Write a policy that determines where sensitive information may exist within your organization