💡 Summary

For the Emerald release, only these EXO policies still have a mix of Shall/Should Policies. No other policies in the baselines currently have a mix of Shall/Should in one policy statement. These policies are also Defender mirrored policies that have Rego code that only have the */Not-Implemented tests.

This issue is to break up these polices into separate Shall/Should policies for consistency with the other baseline policies. This includes the necessary updates to EXO and Defender.

• MS.EXO.8.1v1
  • A DLP solution SHALL be used. The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft.
• MS.EXO.8.2v1
  • The DLP solution SHALL protect PII and sensitive information, as defined by the agency. At a minimum, the sharing of credit card numbers, Taxpayer Identification Numbers (TIN), and Social Security Numbers (SSN) via email SHALL be restricted.
• MS.EXO.9.1v1
  • Emails SHALL be filtered by the file types of included attachments. The selected filtering solution SHOULD offer services comparable to Microsoft Defender's Common Attachment Filter.
• MS.EXO.9.3v1
  • Disallowed file types SHALL be determined and set. At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe).
• MS.EXO.14.1v1
  • A spam filter SHALL be enabled. The filtering solution selected SHOULD offer services comparable to the native spam filtering offered by Microsoft.

Motivation and context

For consistency with other baseline policy statements.

Implementation notes

• Updates to these policies to split up the shall and shoulds
• Updates to the old rationale and the new rationale for these policies.
• Updates to the rego and unit tests to capture these new policies.

Acceptance criteria

How do we know when this work is done?

• When the above policy statements are separated both in policy and in the document.