Document Fingerprinting

Information workers in your organization handle many kinds of sensitive information during a typical day. Document Fingerprinting makes it easier for you to protect this information by identifying standard forms that are used throughout your organization. This topic describes the concepts behind Document Fingerprinting. If you'd like to learn how to create a document fingerprint, see Protect form data with document fingerprinting.

Basic scenario for Document Fingerprinting

Document Fingerprinting is a Data Loss Prevention (DLP) feature that converts a standard form into a sensitive information type, which you can use to define transport rules and DLP policies. For example, you can create a document fingerprint based on a blank patent template and then create a DLP policy that detects and blocks all outgoing patent templates with sensitive content filled in. Optionally, you can set up Policy Tips to notify senders that they might be sending sensitive information, and the sender should verify that the recipients are qualified to receive the patents. This process works with any text-based forms used in your organization. Additional examples of forms that you can upload include:

  • Government forms

  • Health Insurance Portability and Accountability Act (HIPAA) compliance forms

  • Employee information forms for Human Resources departments

  • Custom forms created specifically for your organization

Ideally, your organization already has an established business practice of using certain forms to transmit sensitive information. After you upload an empty form to be converted to a document fingerprint and set up a corresponding policy, the DLP agent will detect any documents in outbound mail that match that fingerprint.

How Document Fingerprinting works

You've probably already guessed that documents don't have actual fingerprints, but the name helps explain the feature. In the same way that a person's fingerprints have unique patterns, documents have unique word patterns. When you upload a file, the DLP agent identifies the unique word pattern in the document, creates a document fingerprint based on that pattern, and uses that document fingerprint to detect outbound documents containing the same pattern. That's why uploading a form or template creates the most effective type of document fingerprint. Everyone who fills out a form uses the same original set of words and then adds his or her own words to the document. As long as the outbound document isn't password protected and contains all the text from the original form, the DLP agent can determine if the document matches the document fingerprint.

The following example shows what happens if you create a document fingerprint based on a patent template, but you can use any form as a basis for creating a document fingerprint.

Example of a patent document matching a document fingerprint of a patent template

A patent document that matches the document fingerprint.

The patent template contains the blank fields "Patent title," "Inventors," and "Description" and descriptions for each of those fields—that's the word pattern. When you upload the original patent template, it's in one of the supported file types and in plain text. The DLP agent uses an algorithm to convert this word pattern into a document fingerprint, which is a small Unicode XML file containing a unique hash value representing the original text, and the fingerprint is saved as a data classification in Active Directory. (As a security measure, the original document itself isn't stored on the service; only the hash value is stored, and the original document can't be reconstructed from the hash value.)

The patent fingerprint then becomes a sensitive information type that you can associate with a DLP policy. After you associate the fingerprint with a DLP policy, the DLP agent detects any outbound emails containing documents that match the patent fingerprint and deals with them according to your organization's policy. For example, you might want to set up a DLP policy that prevents regular employees from sending outgoing messages containing patents. The DLP agent will use the patent fingerprint to detect patents and block those emails.

Alternatively, you might want to let your legal department send patents to other organizations because it has a business need for doing so. You can allow specific departments to send sensitive information by creating exceptions for those departments in your DLP policy, or you can allow them to override a policy tip with a business justification. For more detailed information about creating DLP policy rules and exceptions, see DLP Procedures, and to learn more about setting up policy tips that users can override, see Manage policy tips.

Supported file types

Document Fingerprinting supports the same file types that are supported in transport rules. For a list of supported file types, see Use mail flow rules to inspect message attachments in Office 365. One quick note about file types: neither transport rules nor Document Fingerprinting supports the .dotx file type, which can be confusing because that's a template file in Word. When you see the word "template" in this and other Document Fingerprinting topics, it refers to a document that you have established as a standard form, not the template file type.

Limitations of document fingerprinting

The Document Fingerprinting DLP agent won't detect sensitive information in the following cases:

  • Password protected files

  • Files that contain only images

  • Documents that don't contain all the text from the original form used to create the document fingerprint
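The matching behaviour described under "How Document Fingerprinting works" and the three limitations above can be reproduced with a small sketch. This is an added example, not Microsoft's algorithm (the page does not disclose it): it assumes a fingerprint is a set of SHA-256 hashes over three-word windows of the blank form, and the function names and sample documents are constructed for illustration.

```python
import hashlib
import re
from typing import FrozenSet, Optional

SHINGLE = 3  # words per hashed window (assumed value for this sketch)


def _shingle_hashes(text: str) -> set:
    """SHA-256 of every run of SHINGLE consecutive words, line by line.

    Lines with fewer than SHINGLE words contribute nothing.
    """
    hashes = set()
    for line in text.splitlines():
        words = re.findall(r"\w+", line.lower())
        for i in range(len(words) - SHINGLE + 1):
            chunk = " ".join(words[i:i + SHINGLE])
            hashes.add(hashlib.sha256(chunk.encode("utf-8")).hexdigest())
    return hashes


def make_fingerprint(blank_form: str) -> FrozenSet[str]:
    """Keep only hashes of the form's word pattern, never the form text."""
    return frozenset(_shingle_hashes(blank_form))


def matches(fingerprint: FrozenSet[str], extracted: Optional[str]) -> bool:
    """True only when every hashed window of the original form is present.

    extracted is None when no text can be read (password-protected file)
    and "" for an image-only file; neither can match.
    """
    if not fingerprint or not extracted:
        return False
    return fingerprint <= _shingle_hashes(extracted)


# Constructed sample documents, not real forms.
TEMPLATE = """Patent title: the full title of the invention
Inventors: the legal names of all inventors
Description: a detailed description of the invention"""
FILLED = """Patent title: the full title of the invention
Self-sealing valve assembly
Inventors: the legal names of all inventors
A. Example and B. Sample
Description: a detailed description of the invention
A valve that closes under back pressure."""
PARTIAL = "\n".join(l for l in FILLED.splitlines() if not l.startswith("Inventors"))
```

In this sketch `FILLED` matches the fingerprint of `TEMPLATE`, while `PARTIAL` (one original form line removed), an empty string and `None` do not, which mirrors why a policy built on a fingerprint needs a fallback control for protected, image-only or trimmed documents.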

For more information

Protect form data with document fingerprinting

Integrating sensitive information rules with transport rules

DLP Procedures