AD4.12 Module Summary
This module deployed the fourth layer of your security improvement sequence: data protection. With identity, email, and device controls securing access to your M365 environment, sensitivity labels and DLP policies now protect the data itself — classifying content by sensitivity, encrypting sensitive documents, preventing accidental external sharing, and providing an audit trail for every data handling decision.
You designed a four-label taxonomy (Public, Internal, Confidential, Highly Confidential) that users can choose between in 2 seconds. You created and published the labels with appropriate protection settings: visual marking for Public and Internal, encryption to internal users for Confidential, and user-specified encryption with Do Not Forward for Highly Confidential. Default labeling ensures every new document starts as "Internal" without user action. Mandatory labeling ensures no document can be saved or sent without a classification.
You tightened SharePoint external sharing from anonymous links (anyone with the URL can access) to authenticated sharing (external recipients must verify their identity). Sensitive sites — HR, Finance, Legal — have external sharing disabled entirely. Link expiration is set to 30 days. External resharing is blocked. The external sharing audit identified and removed stale access from former vendors and collaborators.
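A drift check for the sharing settings described above, as an added example that is not part of the course material. It assumes the SharePoint Online Management Shell module is installed; the tenant name and site URLs are placeholders. It covers the tenant sharing level, external resharing, and the three restricted sites, and does not check link expiration.

```powershell
# Added example. Requires the Microsoft.Online.SharePoint.PowerShell module.
# Placeholder values: replace "contoso" and the site paths with your own.
$AdminUrl = 'https://contoso-admin.sharepoint.com'
$RestrictedSites = @(
    'https://contoso.sharepoint.com/sites/HR',
    'https://contoso.sharepoint.com/sites/Finance',
    'https://contoso.sharepoint.com/sites/Legal'
)

Connect-SPOService -Url $AdminUrl

$findings = @()
$tenant = Get-SPOTenant

# Tenant level: ExternalUserAndGuestSharing is the only value that
# still allows anonymous ("Anyone with the link") sharing.
if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    $findings += "Tenant: anonymous links enabled (SharingCapability = $($tenant.SharingCapability))"
}

# Tenant level: external recipients must not be able to reshare.
if (-not $tenant.PreventExternalUsersFromResharing) {
    $findings += 'Tenant: external users are allowed to reshare content'
}

# Site level: HR, Finance and Legal must have external sharing off.
foreach ($url in $RestrictedSites) {
    $site = Get-SPOSite -Identity $url
    if ($site.SharingCapability -ne 'Disabled') {
        $findings += "Site $($url): sharing is $($site.SharingCapability), expected Disabled"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'Sharing configuration matches the baseline.'
} else {
    Write-Output "Sharing drift detected ($($findings.Count) finding(s)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The script only reads settings, so it can be run during the quarterly sharing review without changing the tenant.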
You built two DLP policies — Personal Data Protection and Financial Data Protection — that detect UK NINOs, credit card numbers, bank details, and other sensitive information types in outbound email and SharePoint sharing. The policies deployed in simulation mode for 2 weeks (measuring what would be blocked), then transitioned to policy tips (warning users without blocking), and finally to enforcement (blocking with override). Custom policy tip messages reference NE's data protection policy and provide override with justification logging. The override log creates a GDPR-compliant audit trail of data sharing decisions.
What you built
- Four sensitivity labels with protection (encryption, marking, restrictions)
- Publishing policy with default "Internal" and mandatory labeling
- SharePoint tenant sharing tightened to authenticated-only
- Site-level sharing disabled for HR, Finance, Legal
- DLP Policy 1: Personal Data Protection (NINO, credit card, passport)
- DLP Policy 2: Financial Data Protection (credit card bulk, bank account, SWIFT)
- Custom policy tip messages for both policies
- DLP override monitoring workflow
- Data protection monitoring cadence (weekly DLP, monthly labels, quarterly sharing)
- Complete four-section quarterly management report template
What changed at NE
NE's data protection posture moved from 1/10 to 7/10. 98% of documents are classified with sensitivity labels. Confidential documents are encrypted — unreadable outside the organization even if accidentally shared. DLP blocks external sharing of personal and financial data with user notification and override capability. Anonymous sharing links are disabled tenant-wide. The four-layer security program is complete: identity (99.9% of credential attacks blocked), email (60%+ phishing reduction), devices (100% encryption verified), data (classification + encryption + DLP enforcement). All four layers operate on the existing E3 license at zero additional cost, with a 30-45 minute weekly maintenance commitment.
What's next
Module AD5 covers security monitoring — building the structured weekly review that checks sign-in anomalies, email threats, device compliance, and DLP matches in a single 15-minute Monday morning routine. Module AD6 covers basic incident response — what to do when something gets through all four layers. Module AD7 covers security governance — the policies and procedures that formalize your security program. With the technical controls operational, the remaining modules build the operational cadence and governance framework that sustains the program long-term.
You're reading the free modules of M365 Security: From Admin to Defender