
DLP Policy

To comply with business standards and industry regulations, the State of Montana needs to protect sensitive information and prevent its inadvertent disclosure. With a data loss prevention (DLP) policy template set on our email system and OneDrive for Business storage, the State can better identify, monitor, and automatically protect sensitive information.

What is considered sensitive information according to the DLP policy template?

  • Credit Card Number
  • Drug Enforcement Agency (DEA) Number
  • U.S. / U.K. Passport Number
  • U.S. Bank Account Number
  • U.S. Individual Taxpayer Identification Number (ITIN)
  • U.S. Social Security Number (SSN)
  • MT Driver’s License Number (not currently being scanned for; work is under way to add this)

DLP for Email

Regular email is not a secure method of communication. To enhance protection of the sensitive information of State of Montana citizens, the Montana Information Security Advisory Council has approved an email policy that will prevent the sending of sensitive information without properly securing the email. This email policy will start in audit mode on January 30th. Audit mode means that if an email contains sensitive information, the email will not be blocked, but a tool tip will be displayed in Outlook before the email is sent.

What will happen should I send an email with the above sensitive information?

A policy tool tip will display (similar to the “Out of Office” tip) within the email message before you hit send.

As of January 30th you will only receive a tool tip, and the email will still be sent. Once audit mode is turned off (currently scheduled for July 1st, 2017), you will get a notification email stating that the email was blocked from being sent and listing what the email contained that marked it as sensitive. A notification report will also be sent to the security team.

What should you do if you believe the email blocking was done in error?

Contact the agency service desk or SITSD service desk.

When will audit mode be turned off, and blocking of unencrypted sensitive emails begin?

July 1st, 2017 is the scheduled date to turn off audit mode and begin blocking unencrypted sensitive email. It is possible that the MT-ISAC Council will move this date up. Notifications will be sent out at least two weeks prior to turning off audit mode.

What can I do now to securely send email if I know it will contain sensitive information?

Use the Secure File Transfer Service.

There is an Outlook Add-In available for Windows 10/Outlook 2016 that adds the Secure File Transfer Service as an icon in the Outlook application. With the Add-In, you click the Secure File Transfer icon within Outlook (not the Send button) to securely send sensitive email. Please work with your Agency IT staff for installation of the Add-In. Email your service desk or SITSD service desk for more information.

Windows 7/Outlook 2016 is not supported by SITSD. Some agencies have reported success in using the Add-In on Windows 7/Outlook 2016.

Can I help test with audit mode turned off (before July 1, 2017) to see how this will affect me or my division?

Contact the agency service desk or email SITSD service desk for more information.

DLP for OneDrive for Business Users

Starting January 29th DLP will be turned on for OneDrive for Business. If you have sensitive information found within any of your documents stored on OneDrive, you will receive an email notice on this date.

What will happen if I store a document with sensitive information on OneDrive?

If you are using Microsoft OneDrive for Business to store documents, a notification will be sent to you (starting on January 29th) should you have any sensitive information (see above for what is considered sensitive information) stored on OneDrive. This notification will list the document, and the owner of the file will be able to continue to use the document (read, write, edit). A red icon will appear on the document icon signifying that the document contains sensitive information.

If a document is flagged as sensitive, you will be able to share the document only with other state employees, and once it is shared you will receive an email notification. If the person you shared the document with also shares the document, you as the owner of the document will again receive an email notification that it was shared, and by whom and to whom.

What should you do if you believe the document was falsely tagged with sensitive information?

Contact the agency service desk or SITSD service desk.

Will I be able to share my OneDrive document with an outside entity (non-state user)?

During its February 8th meeting, the MT-ISAC council will consider approving the sharing of OneDrive documents (containing non-sensitive information) with outside entities.

Any document that contains sensitive information in OneDrive will not be allowed to be shared with outside entities. See above for how to properly secure and send sensitive information.

For more information on DLP for OneDrive, visit the Service Catalog site at the following location: http://sitsdservicecatalog.mt.gov/O365/dlp