Hi,
Thank you for the response.
Basically the customer wants to block all document from being accessed (such as copy, move, save to USB) internally and emailed externally. The documents are office documents which as suggested by you guys, can either be specified by file types or IDM policy. The customer doesn't care if they cannot do their work for a week, as long as they know their document is blocked from unauthorized access.
Once all documents are blocked from any kind of access, customer then wants the document to be allowed one by one to only authorized person.
To me, it sounds like it requires massive effort to allow the document to authorized person later since I need to create rule for not only sensitive documents, but also non-sensitive documents.
Thanks.