
DLP Policy

To comply with business standards and industry regulations, the State of Montana needs to protect sensitive information and prevent its inadvertent disclosure. With a data loss prevention (DLP) system policy template set on our email system and OneDrive for Business storage, the State can better identify, monitor, and automatically protect sensitive information.

What is considered sensitive information according to the DLP System policy template?

  • Credit Card Number
  • Drug Enforcement Agency (DEA) Number
  • U.S. / U.K. Passport Number
  • U.S. Individual Taxpayer Identification Number (ITIN)
  • U.S. Social Security Number (SSN)

DLP for Email

Regular email is not a secure method of communication. To enhance protection of the sensitive information of State of Montana citizens, the Montana Information Security Advisory Council has approved an email policy that will prevent the sending of sensitive information without properly securing the email.

What will happen should I send an email with the above sensitive information?

A policy tool tip will display within the email message before you hit send (similar to the “Out of Office” tip that displays).

As of October 1st, 2017, you will get a notification email stating that the email was blocked from being sent and listing what the email contained that marked it as sensitive. A notification report will also be sent to the security team.

What should you do if you believe the email blocking was done in error?

Contact the agency service desk or SITSD service desk.

When will Audit mode be turned off, and blocking of unencrypted sensitive emails begin?

Beginning October 1st, 2017, audit mode was turned off and unencrypted sensitive email began being blocked.

What can I do now to securely send email if I know it will contain sensitive information?

Use the Secure File Transfer Service.

Encrypted email information - Click here.  

There is an Outlook Add-In available for Windows 10/Outlook 2016 that adds the Secure File Transfer Service as an icon in the Outlook application. With the Add-In, you click the Secure File Transfer icon within Outlook (not the Send button) to securely send sensitive email. Please work with your Agency IT staff for installation of the Add-In. Email your service desk or SITSD service desk for more information.

Windows 7/Outlook 2016 is not supported by SITSD. Some agencies have reported success in using the Add-In on Windows 7/Outlook 2016.

Contact the agency service desk or email the SITSD service desk for more information.

For more information on DLP for Exchange visit the Service Catalog site at the following location: http://sitsdservicecatalog.mt.gov/O365/exchangedlp  

 

DLP for OneDrive for Business Users

DLP for OneDrive for Business has been turned on since January of 2017. If sensitive information is found within any of your documents stored on OneDrive, you will receive an email notice once the file is stored to your OneDrive.

What will happen if I store a document with sensitive information on OneDrive?

If you are using Microsoft OneDrive for Business to store documents, a notification will be sent to you once you store any sensitive information (see above for what is considered sensitive information) on OneDrive. This notification will list the document, and the owner of the file will be able to continue to use the document (read, write, edit). A red icon will appear on the document icon, signifying that the document contains sensitive information.

If a document is flagged as sensitive, you will be able to share the document only with other state employees, and once it is shared you will receive an email notification. If the person you shared the document with also shares the document, you as the owner of the document will again receive an email notification stating that it was shared, by whom, and to whom.

What should you do if you believe the document was falsely tagged with sensitive information?

Contact the agency service desk or SITSD service desk.

Will I be able to share my OneDrive document with an outside entity (non-state user)?

In February 2017, the MT-ISAC council approved sharing documents that contain non-sensitive information in OneDrive with outside entities.

Any document that contains sensitive information in OneDrive will not be allowed to be shared with outside entities. See above for how to properly secure and send sensitive information.

How can I securely share a document or folder using OneDrive for Business?

Click here to watch a video showing how to securely share a document within Office 2016 or from within OneDrive. Data is secured while stored in OneDrive for Business (encrypted at rest) and while being transmitted (encrypted in transit).

For more information on DLP for OneDrive – visit the Service Catalog site at the following location: http://sitsdservicecatalog.mt.gov/O365/dlp