Creating custom sensitive information types with exact data match (EDM) is a fundamental responsibility of an SC-400 Microsoft Information Protection Administrator. You can create custom sensitive information types based on your organizational needs, and then use these types in your Data Loss Prevention (DLP) policies, compliance policies, and more. This process is essential to classify, label, and protect sensitive data accurately.
Concept – Custom Sensitive Information Type
Sensitive Information Types in Microsoft 365 are entity definitions used to identify sensitive content. Microsoft 365 already provides many built-in types (e.g., credit card number, social security number), but organizations often need to define their own custom types to address specific needs.
Before creating a custom type, it’s important to understand the following components:
- Confidence level: a numerical value assigned to each pattern of the custom sensitive information type; it expresses how likely a match on that pattern is a true positive. Higher numbers indicate higher confidence.
- Character proximity: the maximum distance, in characters, allowed between two match conditions within the same text string for them to count as one match.
- Primary and secondary elements: primary elements are the entity types or patterns that must be found for a match. Secondary elements are optional patterns that, when found within the character proximity of the primary element, raise the confidence level of the match.
Working with Exact Data Match (EDM):
Exact data match (EDM) improves accuracy and reduces false positives when identifying sensitive data. Instead of relying only on a generic pattern, EDM identifies sensitive items by an exact match against the values in a data file that you provide.
When creating EDM sensitive information types, you will create a rule package, a policy, and a rule. The rule package binds the policy and rule.
Steps to Create the Custom Sensitive Information Type with EDM:
- Create a sensitive information type entity:
Start by creating a sensitive information type entity in the Security & Compliance Center. You need to configure the primary and secondary pattern detection rules.
Here is a PowerShell cmdlet example (Windows PowerShell syntax; in PowerShell 7 the -Encoding Byte parameter of Get-Content was replaced by -AsByteStream):
New-DlpSensitiveInformationTypeRulePackage -FileData (Get-Content -Path "C:\SensitiveInformationTypes\MySensitiveInfoType.xml" -Encoding Byte)
- Create an EDM schema:
The next step is to create your EDM schema that represents the sensitive information you want to identify.
Here is a PowerShell cmdlet example:
New-DlpEdmSchema -FileData (Get-Content -Path "C:\EDMSchemas\MyEDMSchema.xml" -Encoding Byte)
- Upload a data file to populate your EDM schema:
Finally, populate your EDM schema with the sensitive information you want to track.
Here is a PowerShell cmdlet example:
New-DlpEdmData -FileData (Get-Content -Path "C:\EDMData\MyEDMData.csv" -Encoding Byte)
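The XML that the schema and rule package cmdlets consume, as an added example that is not the article's own code: a minimal EDM schema and a rule package whose ExactMatch rule maps the primary element, secondary elements, character proximity and confidence levels from the concept section onto rule package attributes. It assumes an existing Connect-IPPSSession connection; the "PatientRecords" store, the GUIDs and the field names are hypothetical, and the schema is created first because the rule package's dataStore attribute must name an existing schema.

```powershell
# Added example, not the article's code. Assumes Connect-IPPSSession was run; "PatientRecords", GUIDs and field names are hypothetical.
# Step 1: EDM schema. Fields marked searchable can serve as the primary (idMatch) element.
$schemaXml = @'
<EdmSchema xmlns="http://schemas.microsoft.com/office/2018/edm">
  <DataStore name="PatientRecords" description="Patient master data" version="1">
    <Field name="PatientId" searchable="true" />
    <Field name="SSN" searchable="true" />
    <Field name="LastName" />
  </DataStore>
</EdmSchema>
'@
New-DlpEdmSchema -FileData ([System.Text.Encoding]::UTF8.GetBytes($schemaXml))
# Step 2: rule package. idMatch = primary element, Any/match = secondary elements, patternsProximity = character proximity, one confidence level per Pattern.
$rulePackXml = @'
<RulePackage xmlns="http://schemas.microsoft.com/office/2018/edm">
  <RulePack id="f6d2d1f2-2f5a-4c7b-9d1e-1a2b3c4d5e6f">
    <Version build="0" major="1" minor="0" revision="0" />
    <Publisher id="0a1b2c3d-4e5f-4a6b-8c7d-9e8f7a6b5c4d" />
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso</PublisherName>
        <Name>Contoso Patient EDM Rule Pack</Name>
        <Description>Exact match against the patient data store</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <ExactMatch id="a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d" patternsProximity="300" dataStore="PatientRecords" recommendedConfidence="65">
      <Pattern confidenceLevel="65"> <!-- an SSN from the store on its own: medium confidence -->
        <idMatch matches="SSN" classification="U.S. Social Security Number (SSN)" />
      </Pattern>
      <Pattern confidenceLevel="85"> <!-- same SSN plus its PatientId or LastName within 300 characters: high confidence -->
        <idMatch matches="SSN" classification="U.S. Social Security Number (SSN)" />
        <Any minMatches="1" maxMatches="2">
          <match matches="PatientId" />
          <match matches="LastName" />
        </Any>
      </Pattern>
    </ExactMatch>
    <LocalizedStrings>
      <Resource idRef="a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d">
        <Name default="true" langcode="en-us">Patient SSN (EDM)</Name>
        <Description default="true" langcode="en-us">Patient SSN found in the PatientRecords store</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
'@
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.Text.Encoding]::UTF8.GetBytes($rulePackXml))
```

The classification attribute names the built-in sensitive information type that pre-filters candidate values before the exact lookup; hashing and uploading the data file itself is a separate step performed with Microsoft's EDM Upload Agent, not with these two cmdlets.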
Summing Up:
Custom sensitive information types with EDM add a customized, high-confidence data protection layer. Because detection is based on exact matches against your own data, you can significantly reduce the possibility of false positives and improve accuracy. Roll out this top-tier data protection in your organization and see the difference.
Refer to the official Microsoft documentation to dive deeper into creating and managing custom sensitive information types. It covers the rules and tools you need to protect sensitive data across the Microsoft 365 environment.
Therefore, mastering the skill of creating custom sensitive information types with Exact Data Match (EDM) will be a key asset to any SC-400 Microsoft Information Protection Administrator.
Practice Test
The term “Exact Data Match” in Microsoft 365 refers to the technique of finding similar data without exact matching.
- a. True
- b. False
Answer: b. False
Explanation: The term “Exact Data Match” refers to the technique of finding and identifying only exactly matching data in Microsoft
Can the Exact Data Match (EDM) technique be used to create custom sensitive information types in Office 365?
- a. Yes
- b. No
Answer: a. Yes
Explanation: The EDM technique can indeed be used to create custom sensitive information types that accurately detect and protect your sensitive information.
To use the exact data match (EDM) classification method, you must first create a schema.
- a. True
- b. False
Answer: a. True
Explanation: The EDM classification method requires a user to first create a schema. This schema defines the structure of the table and the fields whose values are matched exactly against sensitive data.
EDM requires data to be fully uploaded into Microsoft Azure for it to be used.
- a. True
- b. False
Answer: a. True
Explanation: To implement EDM, your sensitive data must be uploaded into a Microsoft Azure storage account.
The custom sensitive information types created with EDM can be used in data loss prevention (DLP) policies.
- a. True
- b. False
Answer: a. True
Explanation: The custom sensitive information types that you create using EDM can indeed be used in DLP policies to better safeguard your sensitive data.
EDM-based classification is available only for data residing in Microsoft Cloud services.
- a. True
- b. False
Answer: b. False
Explanation: EDM-based classification can be used not only for data residing in Microsoft Cloud services, but also for on-premises data with Exchange.
A minimum of three columns is required to create an EDM Schema.
- a. True
- b. False
Answer: b. False
Explanation: Only two columns are mandatory to create an EDM Schema: the primary key and the sensitive information type.
The “DLP policy test mode” is useful for evaluating the impact of the EDM-based classification system without blocking user action.
- a. True
- b. False
Answer: a. True
Explanation: DLP policy test mode lets you understand the impact of the EDM-based classification system as it shows policy tips to users without blocking any content.
To utilize Exact Data Match (EDM) in Microsoft 365, the data you want to match must be hashed using SHA-
- a. True
- b. False
Answer: a. True
Explanation: The data to be utilized with EDM must be hashed using SHA- This ensures that the data is transferred securely.
The rule package for an EDM-based sensitive data type can be created using PowerShell.
- a. True
- b. False
Answer: a. True
Explanation: The rule package for an EDM-based sensitive data type can indeed be created using PowerShell. This allows for a more advanced and controlled setup.
Interview Questions
What is exact data match (EDM) used for in creating custom sensitive information types?
EDM is used to identify and protect sensitive items such as credit card numbers, which might be part of a structured database.
How can you create a custom sensitive information type with EDM?
To create a custom sensitive information type with EDM, you can use the Microsoft 365 compliance center or PowerShell.
What is the first step in creating an EDM based sensitive information type?
The first step is to create a schema for the sensitive data you want to cover, which outlines the type of data to be included.
What is the purpose of the Sensitive Info Type Policy rule in EDM?
The Sensitive Info Type Policy rule is used to define how a match is detected by specifying the condition and action.
How can EDM-based sensitive information types help meet compliance requirements?
They help organizations to discover, monitor, and protect sensitive data throughout their workflow, thus meeting regulatory compliance requirements.
What type of data can be used to create an EDM rule package?
The data should typically be structured and often originates from databases, for example credit card numbers, health service patient numbers and social security numbers.
What is the purpose of configuring a data loss prevention (DLP) policy with your sensitive information types?
DLP policy helps to prevent accidental data leakage by tracking sensitive data and restricting how this data is accessed and transmitted.
Can you edit the custom sensitive information types after they have been created?
Yes, you can edit them as your regulatory compliance requirements change.
What is the role of the “Confidence Level” when defining the Sensitive Info Type Policy Rule in EDM?
A Confidence level helps determine how close the match has to be. The higher the confidence level, the more precise the match has to be.
How can I prioritize rules when creating a sensitive information type with EDM?
When creating a sensitive information type with EDM, rules can be prioritized by setting the “Order of Evaluation for Rules” in the “testMatch” function in PowerShell.
Can Microsoft 365 Information Protection and Governance auto-label sensitive information types based on EDM?
Yes, if you have a policy configured, it can auto-label files that match your sensitive information type based on EDM.
What is the maximum size of a data table that can be uploaded for EDM?
The maximum size of a data table that can be uploaded is 5 GB.
Can I use more than one field in the schema when creating a sensitive information type with EDM?
Yes, you can use one or more fields in the schema depending upon your requirement.
How to validate created custom sensitive information types with EDM?
You can validate them by testing and tuning policy rules against the content in your organization using Configuration Analyzer.
Do I need a specific license to create custom sensitive information types with EDM?
Yes, you need Office 365 E5 or Office 365 Advanced Compliance add-on license.