
Control 1.13: Sensitive Information Types (SITs) and Pattern Recognition

Control ID: 1.13
Pillar: Security
Regulatory Reference: FINRA 4511, SEC Reg S-P, GLBA 501(b), SOX 404, PCI-DSS
Last UI Verified: January 2026
Governance Levels: Baseline / Recommended / Regulated
Last Verified: 2026-02-03


Objective

Configure Sensitive Information Types (SITs) for automatic detection and classification of financial data including customer NPI (SSN, account numbers), regulatory identifiers (CRD, CUSIP), and material non-public information (MNPI) to enable DLP policies and AI data governance.


Why This Matters for FSI

  • GLBA 501(b): Enables automatic detection and protection of customer NPI
  • SEC Reg S-P: Identifies customer records requiring privacy protection
  • FINRA 4511: Classifies records containing customer information for retention
  • PCI-DSS: Detects credit card numbers in scope systems
  • SOX 404: Identifies financial reporting data for integrity controls

Control Description

This control establishes Sensitive Information Types as the foundation of data classification in Microsoft 365:

  1. Built-in Financial SITs - Enable Microsoft-provided detectors for SSN, credit cards, bank accounts, ABA routing numbers, ITIN, CUSIP
  2. Custom FSI SITs - Create organization-specific detectors for internal account formats, FINRA CRD numbers, MNPI indicators, trade details
  3. Keyword Dictionaries - Build dictionaries for competitor names, financial terms, restricted entities
  4. Exact Data Match (EDM) - Configure precise matching against actual customer data (hashed, not stored)
  5. Confidence Tuning - Adjust thresholds to balance false positives and false negatives

Key Configuration Points

  • Review and enable built-in financial SITs in Purview Data Classification
  • Create custom SITs for internal account number formats (regex patterns)
  • Create FINRA CRD Number SIT with supporting keywords
  • Build MNPI indicator SIT using keyword dictionaries
  • Configure EDM classifier schema for customer data matching
  • Set confidence levels by use case: High (85+) for blocking, Medium (65-75) for alerting
  • Test detection in Content Explorer before policy deployment

Zone-Specific Requirements

Zone 1 (Personal)
  Requirement: Basic built-in SITs; alert-only mode; high confidence threshold (85+)
  Rationale: Low risk, awareness-focused

Zone 2 (Team)
  Requirement: Built-in + basic custom SITs; alert and educate; medium-high confidence (75-85)
  Rationale: Team data requires classification

Zone 3 (Enterprise)
  Requirement: Full SIT library + EDM; block on high confidence; medium threshold (65+)
  Rationale: Customer-facing requires comprehensive detection
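As an added illustration of the two points above (custom SITs built from a regex plus supporting keywords, and confidence thresholds set per zone), the following Python models how a pattern tier turns a primary match into a confidence level and how that level maps to alert or block per zone. This is example code written for this page, not Purview's matching engine or the control's own configuration; the CRD digit length, keyword lists and sample text are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Tier:
    """One confidence tier: primary match plus any listed keyword within proximity."""
    confidence: int
    any_keywords: tuple

@dataclass(frozen=True)
class SIT:
    primary: re.Pattern   # the primary element (regex) of the custom SIT
    tiers: tuple          # ordered highest confidence first
    proximity: int = 300  # characters of context examined on each side of a match

# Hypothetical custom SIT modelled on the page's "FINRA CRD Number" item; the
# digit length and keyword lists are constructed assumptions, not Purview's.
CRD_SIT = SIT(
    primary=re.compile(r"(?<![\d-])\d{4,8}(?![\d-])"),
    tiers=(
        Tier(85, ("crd#", "crd number", "crd no")),
        Tier(65, ("finra", "registered representative")),
    ),
)

def evaluate(sit: SIT, text: str) -> list[tuple[str, int]]:
    """Return (matched value, confidence) for each primary match backed by a tier.
    A bare number with no supporting keyword never matches, which keeps a
    digits-only pattern from flooding Content Explorer with false positives."""
    hits = []
    for m in sit.primary.finditer(text):
        window = text[max(0, m.start() - sit.proximity): m.end() + sit.proximity].lower()
        for tier in sit.tiers:
            if any(k in window for k in tier.any_keywords):
                hits.append((m.group(0), tier.confidence))
                break  # highest qualifying tier wins
    return hits

def enforcement(confidence: int, zone: int) -> str:
    """Zone thresholds from the table above: 85+ / 75+ / 65+; only Zone 3 blocks, at 85+."""
    threshold = {1: 85, 2: 75, 3: 65}[zone]
    if confidence < threshold:
        return "no action"
    return "block" if zone == 3 and confidence >= 85 else "alert"

# Constructed sample content; these are not real CRD numbers.
SAMPLES = {
    "high":   "Rep onboarding complete. CRD Number 1234567 is now active.",
    "medium": "Registered representative 2345678 will attend the FINRA exam.",
    "none":   "Invoice total 8899001 is due in 30 days from receipt.",
}
```

Running evaluate(CRD_SIT, SAMPLES["medium"]) yields a single 65-confidence match, which Zone 3 alerts on while Zone 1 and Zone 2 take no action; the "none" sample produces no match at all because no supporting keyword sits near the number.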

Roles & Responsibilities

Purview Info Protection Admin: Create and manage SITs, tune confidence levels
Purview Compliance Admin: Review detection results, approve custom SIT definitions
Compliance Officer: Validate regulatory requirements for data classification
Legal: Review MNPI and confidential information SIT definitions

Control Relationships

1.5 - DLP and Sensitivity Labels: SITs are used in DLP policy conditions
1.6 - DSPM for AI: SITs enable AI data exposure monitoring
1.7 - Audit Logging: SIT detection events are logged
1.10 - Communication Compliance: SITs are used in communication policies

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:


Verification Criteria

Confirm control effectiveness by verifying:

  1. Built-in financial SITs (SSN, credit card, bank account) are available in Purview
  2. Custom SITs appear in Sensitive info types list with correct publisher
  3. Test document with sample data is detected in Content Explorer within 24 hours
  4. DLP test policy fires when SIT is matched in test content
  5. EDM classifier shows Active status and matches exact data from source

Additional Resources


Updated: January 2026 | Version: v1.2 | UI Verification Status: Current