Identifying Sensitive Information in Plans


Are there any plans to support the Data Loss Prevention policies from O365 in Planner, i.e. if a user enters sensitive information in a task it should be findable by DLP.

5 Replies
Thanks for your question Dean. We're currently working through the plans for these security and compliance features. DLP is on our radar, but we plan to start with eDiscovery and Audit Logs first.

@Dean Gross If our PMO went big on Planner this would be something that concerned me. User education only goes so far, a bit of nudging/monitoring via config would be useful.

@Eray Chou Here is a scenario that needs to be addressed.

  1. A team member gets assigned a task to gather Patient records or Custom credit information.
  2. When they finish the task, they attach a file containing the sensitive data to the task.

DLP needs to let the compliance people know that this has occurred.

@Dean Gross Thanks for the clarification. I'll need to verify, but for this specific case (DLP for attachment content) it's possible that SharePoint's DLP support would kick in and detect this case. The DLP work we are investigating would then extend support to also include other Tasks fields -- for example, recording credit card numbers in the Task's description.

@Eray Chou You are correct, in my scenario, the File attached to the task gets put into SPO (which I forgot happened) so DLP will find it. Your scenario is better than mine and needs to be covered.