Educause Security Discussion mailing list archives
Re: Minimum DLP rules & thresholds for all users
From: Ken Munro <Ken.Munro () MSVU CA>
Date: Mon, 9 Nov 2020 18:47:54 +0000
We use Office 365 DLP. We monitor for SSN (or SIN in Canada), health card numbers, driver's licenses, passport numbers, credit card numbers, and bank account numbers. We monitor all accounts. Our thresholds are low. Any number (1 or above) of these numbers is reported, but in a weekly and monthly summary email, not for each incident. I would run a custom report in the Office 365 Security and Compliance center to get more details.

We are a small university as well, and the IT department took it upon itself to monitor for this leakage. It is not driven by a top-down governance need, unfortunately.

Thanks.
Ken Munro
________________________________________
Ken Munro
Security Compliance and Training Specialist
Information Technology and Services
Mount Saint Vincent University
166 Bedford Highway
Halifax, NS B3M 2J6
(902) 457-6150
ken.munro () msvu ca

Confidentiality Notice: This email may be private and confidential. If you have received this e-mail by mistake, please immediately notify the sender by e-mail or telephone, delete it from your system, and do not copy or distribute it.
Phishing Warning: IT&S does not request passwords or other personal information via email. Messages requesting such information are phishing attempts and should be deleted.

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Monday, November 9, 2020 2:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Minimum DLP rules & thresholds for all users

I would like to get some feedback from folks that have deployed a DLP solution:

1. What are the minimum rules and thresholds you've applied across your org to all/most users, as opposed to more granular rules you may have applied to specific groups requiring increased security/privacy?
2. Since SSN is often regarded as a key piece of PII, what rules/thresholds have you applied for SSNs, and what regulatory criteria support them (FERPA, GLBA, GDPR, etc.)?
3. What person or group is responsible for establishing DLP policy parameters: IT, Privacy Office, Legal, etc.?

I'm especially interested in small/medium private institutions like mine who don't have as heavy of a compliance burden as larger, public ones.

Many thanks.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
**********
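The set-up Ken describes (a few sensitive-number detectors run against every account, a per-message threshold of 1, and a weekly or monthly summary rather than an alert per incident) comes down to a small amount of logic. The Python below is an added example written for this archive page; it is not code from the thread, from Office 365 DLP, or from either institution, and the detector rules, message samples, sender addresses and thresholds are all constructed. It goes slightly beyond the thread by adding a Luhn checksum, the standard way DLP engines cut false positives on SIN and card numbers.

```python
"""Added example, not part of the EDUCAUSE thread: a minimal DLP-style
scanner with three detectors, a per-message threshold, and a summary
roll-up. Every message and identifier below is constructed test data."""
import re
from collections import defaultdict


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: valid for real card numbers and Canadian SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_us_ssn(text: str) -> list:
    """AAA-GG-SSSS, dropping the ranges the SSA never issues
    (area 000, 666, 900-999; group 00; serial 0000)."""
    hits = []
    for m in re.finditer(r"\b(\d{3})-(\d{2})-(\d{4})\b", text):
        area, group, serial = m.groups()
        if area in ("000", "666") or area.startswith("9"):
            continue
        if group == "00" or serial == "0000":
            continue
        hits.append(m.group(0))
    return hits


def find_ca_sin(text: str) -> list:
    """Nine digits, optionally in groups of three, that pass Luhn."""
    hits = []
    for m in re.finditer(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b", text):
        if luhn_ok("".join(m.groups())):
            hits.append(m.group(0))
    return hits


def find_card(text: str) -> list:
    """13-19 digits with optional separators that pass Luhn."""
    hits = []
    for m in re.finditer(r"\b(?:\d[ -]?){12,18}\d\b", text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group(0))
    return hits


DETECTORS = {"US SSN": find_us_ssn, "Canada SIN": find_ca_sin, "Credit card": find_card}


def scan_message(body: str) -> dict:
    """Return {type name: [matched strings]} for one message body."""
    return {name: hits for name, fn in DETECTORS.items() if (hits := fn(body))}


def evaluate(messages: list, min_count: int = 1) -> list:
    """Apply a per-message threshold. min_count=1 is the 'any number,
    1 or above' setting from the thread; raise it to trade recall for noise."""
    incidents = []
    for msg in messages:
        found = scan_message(msg["body"])
        if sum(len(v) for v in found.values()) >= min_count:
            incidents.append({"sender": msg["sender"], "date": msg["date"],
                              "types": {k: len(v) for k, v in found.items()}})
    return incidents


def summary_report(incidents: list) -> dict:
    """Roll incidents up per sender and per type, the shape a weekly or
    monthly digest needs, instead of one alert per message."""
    per_sender = defaultdict(lambda: defaultdict(int))
    for inc in incidents:
        for t, n in inc["types"].items():
            per_sender[inc["sender"]][t] += n
    return {s: dict(t) for s, t in per_sender.items()}


# Constructed sample traffic (example.edu addresses; the numbers are the
# public Luhn test values, not real identifiers).
SAMPLE_MESSAGES = [
    {"sender": "alice@example.edu", "date": "2020-11-02",
     "body": "Please update my record, SSN 123-45-6789, thanks."},
    {"sender": "bob@example.edu", "date": "2020-11-03",
     "body": "Payroll: SIN 046 454 286 for the new hire."},
    {"sender": "alice@example.edu", "date": "2020-11-04",
     "body": "Card on file 4111 1111 1111 1111, exp 12/23."},
    {"sender": "carol@example.edu", "date": "2020-11-05",
     "body": "Invoice 123456789 paid; call 902-457-6150. 666-12-3456 is a placeholder."},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_MESSAGES, min_count=1)
    for sender, counts in summary_report(found).items():
        print(sender, counts)
```

Carol's message shows why validation matters: a 9-digit invoice number, a phone number and an SSA-excluded SSN all pass the bare regexes but none are reported. Even so, roughly one in ten random 9-digit strings passes Luhn, so at a threshold of 1 the digest will still carry some noise; that is exactly why a summary report beats per-incident alerts at this setting, and why in production the built-in Office 365 sensitive information types (which add keyword and proximity checks) are preferable to home-grown patterns.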
Current thread:
- Minimum DLP rules & thresholds for all users Jim A. Bole (Nov 09)
- Re: Minimum DLP rules & thresholds for all users Ken Munro (Nov 09)
- Re: Minimum DLP rules & thresholds for all users Jeff Choo (Nov 09)
- Re: Minimum DLP rules & thresholds for all users Jim A. Bole (Nov 11)