diff --git a/src/powershell/tests/Test-Assessment.35030.md b/src/powershell/tests/Test-Assessment.35030.md
new file mode 100644
index 000000000..7ffc45f8e
--- /dev/null
+++ b/src/powershell/tests/Test-Assessment.35030.md
@@ -0,0 +1,34 @@
+Data Loss Prevention (DLP) policies protect sensitive information by monitoring, detecting, and preventing the sharing of confidential data across Microsoft 365 workloads including Exchange Online, SharePoint Online, OneDrive, and Microsoft Teams.
+
+When DLP policies are not enabled or configured, organizations lack automated controls to prevent accidental or intentional disclosure of sensitive information such as credit card numbers, social security numbers, financial data, or proprietary information. Without active DLP policies, employees can freely share sensitive content through email, file uploads, or team communications without organizational oversight, increasing the risk of data breaches, regulatory violations (GDPR, HIPAA, PCI-DSS), and reputational damage.
+
+Enabling and configuring at least one DLP policy ensures organizations have automated detection and response capabilities for sensitive data, reducing the risk of unauthorized data exfiltration and demonstrating compliance readiness to regulators and auditors.
+
+**Remediation action**
+
+To create and enable DLP policies:
+
+1. Sign in as a Global Administrator or Compliance Administrator to the [Microsoft Purview portal](https://purview.microsoft.com)
+2. Navigate to Data Loss Prevention > Policies
+3. Select "+ Create policy" to start a new DLP policy
+4. Choose a template (Financial data, Health data, Privacy, Custom, etc.) or create a custom policy
+5. Define sensitive information types (SITs) to detect (credit card numbers, SSN, bank account numbers, etc.)
+6. Configure rule conditions (locations, conditions for detection, scope)
+7. Set enforcement actions (notify users, restrict access, block sharing, etc.)
+8. Choose enforcement mode:
+ - Test mode (audit-only): Monitors but does not block activities
+ - Enforce mode: Blocks activities matching policy rules
+9. Enable the policy and deploy to workloads (Exchange, SharePoint, OneDrive, Teams)
+10. Monitor DLP alerts and adjust rules as needed
+
+Alternatively, create via PowerShell:
+1. Connect to Exchange Online: `Connect-ExchangeOnline`
+2. Create a policy: `New-DlpCompliancePolicy -Name "Sensitive Data Protection" -Mode "Enforce"`
+3. Add rules to the policy: `New-DlpComplianceRule -Name "Block SSN" -Policy "Sensitive Data Protection"`
+4. Enable and test: `Get-DlpCompliancePolicy | Select-Object -Property Name, Enabled`
+
+- [Create and configure DLP policies](https://learn.microsoft.com/en-us/purview/dlp-create-deploy-policy)
+- [DLP policy templates](https://learn.microsoft.com/en-us/purview/dlp-policy-templates)
+- [DLP Compliance Rules](https://learn.microsoft.com/en-us/powershell/module/exchange/new-dlpcompliancerule)
+
+%TestResult%
diff --git a/src/powershell/tests/Test-Assessment.35030.ps1 b/src/powershell/tests/Test-Assessment.35030.ps1
new file mode 100644
index 000000000..6c53d5467
--- /dev/null
+++ b/src/powershell/tests/Test-Assessment.35030.ps1
@@ -0,0 +1,122 @@
+<#
+.SYNOPSIS
+ Data Loss Prevention (DLP) Policies
+
+.DESCRIPTION
+ Data Loss Prevention (DLP) policies protect sensitive information by monitoring, detecting, and preventing the sharing of confidential data across Microsoft 365 workloads including Exchange Online, SharePoint Online, OneDrive, and Microsoft Teams.
+ When DLP policies are not enabled or configured, organizations lack automated controls to prevent accidental or intentional disclosure of sensitive information such as credit card numbers, social security numbers, financial data, or proprietary information. Without active DLP policies, employees can freely share sensitive content through email, file uploads, or team communications without organizational oversight, increasing the risk of data breaches, regulatory violations (GDPR, HIPAA, PCI-DSS), and reputational damage. Enabling and configuring at least one DLP policy ensures organizations have automated detection and response capabilities for sensitive data, reducing the risk of unauthorized data exfiltration and demonstrating compliance readiness to regulators and auditors.
+
+.NOTES
+ Test ID: 35030
+ Pillar: Data
+ Risk Level: High
+#>
+
+function Test-Assessment-35030 {
+ [ZtTest(
+ Category = 'Data Loss Prevention (DLP)',
+ ImplementationCost = 'Medium',
+ MinimumLicense = ('Microsoft 365 E3'),
+ Pillar = 'Data',
+ RiskLevel = 'High',
+ SfiPillar = 'Protect tenants and production systems',
+ TenantType = ('Workforce'),
+ TestId = 35030,
+ Title = 'DLP Policies Enabled',
+ UserImpact = 'Medium'
+ )]
+ [CmdletBinding()]
+ param()
+
+ #region Data Collection
+ Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose
+
+ $activity = 'Checking Data Loss Prevention Policies'
+ Write-ZtProgress -Activity $activity -Status 'Querying DLP policies from compliance center'
+
+ $dlpPolicies = $null
+ $dlpPoliciesDetailed = $null
+ $enabledPoliciesCount = 0
+ $errorMsg = $null
+
+ try {
+ # Q1: Get all DLP policies in the organization
+ $dlpPolicies = Get-DlpCompliancePolicy -ErrorAction Stop
+
+ # Q2: Get details on DLP policy status and rule count
+ $dlpPoliciesDetailed = $dlpPolicies | Select-Object -Property Name, Enabled, WhenCreatedUTC, WhenChangedUTC
+
+ # Q3: Count enabled vs disabled DLP policies
+ $enabledPoliciesCount = @($dlpPolicies | Where-Object Enabled).Count
+ }
+ catch {
+ $errorMsg = $_
+ Write-PSFMessage "Error querying DLP policies: $_" -Level Error
+ }
+ #endregion Data Collection
+
+ #region Assessment Logic
+ $investigateFlag = $false
+ $passed = $false
+
+ if ($errorMsg) {
+ $investigateFlag = $true
+ }
+ else {
+ # If enabled policy count >= 1, the test passes
+ if ($enabledPoliciesCount -ge 1) {
+ $passed = $true
+ }
+ else {
+ # No policies exist or all policies are disabled
+ $passed = $false
+ }
+ }
+ #endregion Assessment Logic
+
+ #region Report Generation
+ $testResultMarkdown = ""
+
+ if ($investigateFlag) {
+ $testResultMarkdown = "⚠️ Unable to determine DLP policy status due to permissions issues or service connection failure.`n`n"
+ }
+ else {
+ if ($passed) {
+ $testResultMarkdown = "✅ One or more DLP policies are enabled and configured, providing automated protection against sensitive data disclosure.`n`n"
+ }
+ else {
+ $testResultMarkdown = "❌ No DLP policies are enabled or no DLP policies exist in the organization.`n`n"
+ }
+
+ $testResultMarkdown += "## Data Loss Prevention Policy Summary`n`n"
+ $testResultMarkdown += "**Total DLP Policies:** $($dlpPolicies.Count)`n`n"
+ $testResultMarkdown += "**Enabled Policies:** $enabledPoliciesCount`n`n"
+
+ if ($dlpPoliciesDetailed.Count -gt 0) {
+ $testResultMarkdown += "### DLP Policies Configuration`n`n"
+ $testResultMarkdown += "| Policy Name | Enabled Status | Created Date | Last Modified Date |`n"
+ $testResultMarkdown += "| :--- | :--- | :--- | :--- |`n"
+
+ foreach ($policy in $dlpPoliciesDetailed) {
+ $enabledStatus = if ($policy.Enabled) { "✅ Yes" } else { "❌ No" }
+ $createdDate = if ($policy.WhenCreatedUTC) { $policy.WhenCreatedUTC.ToString('yyyy-MM-dd') } else { "N/A" }
+ $modifiedDate = if ($policy.WhenChangedUTC) { $policy.WhenChangedUTC.ToString('yyyy-MM-dd') } else { "N/A" }
+ $testResultMarkdown += "| $($policy.Name) | $enabledStatus | $createdDate | $modifiedDate |`n"
+ }
+ $testResultMarkdown += "`n"
+ }
+ }
+
+ $testResultMarkdown += "[View DLP Policies in Microsoft Purview Portal](https://purview.microsoft.com/datalossprevention/policies)`n"
+ #endregion Report Generation
+
+ $params = @{
+ TestId = '35030'
+ Status = $passed
+ Result = $testResultMarkdown
+ }
+ if ($investigateFlag -eq $true) {
+ $params.CustomStatus = 'Investigate'
+ }
+ Add-ZtTestResultDetail @params
+}
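Review bot: The pass condition driven by `$enabledPoliciesCount = @($dlpPolicies | Where-Object Enabled).Count` treats a policy that is enabled but still in test (audit-only) mode as protection, so a tenant whose only DLP policies never block anything passes a check titled "DLP Policies Enabled" even though the companion remediation text distinguishes test from enforce mode. If the returned policy objects expose the `Mode` property that `New-DlpCompliancePolicy -Mode` sets (please confirm the enforcing value against the cmdlet documentation), select it next to Enabled, add a "Mode" column to the configuration table, and report enforcement separately, e.g. `$enforcedPoliciesCount = @($dlpPolicies | Where-Object { $_.Enabled -and $_.Mode -eq 'Enable' }).Count` surfaced as `"**Enforcing Policies:** $enforcedPoliciesCount"` in the summary so a reader can tell whether any policy is actually blocking. The Q2 comment promises a "rule count" but no rule-related property is selected; either select one or reword it to `# Q2: Project name, enabled state and timestamps for the report table`. The report also reads `$dlpPolicies.Count` and `$dlpPoliciesDetailed.Count` unwrapped while Q3 wraps in `@()`; use `@($dlpPolicies).Count` and `@($dlpPoliciesDetailed).Count` so a single returned policy or `$null` under strict mode does not break the summary.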