Plaidnox InfoSec
PLX-2025-027 | Confidential
Data Protection | Microsoft Purview DLP | 3 of 5 Policy Sets Missing

DLP Gap Analysis
[REDACTED]

Data loss prevention gap analysis for [REDACTED] covering data classification maturity, Microsoft Purview DLP policy coverage across M365 and endpoint, and sensitive data exposure risks. Engagement ref. ENG-2025-0565.

Report ID: PLX-2025-027
Client: [REDACTED]
DLP Coverage: 2 of 5 policy sets
Assessed: Q1 2025

01 . Overview

DLP Gap Analysis Summary

Plaidnox conducted a data protection gap analysis for [REDACTED], reviewing data classification coverage, Microsoft Purview DLP policies across Exchange, SharePoint, OneDrive, Teams, and endpoint, and sensitive data inventory. Only 2 of 5 required policy sets are active, and data classification labels are applied to fewer than 12% of documents in the SharePoint environment.

The most critical finding is 22 unclassified SharePoint site collections containing personally identifiable information (PII) for clients and staff: these 22 sites have no DLP policy applied and no sensitivity label, meaning any licensed user can download or share all of their content without restriction.

02 . Data Inventory

Sensitive data exposure assessment

Total documents: 847K
Classified: 12%
Unprotected PII sites: 22
DLP policy sets active: 2/5

Workload                | DLP Policy | Classification | Risk
Exchange Online (Email) | Active     | N/A            | Medium
SharePoint Sites        | Missing    | 12% labelled   | Critical
OneDrive for Business   | Missing    | 8% labelled    | Critical
Microsoft Teams         | Active     | N/A            | Low
Endpoint (Windows)      | Missing    | N/A            | High

03 . DLP Policy Gaps

Priority findings

ID      | Finding                                                                                                              | Priority
DLP-G01 | 22 SharePoint site collections with PII have no DLP policy or sensitivity label; full exfiltration risk               | Critical
DLP-G02 | No SharePoint/OneDrive DLP policy; files containing SINs, DOBs, and legal case data can be shared externally undetected | Critical
DLP-G03 | No endpoint DLP; USB transfer and unmanaged browser upload of sensitive files not blocked or audited                  | High
DLP-G04 | 88% of documents unlabelled; auto-labelling policies not deployed, classification is manual only                      | High
DLP-G05 | No DLP alert routing; existing Exchange/Teams DLP violations not routed to security team for review                  | Medium

04 . Remediation Roadmap

DLP implementation plan

Action                                                                                                        | Timeline | Owner
Apply Confidential sensitivity label to all 22 PII SharePoint sites; block external sharing                   | Wk 1     | IT / Plaidnox
Deploy Purview auto-labelling policies for PII, legal privilege, and financial data across SharePoint/OneDrive | Wk 1-4   | Plaidnox
Create DLP policies for SharePoint and OneDrive; block sharing of labelled content externally                 | Wk 2-5   | Plaidnox
Enable endpoint DLP; block USB transfer and unmanaged cloud upload of Confidential+ files                     | Wk 3-6   | Plaidnox / IT
Configure DLP alert routing to SIEM / SOC mailbox; set SLA for violation review                               | Wk 4-8   | Plaidnox
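As an added illustration of the week 2-5 and week 4-8 actions above (example code written for this edit, not Plaidnox's or the client's own tooling), the SharePoint/OneDrive DLP policy expressed in Security & Compliance PowerShell. It assumes the ExchangeOnlineManagement module, a Compliance Administrator account, an existing "Confidential" sensitivity label, and a placeholder SOC mailbox; the policy and rule names are likewise assumed.

```powershell
# Added example, not from the Plaidnox report. Assumes the ExchangeOnlineManagement
# module is installed, the operator holds the Compliance Administrator role, and the
# "Confidential" sensitivity label and SOC mailbox below exist (placeholder values).
Connect-IPPSSession

$PolicyName = 'SPO-ODB Block External Sharing of Confidential'   # assumed name
$SocMailbox = 'soc@example.invalid'                              # placeholder recipient

# 1. Policy scoped to SharePoint and OneDrive only (addresses DLP-G02).
#    Start in test mode with notifications: policy tips fire, nothing is blocked yet,
#    so false positives surface before enforcement.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment 'Remediation for DLP-G02: labelled content must not leave the organisation' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. Rule condition: the item carries the Confidential sensitivity label.
$LabelCondition = @{
    operator = 'And'
    groups   = @(
        @{
            operator = 'Or'
            name     = 'Default'
            labels   = @(@{ name = 'Confidential'; type = 'Sensitivity' })
        }
    )
}

# Block access when such an item is shared outside the organisation, tell the owner
# and last modifier why, and send an incident report to the SOC mailbox (DLP-G05).
New-DlpComplianceRule -Name "$PolicyName - Block" -Policy $PolicyName `
    -ContentContainsSensitiveInformation $LabelCondition `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This file is labelled Confidential and cannot be shared externally.' `
    -GenerateIncidentReport $SocMailbox `
    -IncidentReportContent All `
    -ReportSeverityLevel High

# 3. Confirm the scope and mode before the test window starts.
Get-DlpCompliancePolicy -Identity $PolicyName |
    Format-List Name, Mode, SharePointLocation, OneDriveLocation

# 4. Once the test window has been reviewed with the SOC, switch to enforcement.
# Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
```

The label condition only matches items that already carry the label, so this rule depends on the week 1 manual labelling and the week 1-4 auto-labelling actions having run first.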

Conclusion

22 unprotected PII sites represent an immediate GDPR and SRA regulatory exposure

[REDACTED] handles client PII and legally privileged material subject to GDPR, the SRA Code of Conduct, and Legal Professional Privilege obligations. 22 SharePoint sites containing PII with no DLP policy and no sensitivity label represent an active data exfiltration risk that could trigger ICO enforcement, SRA investigation, and client trust damage. Applying labels to these sites and deploying SharePoint/OneDrive DLP are the two immediate actions required before any other DLP work proceeds.
Plaidnox InfoSec | DLP
Confidential | Authorised Distribution Only