Tutorial / Cram Notes
Sensitive information types in Microsoft 365 help you identify and protect sensitive items across your organization’s Office applications and services. These can include credit card numbers, bank account details, social security numbers, and more. By creating and managing custom sensitive information types, Information Protection Administrators can tailor data identification and protection to the unique needs of their organization, far beyond the pre-built sensitive information types provided out of the box.
When creating a custom sensitive information type, administrators can define patterns using matching elements such as keywords, regular expressions (Regex), date formats, and function-based validations. These elements work together to identify the sensitive information accurately.
Steps to Create a Custom Sensitive Information Type
Creating a custom sensitive information type involves defining its components and properties in the Microsoft 365 compliance center or using PowerShell. Here’s an overview of the process:
- Navigate to the Microsoft 365 compliance center:
- Go to the Microsoft 365 compliance center and sign in.
- Select ‘Data classification’ > ‘Sensitive info types’.
- Click on ‘Create’.
- Define the name and description:
- Enter a name for your sensitive information type and provide a description that helps identify its use.
- Set up the pattern:
- Add elements that make up the pattern, such as keywords, Regex, or functions.
- The platform allows you to combine these elements with logical operators (like AND/OR) to increase accuracy.
- Configure the confidence level:
- Specify a confidence level to reduce false positives. A higher confidence level means stricter matching criteria.
- Test your custom sensitive information type:
- Use real data (that has been adequately anonymized) to test the accuracy of your custom type.
- Adjust the elements as needed based on the test results.
- Publish the custom sensitive information type:
- Once you are satisfied with the configuration, click ‘Create’ to make the type available for use.
Example Scenario
Consider a scenario where a company needs to protect its proprietary project codes, which consist of the word “Project” followed by a six-digit number. An administrator might create a custom sensitive information type with these specifications:
- Keyword list: Contains “Project”
- Regular expression: Matches a pattern similar to “Project \d{6}”
- Confidence level: Might be set to 85% to ensure that general references to projects without specific codes are not flagged.
Managing Custom Sensitive Information Types
After creating custom sensitive information types, you can manage them effectively by:
- Reviewing Matches: Regularly review how the custom types are matching content across your environment. If necessary, refine the patterns or confidence levels to improve accuracy.
- Updating Definitions: When organizational requirements change, update your custom sensitive information types to reflect these changes.
- Maintaining Documentation: Keep detailed documentation of all custom sensitive information types and their intended use cases for reference and compliance purposes.
- Training and Notifications: Train end-users about the types of sensitive information your organization classifies and what they should do if they encounter a potential breach or false positive.
Comparison with Built-in Sensitive Information Types
| Aspect | Custom Sensitive Information Types | Built-in Sensitive Information Types |
|---|---|---|
| Customization | Highly customizable patterns and matching requirements. | Pre-defined and not customizable, except sometimes in confidence level or additional context. |
| Deployment Time | May take some time to create and fine-tune based on the organization’s specific needs. | Instantly available for use without initial setup. |
| Maintenance | Requires ongoing maintenance to ensure accuracy. | Maintained by Microsoft, with updates for increased efficacy and additional types. |
| Relevance to Organization | Tailored to the unique data elements and patterns specific to an organization. | Designed to meet common data protection standards and laws globally. |
Creating and managing custom sensitive information types is a key responsibility for Microsoft Information Protection Administrators. Custom types enable precise control over data protection efforts, but they require a strategic approach to ensure they are effectively identifying and safeguarding critical information across the organization’s digital estate.
Practice Test with Explanation
True/False: In Microsoft 365, you can create custom sensitive information types only through the Compliance Center UI.
- False
Custom sensitive information types can be created through the UI in Microsoft 365 Compliance Center, but they can also be created and managed using PowerShell.
True/False: Custom sensitive information types cannot be tested before being deployed.
- False
Custom sensitive information types can be tested using the test option in the UI or via PowerShell cmdlets before being deployed to ensure they meet the required criteria.
Multiple Select: Which of the following can be included when defining a custom sensitive information type?
- A) Keywords
- B) Regular expressions
- C) Confidence levels
- D) Data loss prevention policies
Answer: A, B, C
A custom sensitive information type can include keywords, regular expressions, and confidence levels as part of its definition. Data loss prevention (DLP) policies can use sensitive information types but are not included in their definition.
Single Select: What PowerShell cmdlet is used to create a new custom sensitive information type?
- A) New-DlpSensitiveInformationType
- B) Create-SensitiveInfoType
- C) New-SensitiveInformationType
- D) Set-SensitiveInfoType
Answer: C) New-SensitiveInformationType
The New-SensitiveInformationType PowerShell cmdlet is used to create a new custom sensitive information type.
True/False: Once a custom sensitive information type is created, it cannot be edited.
- False
Custom sensitive information types can be edited after being created, allowing administrators to refine or update the conditions and properties of the type.
Single Select: Which component is NOT required when creating a custom sensitive information type?
- A) Name
- B) Description
- C) Publisher
- D) Primary element
Answer: C) Publisher
Publisher is not a required field when creating a custom sensitive information type. Name, description, and primary element (like a regex) are required components.
Single Select: Where do you configure custom sensitive information types in the Microsoft 365 Compliance Center?
- A) Data classification section
- B) Information governance section
- C) Permissions section
- D) Audit section
Answer: A) Data classification section
Custom sensitive information types can be managed and configured within the Data classification section of the Microsoft 365 Compliance Center.
True/False: Custom sensitive information types can only be created by global administrators in Microsoft
- False
While global administrators can create custom sensitive information types, other roles with the appropriate permissions, such as the compliance data administrator, can also create and manage them.
Multiple Select: Custom sensitive information types allow you to define which of the following?
- A) Character proximity
- B) Dictionary
- C) Pre-defined functions
- D) Minimum count
Answer: A, B, D
Custom sensitive information types allow you to define character proximity, use a dictionary and set minimum counts for matches. Pre-defined functions are not something you define; they are provided by Microsoft.
Single Select: How can you improve the accuracy of a custom sensitive information type?
- A) Increasing the sample size
- B) Adding supporting elements like a keyword dictionary
- C) Deploying it immediately
- D) Only using regular expressions
Answer: B) Adding supporting elements like a keyword dictionary
Adding supporting elements such as a keyword dictionary or additional regular expressions can improve the accuracy of a custom sensitive information type. Sample size and deployment are not related to defining accuracy, and using only regular expressions may not be sufficient for complex requirements.
True/False: Custom sensitive information types are supported in only some of the Microsoft 365 services such as Exchange Online and SharePoint Online.
- False
Custom sensitive information types are supported across various Microsoft 365 services, including Exchange Online, SharePoint Online, OneDrive for Business, and Teams.
Single Select: Which attribute can NOT be used for creating a custom sensitive information type?
- A) Date
- B) Confidence level
- C) File extensions
- D) Content contains patterns
Answer: C) File extensions
Custom sensitive information types are defined based on the content of files, such as dates, confidence levels, and pattern recognition, not on the file extensions. File extensions are used for different types of policies and controls, not for defining sensitive information types.
Interview Questions
What are custom sensitive information types in Microsoft 365’s Information Protection feature?
Custom sensitive information types are a way for organizations to create their own sensitive information types that are specific to their needs.
Why would an organization need to create a custom sensitive information type?
An organization would need to create a custom sensitive information type if they store and process sensitive information that is not covered by the predefined sensitive information types provided by Microsoft 365.
What are the steps to create a custom sensitive information type?
The steps to create a custom sensitive information type involve signing in to the Microsoft 365 Compliance center, selecting “Create a sensitive information type,” defining the conditions that trigger the classification of the sensitive information type, testing the new sensitive information type, saving it, and publishing it.
How can custom sensitive information types help improve compliance?
Custom sensitive information types can help organizations ensure compliance with regulatory requirements for the protection of sensitive information.
How can custom sensitive information types help reduce the risk of data breaches and security incidents?
By identifying and managing sensitive information, organizations can reduce the risk of data breaches, security incidents, and data loss.
What are some tips for managing custom sensitive information types?
Tips for managing custom sensitive information types include reviewing them regularly, modifying or deleting them when they are no longer needed, updating the conditions that trigger the classification of sensitive information types, training employees on their use, and monitoring their effectiveness.
How can employees be trained on the use of custom sensitive information types?
Employees can be trained on the use of custom sensitive information types through workshops, online training, and regular communication.
Can custom sensitive information types be used in data loss prevention policies?
Yes, custom sensitive information types can be used in data loss prevention policies to identify and control the flow of sensitive information within an organization.
What are some examples of custom sensitive information types an organization might create?
Examples of custom sensitive information types an organization might create include project-specific information, employee health records, or proprietary company data.
What is the difference between a predefined sensitive information type and a custom sensitive information type?
A predefined sensitive information type is a prebuilt definition of a specific type of sensitive information, while a custom sensitive information type is a definition created by an organization to address specific sensitive information they store and process.
Can custom sensitive information types be shared with other organizations?
Yes, custom sensitive information types can be exported and imported to be shared with other organizations.
What are the benefits of custom sensitive information types?
The benefits of custom sensitive information types include improved compliance, reduced risk of data breaches and security incidents, and improved data loss prevention.
Can custom sensitive information types be modified after they have been created?
Yes, custom sensitive information types can be modified after they have been created to reflect changes to the organization’s data.
How can the effectiveness of custom sensitive information types be monitored?
The effectiveness of custom sensitive information types can be monitored through regular audits and assessments.
Can custom sensitive information types be used in conjunction with third-party applications?
Yes, custom sensitive information types can be used in conjunction with third-party applications to classify and protect sensitive information.
Great blog post! Helped me understand managing custom sensitive information types for the SC-400 exam.
Very informative. Especially liked the section on creating custom types from scratch.
How do you handle false positives when identifying custom sensitive information types?
Thanks for the details. Helped me pass the SC-400 exam!
Didn’t find the explanation very clear on importing custom sensitive information types.
Can someone explain the use of Confidence Levels in custom sensitive information types?
Appreciate the step-by-step guide. Exactly what I needed.
Is it possible to use scripts to automate the creation of custom sensitive information types?