Data overexposure policies in Privacy Risk Management

Your organization may store content at various levels of access, including areas that are publicly accessible and others that are restricted. Data overexposure policies in Microsoft Priva Privacy Risk Management can help you detect and handle situations in which data stored by your organization is insufficiently secure. For example, if access to an internal site is open to too many people or your permissions settings haven't been maintained, personal data stored on that site might be vulnerable to a breach.

Data overexposure policies can evaluate your data for overexposure risks and alert you to potential issues. When a policy match is detected, you can send users email notifications with remediation options that include keeping or deleting the item, or making the item private (see details at step 10 of the policy creation process).

The policy setup process guides you through setting policy conditions. You control when alerts are raised and how often users receive the emails that bring their attention to safe data handling practices.

There are two ways you can create a policy: from a template, which is our quick "out-of-box" option using default settings; or the custom option, which is a guided process for setting conditions, alerts, and notifications.

Quick setup: Use a template with default settings

The default data overexposure policy evaluates personal data at all three levels of access: public, external, and internal.

Follow these steps to create a default data overexposure policy:

  1. Sign in to one of the following portals using credentials for an admin account in your Microsoft 365 organization:

  2. Go to the privacy risk management solution and select the Policies page.

  3. Select Create a policy.

  4. In the Data overexposure box, select Create.

  5. A flyout pane contains policy details. Select View settings to show the default settings. You can edit settings from here, which takes you into the guided process outlined below. To continue creating your policy using the default settings, enter a descriptive name, then select Create policy.

Your policy is created and you'll find it listed on your Policies page. It begins in test mode so you can monitor how it performs before turning it on.

Default data overexposure policy settings

A data overexposure policy created from the template will detect:

  • When a user provides overly broad access to items containing personal data that are stored in your organization's OneDrive or SharePoint. For example, the policy detects the sharing of personal data in the following ways:
    • Through a link that anyone in the public can access
    • Through a link or permissions that allow everyone in the organization to access the item
    • Granting access rights to external users or guests to OneDrive or SharePoint files
  • Data types based on the following classification groups:
    • EU General Data Protection Regulation (GDPR)
    • US personally identifiable information
    • US Patriot Act
    • US State Breach Notification Law
    • US Gramm-Leach-Bliley Act (GLBA)
    • US Health Insurance Portability and Accountability Act (HIPAA)
    • Australia Health Records Act (HRIP)
    • Australia Privacy Act
    • Japan personally identifiable information
    • Japan Protection of Personal Information

Custom setup: Guided policy creation process

The custom policy option is a guided process to create a new policy by setting conditions, designating alert severity and frequency, and turning on user email notifications.

Important

Data overexposure policies can be set up to cover both Microsoft 365 and multicloud (preview) locations. However, certain policy settings apply only to Microsoft 365 locations. Get details about [selecting multicloud locations](risk-management-policies.md#multicloud-data-sources-preview) and policy settings that depend on location.

Complete the steps below to create a new data overexposure policy:

  1. Sign in to one of the following portals using credentials for an admin account in your Microsoft 365 organization:

  2. Go to the privacy risk management solution and select the Policies page.

  3. Select Create a policy.

  4. In the Custom box, select Create.

  5. On the Name and type page, select the Data overexposure policy template. Enter a policy name to help you easily identify it from your list on the Policies page, and enter an optional description, then select Next.

  6. On the Data sources page, select all the data sources that you want the policy to cover. Get details about choosing data sources.

    • Microsoft 365 data sources: Options are SharePoint sites and OneDrive accounts. Within SharePoint, you can designate all sites or specific sites. If you select Specific SharePoint sites, you can enter the site URL in the URL field. You can also select +Choose sites, then on the flyout pane, check the box to the left of the site name you want to select.

    • Multicloud data sources (preview): Options are Azure Storage, Azure SQL, and Amazon S3. Get details about selecting multicloud data sources when creating a policy.

    When you're done, select Next.

  7. On the Data to monitor page, choose the type of personal data you want your policy to monitor. There are two options:

    • Classification groups: Groupings of sensitive information types that are used to detect content related to personal data or specific regulations. If you select this option, you'll then need to select +Add classification groups to choose one or more groups from the list provided.

    • Sensitive information types or trainable classifiers: Select this option, then use the Add dropdown menu to select Sensitive info types or Trainable classifiers and choose from a searchable list. You can choose data types in both categories, and use the condition builder to define an AND or OR relationship between the types.

    Get more details about choosing data to monitor. When you're done selecting data to monitor, select Next.

  8. On the Users and groups page, choose which users in your organization the policy will apply to. You can select all individual users and all Office 365 distribution groups, or you can select specific users and groups. Learn more about choosing users and groups. When you're done, select Next.

  9. On the Conditions page, select which type of data overexposure condition the policy detects:

    • Public: Anyone with a link can access content.
    • External: Specific people outside the organization have access.
    • Internal: All users in your organization have access.

    Selecting more than one level of access widens the scope of the policy and can produce a significantly larger number of alerts and user notifications.

    Put a check in the box next to your choices, then select Next.

  10. On the Outcomes page, select the Send a notification email to users when a policy match occurs checkbox if you want to notify users when policy conditions are met. When the box is checked, you can preview and edit the email, then set the frequency and provide a link to privacy training. The remediation options in the emails are to Trash or Keep items whose data source is Teams, and Make private or Keep items whose data sources are SharePoint or OneDrive. Learn more about setting up and editing user notifications. When you're done defining outcomes, select Next.

  11. On the Alerts page, use the toggle switch to turn on alerts that an admin will see on the Alerts page in the Policies section of Privacy Risk Management. You designate how frequently alerts are generated, thresholds for matches before alerts are generated, and alert severity. Learn more about setting alerts for policy matches. When you're done, select Next.

  12. On the Mode page, choose which mode to put the policy in: Test it out first or Turn it on right away. In test mode, no alerts or notifications are sent. Learn more about recommendations and what to analyze when testing a policy. When you're done, select Next.

  13. On the Finish page, review your choices. Select Edit underneath any of the sections in order to adjust settings. When you're satisfied with your policy's settings, select Submit to create the policy.

After a few seconds, you'll see a confirmation that the policy was created. Select Done on the confirmation page, which will take you to the Policies page where you see the new policy at the top of the table.
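The way the choices in steps 7, 9 and 11 combine is easier to see in code. The following Python model is an added example, not Priva's implementation and not an API the product exposes: it maps constructed SharePoint/OneDrive sharing records onto the three exposure conditions, keeps only items that contain a monitored data type, and applies a per-user alert threshold and test mode. The tenant domain, the classification-group contents and the sample items are all assumptions made for the illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# The three overexposure conditions from the policy's Conditions page.
PUBLIC = "Public"       # anyone with the link can access the item
EXTERNAL = "External"   # specific people outside the organization have access
INTERNAL = "Internal"   # all users in the organization have access

ORG_DOMAIN = "contoso.com"   # assumed tenant domain for the constructed data

# Assumed membership of two classification groups (illustrative names only;
# the real groups map to many more sensitive information types).
CLASSIFICATION_GROUPS = {
    "US personally identifiable information": {"US SSN", "US ITIN"},
    "US Gramm-Leach-Bliley Act (GLBA)": {"Credit Card Number", "US Bank Account Number"},
}


@dataclass(frozen=True)
class SharedItem:
    path: str
    owner: str                    # user whose sharing is evaluated
    link_scope: Optional[str]     # "anonymous", "organization", "specific" or None
    grantees: tuple               # principals with direct permission on the item
    classifications: frozenset    # sensitive info types detected in the item


def is_external(principal: str) -> bool:
    """Guest or external account: a UPN outside the tenant domain."""
    return "@" in principal and not principal.lower().endswith("@" + ORG_DOMAIN)


def exposure_levels(item: SharedItem) -> set:
    """Map an item's sharing state onto the policy's exposure conditions."""
    levels = set()
    if item.link_scope == "anonymous":
        levels.add(PUBLIC)
    if item.link_scope == "organization" or "Everyone except external users" in item.grantees:
        levels.add(INTERNAL)
    if any(is_external(p) for p in item.grantees):
        levels.add(EXTERNAL)
    return levels


@dataclass
class OverexposurePolicy:
    conditions: set               # chosen subset of {PUBLIC, EXTERNAL, INTERNAL}
    classification_groups: set    # chosen groups, expanded to info types below
    users: Optional[set] = None   # None means the policy applies to all users
    alert_threshold: int = 1      # matches per user before an alert is raised
    test_mode: bool = True        # test mode: record matches, send nothing

    def monitored_types(self) -> set:
        return set().union(*(CLASSIFICATION_GROUPS[g] for g in self.classification_groups))

    def matches(self, items):
        types = self.monitored_types()
        hits = []
        for item in items:
            if self.users is not None and item.owner not in self.users:
                continue
            if not (item.classifications & types):
                continue          # no monitored personal data in the item
            levels = exposure_levels(item) & self.conditions
            if levels:
                hits.append((item, levels))
        return hits

    def evaluate(self, items):
        """Return (matches, users at or above the alert threshold, users notified)."""
        hits = self.matches(items)
        per_user = Counter(item.owner for item, _ in hits)
        alerted = {u for u, n in per_user.items() if n >= self.alert_threshold}
        notified = set() if self.test_mode else {item.owner for item, _ in hits}
        return hits, alerted, notified


# Constructed sharing state for five items (not real tenant data).
ITEMS = [
    SharedItem("/sites/HR/benefits.xlsx", "alice@contoso.com", "anonymous", (), frozenset({"US SSN"})),
    SharedItem("/personal/bob/contract.docx", "bob@contoso.com", "specific",
               ("partner@fabrikam.com",), frozenset({"Credit Card Number"})),
    SharedItem("/sites/Finance/payroll.csv", "alice@contoso.com", "organization", (),
               frozenset({"US Bank Account Number", "US SSN"})),
    SharedItem("/sites/Marketing/brochure.pdf", "carol@contoso.com", "anonymous", (), frozenset()),
    SharedItem("/sites/Legal/nda.docx", "bob@contoso.com", "specific",
               ("dana@contoso.com",), frozenset({"US SSN"})),
]


def demo():
    """A narrow policy (Public only, one group, test mode) beside a wide one."""
    narrow = OverexposurePolicy({PUBLIC}, {"US personally identifiable information"})
    wide = OverexposurePolicy({PUBLIC, EXTERNAL, INTERNAL}, set(CLASSIFICATION_GROUPS),
                              alert_threshold=2, test_mode=False)
    return narrow.evaluate(ITEMS), wide.evaluate(ITEMS)


if __name__ == "__main__":
    for label, (hits, alerted, notified) in zip(("narrow", "wide"), demo()):
        print(f"{label}: {len(hits)} matches, alerts for {sorted(alerted)}, notify {sorted(notified)}")
```

The wide policy matches three items where the narrow one matches one, which is the scope effect step 9 warns about; the publicly shared brochure never matches because it carries no monitored data type, and the NDA shared with a named internal colleague is not overexposed under any of the three conditions.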

Next steps

Visit Privacy Risk Management policies for details about how to edit and manage policies.
