I wanted to check: in DLP, Microsoft has default policy templates for US PII and HIPAA compliance. Are those templates proven? They contain a few out-of-the-box trainable classifiers with an AND condition for different sensitive info types.
Is it recommended to follow those conditions as defined in the default template if we are creating a custom policy?
Admittedly, the pre-built templates tend to be looking for a substantial amount of data that has to be met and this likely will lead to catching everything as desired, specifically due to the AND statement. I have found it best to maybe use these templates to identify the out-of-the-box SITs and Trainable Classifiers for a specific category like PII and then build my own custom policy based on the client and which of the data types they have in their environment. Hope this helps, but essentially, yes, I would recommend building a custom policy.