Comments (2)
After reviewing and testing the scenarios, I believe what happened here is that the agency had a rule in place that did use the block action. However, they had the policy set to test mode. In test mode, blocking actions are not performed even if the rule indicates that it is blocking (BlockAccess is true). So, technically speaking, the assessment is correct since the rule itself is set to block as indicated in the implementation guidance. However, the overall effect is that the policy is NOT blocking sharing of sensitive information even if the rule is set to do so as the policy itself would only generate a notification (at best).
Recommend we add code to the check that validates whether or not the policy is "On" (Mode is Enable) vs. test (TestingWithNotifications) or off and flag the check as failed if not on even if a blocking action is present in the rule. Ideally with feedback that the issue isn't in the rule, but in the policy configuration although that might be trickier to pull off.
from scubagear.
One of the big issues complicating this from a technical level is that the relevant policy bullet is stated as:
"The action for the DLP policy SHOULD be set to block sharing sensitive information with everyone when DLP conditions are met."
However, blocking actions are associated at the rule level, not the policy level, and a policy may contain multiple policies. At the policy level, the only control related to blocking is whether the policy is "Turn it on right away", "Keep it off", or set in "Test It Out First" mode.
A follow-on in the future would be to update the baseline policy to have two separate items... the existing item to make sure that rules include blocking actions and a separate SHOULD item that policies with blocking actions should have their mode set to On (as opposed to Off or Test) to ensure rule actions are taken.
from scubagear.
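The check proposed in the two comments above, sketched as an added example (not ScubaGear's own code): a policy passes only when it has a rule with BlockAccess set and its Mode is Enable, and the failure reason says whether the rule or the policy mode is at fault. The sample objects are constructed, and the property names Mode, BlockAccess and ParentPolicyName are assumed to match the output of Get-DlpCompliancePolicy and Get-DlpComplianceRule.

```powershell
# Constructed sample data (names are made up). Only the properties the check reads
# are modelled; they are assumed to match Get-DlpCompliancePolicy / Get-DlpComplianceRule.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'PII-Enforced'; Mode = 'Enable' }
    [pscustomobject]@{ Name = 'PII-Test';     Mode = 'TestWithNotifications' }
    [pscustomobject]@{ Name = 'PII-Audit';    Mode = 'Enable' }
)
$sampleRules = @(
    [pscustomobject]@{ Name = 'Block-SSN';  ParentPolicyName = 'PII-Enforced'; BlockAccess = $true }
    [pscustomobject]@{ Name = 'Block-ITIN'; ParentPolicyName = 'PII-Test';     BlockAccess = $true }
    [pscustomobject]@{ Name = 'Audit-SSN';  ParentPolicyName = 'PII-Audit';    BlockAccess = $false }
)

function Test-DlpBlockingEffective {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,
        [Parameter(Mandatory)] [object[]] $Rules
    )
    foreach ($policy in $Policies) {
        # Rule-level condition: at least one rule in this policy has a blocking action.
        $blocking = @($Rules | Where-Object {
            $_.ParentPolicyName -eq $policy.Name -and $_.BlockAccess -eq $true
        })
        $hasBlock = $blocking.Count -gt 0
        # Policy-level condition: any mode other than Enable (test or off) does not enforce.
        $enforced = $policy.Mode -eq 'Enable'
        $reason = if (-not $hasBlock) {
            'Rule issue: no rule in this policy has a blocking action'
        } elseif (-not $enforced) {
            "Policy issue: rule blocks, but policy mode is '$($policy.Mode)'"
        } else {
            'Blocking rule in an enforced policy'
        }
        [pscustomobject]@{
            Policy        = $policy.Name
            BlockingRules = $blocking.Name -join ', '
            Pass          = $hasBlock -and $enforced
            Reason        = $reason
        }
    }
}

Test-DlpBlockingEffective -Policies $samplePolicies -Rules $sampleRules | Format-Table -AutoSize
```

With the sample data, only PII-Enforced passes; PII-Test fails with the policy-mode reason even though its rule has BlockAccess set.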
Related Issues (20)
- Bug with MS.DEFENDER.2.2v1 - "Domain impersonation protection SHOULD be enabled for domains owned by the agency in both the standard and strict preset policies" HOT 1
- Bug with MS.DEFENDER.2.3v1 - "Domain impersonation protection SHOULD be added for important partners in both the standard and strict preset policies." HOT 1
- Defender functional tests fail due to timing/cache issues
- Defender functional test plan tests not configured correctly
- Teams product testing with ScubaGear on a GCCHIGH tenant throws a warning about 'invalid teams environment name for migration api'
- MS.SHAREPOINT.4.2v1 functional test fails in SPO mode for GCC high test tenant HOT 3
- Accessibility improvements to HTML reports
- Sharepoint 1.3 1.4 incorrectly produce Fail even when compliant under a specific condition and does not handle N/A HOT 1
- Enhance Sharepoint policy evaluation outputs for policies that are N/A under certain conditions HOT 1
- Modify Sharepoint so that the policies only execute when applicable and produce a consistent N/A message HOT 2
- MS.EXO.4.3v1 Reporting Failure / No option for config file to use other point of contact. HOT 1
- Update Repository Organization section of the readme
- Clarify that unmanaged user / skype access is not available in GCC
- Baseline Policy Enhancements, Part 1
- M365 Auditing Changes and Enhancements, Part 2 HOT 1
- Service Principal Security
- Refactor Test Cases
- Clean up sample config files
- Change from BITS to WebClient HOT 2
- MS.AAD.6.1 Does not account for federated domains HOT 5