follow the steps outlined in the Security Incident Response Plan.
I deal with many emails and documents daily; how can I be sure I'm not sharing sensitive information unintentionally?
- The best way to be sure is to understand what sensitive information is at the college. Start with the Information Governance and Security Policy (PDF).
I need to share sensitive information for a legitimate reason. How can I safely share this information?
- Depending on how you want to share the information (email, OneDrive, Teams) there is a way to share information safely. Please see one of the following guides for more information: