Data Owner and User Notifications
Data Owners
The people who are responsible for data, such as managers and team leaders, have specific responsibilities beyond those of regular users. Each Data Owner should discuss with you the types of data to protect and the types that have to be sent outside.
For example, according to heuristics, it might seem logical that no source code be sent outside of your organization; but a Data Owner explains that her team needs to send code snippets to outside technical support for troubleshooting. Add this information to the list of Data Types that this Data Owner controls, and create an Exception to the Rule for this type of data, coming from this team, and being sent to the technical support domain.
When DLP incidents are logged, the DLP gateway can send automatic notifications to the Data Owners. For example, configure Data Owner notification for rules that have a critical severity. Automatic notifications ensure that the Data Owner knows about relevant incidents and can respond rapidly to issues under their responsibility.
To define data owners:
- On the SmartDashboard, open the Data Loss Prevention tab > Data Types.
- Double-click a Data Type in the list.
The properties window of the Data Type opens.
- Click Data Owners.
- Click Add.
The Add Data Owners window opens.
- Select the user or group who is responsible for this data and click Add.
If the data owner is not in the list, click New. In the Email Addresses window, enter the name and email address of the data owner (or name a list of email addresses).
- Add as many data owners as needed.
- Click OK.
Preparing Corporate Guidelines
Give users the opportunity to become familiar with the local guidelines for data transmission and protection. Corporate guidelines should, for example, ensure that your organization complies with legal standards (such as privacy laws) and protects intellectual property.
In particular, protect your organization from legal exposure in companies and jurisdictions where employees have a legal expectation that their emails are not opened by others. In most cases, telling users in advance that any email that violates a DLP rule will be captured and may be reviewed satisfies that requirement; confirm the wording with your legal department before the first policy is installed.
You can include a link to the corporate guidelines in DLP notifications to users and to Data Owners.
When you have the corporate guidelines page ready, modify the DLP gateway to link directly to the corporate guidelines.
To modify a DLP gateway to link to your corporate guidelines:
- On the gateway, open: $DLPDIR/config/dlp.conf
- Find the corporate_info_link parameter and change the value to the URL of your corporate guidelines (format: http://www.example.com).
- Save the file and close it.
- Run Install Policy on the DLP gateway.
Communicating with Data Owners
Before installing the first policy, send an email to Data Owners:
- Explain the Data Owner responsibility for protecting data.
- Provide an example of automated notification and discuss corporate guidelines for responding to incidents.
- Ask the Data Owners to provide the Data Types that they want protected and any exceptions.
- Decide ahead of time what exceptions you do not want to allow. For example, you can create a corporate DLP guideline that no one sends protected data to home email addresses. Having organization-wide guidelines should prevent conflicts if a Data Owner makes a request that is not good business practice; you can direct the Data Owner to the guidelines, rather than rejecting the request personally.
You are responsible for finding a balance between notifying the Data Owner every time an incident occurs - which may overwhelm the person and reduce the effectiveness of the system - and failing to notify the Data Owner enough. The notification system must help Data Owners maintain control over their data and help resolve issues of possible leakage.
Rule Action | Recommendation for Data Owner Notification
Detect | In general, do not notify Data Owners for Detect rules.
Inform User | Sometimes Data Owners want to know what data is sent out, but are not ready to delay or prevent the transmission. Notification of these incidents depends on the needs of the Data Owners.
Ask User | The user handles these incidents in the Self Incident-Handling portal. Whether the Data Owner needs to be notified depends on the severity of the rule and the preferences of the individual Data Owners.
Prevent | Any rule severe enough to justify the immediate block of a transmission is usually severe enough to justify notifying the Data Owner.
Communicating with Users
It is recommended that before you install the first policy, you let all the users in the organization know how the DLP policy operates. Send an email with this information:
- Declare the date on which the policy started, or will start, to operate.
- Let them know that the policy operates on emails, uploads, and web posts. Make sure to let users know that such transmissions can be captured and read by others if they violate DLP rules.
- Let them know that each user is expected to respond to notifications, to handle incidents and to learn from the incident about the corporate policy. Perhaps include a screen shot of the Self Incident Handling Portal and give instructions on the options that users have. Let them know that administrators with permissions can send or discard quarantined transmissions. They will be notified by email when this occurs.
- Give a link to the corporate policy.
- Let them know that not abiding by specific rules will result in a notification to managers, containing the user's name and the type of data that was leaked.
- Give the expiration time (default is 7 days) for incidents to be handled.
After installing the policy, you can set automatic notification (as part of each rule) of incidents to users. This enforces the corporate guidelines and explains to users what is happening and why, whenever their transmission involves protected data.
When a user performs an action that matches a rule, DLP handles the communication and logging automatically.
Notification of DLP violations to users is an email or a pop-up from the tray client. It describes the un-allowed action and can include a link to the corporate guidelines and to the Self Incident-Handling portal. Other actions are based on the severity and action of the matched rule.
Rule Action | Recommended Communication
Detect | In general, do not notify users for Detect rules.
Inform User | Transmissions are passed on Inform, but notifications at this stage help the user prepare for stricter rules later on.
Ask User | Communication is imperative for this type of rule: the user must decide how to handle the transmission. Notifications of Ask User incidents should include a link to the Portal, so the user can choose the appropriate handling option, and a link to the corporate guidelines.
Prevent | An email for this type of rule does not offer handling options, but does provide necessary information. The user needs to know that the transmission "failed", should learn from the event, and should change the behavior that caused the incident.
Notifying Data Owners
DLP can send automatic messages to Data Owners if an incident occurs involving a Data Type over which the Data Owners have responsibility.
To configure Data Owner notification:
- In Data Loss Prevention > Data Types, define the data owners of the Data Type.
- Open Data Loss Prevention > Policy.
- Right-click the Track column of the rule and select Email.
The Email window opens.
- Select the checkbox.
Data Owners is the default recipient.
If you want the notification to be sent to others as well, click the plus button and select users or groups in the Add Recipients window.
- Provide the text to appear in the email.
Default text is: The Data Loss Prevention blade has found traffic which matches a rule
- Click OK.
Notifying Users
While users are becoming familiar with the Organization Guidelines enforced by the DLP gateway, take advantage of the self-education tools. The vast majority of data leaks are unintentional, so an automatic explanation or reminder when a rule is broken should significantly reduce unintentional leaks over a relatively short amount of time.
You can set rules of the Data Loss Prevention policy to Inform User - the user receives the automatic explanation about why this data is protected from leakage - but for now, the traffic is passed, ensuring minimal disruption.
You can also set rules to ask the user what should be done about captured data - send it on or delete it.
To configure user notification:
- Open Data Loss Prevention > Policy.
- In the Action column of the rule to change, right-click and select Inform User or Ask User.
Customizing Notifications for Users
Notifications sent to users can be customized to match your organizational culture and needs. It is important to maintain an impersonal and nonjudgmental format. While handling an incident:
- Focus on the issue.
- Focus on helping users change future behavior.
In the notification, the user may see:
- The data as an attachment (if an email).
- A subject/title that lets the user know this incident should be handled quickly.
- If the data was a zip file, the email lists the zipped files and explains why they should not be transmitted.
- Explanation of what is being done. For example:
The message is being held until further action.
It is recommended that you explain that the data may be read by others, for the purpose of protecting organization-wide data or legal compliance.
- Links to the Self Incident-Handling Portal, to continue, discard, or review the offending transmission.
- Link to the corporate information security guidelines.
- The main body of the email explains the rule. For example:
The attached message, sent by you, is addressed to an external email address. Our Data Loss Prevention system determined that it may contain confidential information.
To include more information, add these fields:
Field | Description
Part name | Location of the data in violation: the email body, or the name of the attachment
Rule name | Name of the rule that matched the transmission
Data objects | Names of the Data Types that represent matched data in the transmission
The next fields apply to emails that match Unintentional Recipient or External BCC rules.
Field | Description
Internal Recipients Number | Number of intended destinations inside My Organization
External Recipient | List of external addresses (user@domain.com) in the destination
Customizing Notifications to Data Owners
To change the text of a notification to Data Owners:
- Open Data Loss Prevention > Policy.
- Right-click in the Track column of a rule and select Email.
The Email Notification window opens.
- Customize the text with your own message.
Customizing Notifications for Self-Handling
To change the text of a notification to users to handle an incident:
- Open Data Loss Prevention > Policy.
- Right-click in the Action column of a rule and select Edit Properties.
This option is available for all actions except Detect, because users are not to be informed of rules that match on this action. Change the action to Inform User if you want to notify the user and still pass the data.
- In the window that opens, change the text with your own message to fit the rule. You can use text or variables.
Setting Rules to Ask User
The Ask User rule action uses UserCheck to put the decision about a suspected unintentional data leak in front of the user, which makes the rule a form of automated user education. When a user attempts to transmit protected data, DLP captures the data and notifies the user. The notification (by email, or by a popup of the UserCheck client on user machines) explains the policy about transmitting this data and provides links to handle the incident.
To set a rule to ask user:
- Open .
- Right-click in the column of the rule and select .
Ask User rules depend on the users getting notification and having options to either Send or Discard a message. Before doing Install Policy with new Ask User rules, make sure the DLP gateway is set up for Ask User options.
To set up the gateway for Ask User rules:
- Open .
- Select the DLP gateway and click .
The properties window of the gateway opens.
- In the left pane list of pages, click .
- In the area, select .
- In the left pane list of pages, click .
- Select the mail server that the DLP gateway will use to send notification emails.
- Click .
DLP Portal
The focus of Check Point Data Loss Prevention is user-led handling of incidents that match the rules you have created. If a user attempts to send data that should not be transmitted outside the organization, a notification is sent to the user. This email or alert includes a link to the Self Incident-Handling portal. From here, the user can explain why the email should be sent; or now realizing the importance of not sending the email, choose to discard it.
This unique method of self-education for Data Loss Prevention reduces prevalent leakage from unintentional violations of the rules. This solution also reduces the cost of ownership. Your users, and your analysis of their usage, become the experts that lead your Data Loss Prevention configurations, rather than the much more time- and resource-consuming solutions of calling in an outside expert.
The DLP portal is a Web portal that is hosted on the DLP Security Gateway. The SmartDashboard administrator configures the DLP Portal URL in the Data Loss Prevention Wizard. By default, the URL is https://<Gateway IP>/dlp . The administrator can change the URL in the page of the Security Gateway that is enforcing DLP.
What Users See and Do
When a data transmission matches a rule with notification, the user receives an email, which contains a link to the Self Incident-Handling Portal.
The Portal explains that decisions are logged.
- If the user chooses to continue the transmission, they have the opportunity to explain why it should be sent before the action is completed.
- If the user chooses to discard the transmission, DLP deletes the transmission immediately.
- If the user wants to review the transmission before deciding, they will see the reasons why it was captured and have the links again to send or discard it.
- The user can log into the Portal and view all UserCheck emails that were not yet handled. To see all the emails, the user clicks the login link in the Portal and gives authentication.
How Users Log in to the Self Incident-Handling Portal
Users can log into the portal in one of these ways:
- Clicking a link in the DLP notification email
- Clicking a link in the UserCheck Client notification
- Browsing directly to the DLP Portal URL. The default URL is:
https://<Gateway IP>/dlp
Unhandled UserCheck Incidents
When data is captured by an rule, the data itself is stored in a safe area of the DLP gateway. It stays there until the user decides to send or discard it.
If the user does not make a decision in less than the given interval, the incident expires and the data is automatically discarded. By default, time for handling incidents is 7 days. If a user is out of the office or cannot handle the incident for some other reason, an administrator can take care of it. The administrator must have full permissions or the View/Release/Discard DLP messages permission. Then, from SmartView Tracker the administrator can send or discard the incident. Notification is sent to the user.
Three days before an unhandled incident expires, a new notification email is sent to the user. Then an email is sent at daily intervals, until the user/administrator takes care of it.
Expired incidents are logged in SmartView Tracker. See DLP Blade > User Actions, where the Action of logged incidents is Quarantine Expired.
Managing Incidents by Replying to Emails
Users can handle their incidents by replying to notification emails without entering the portal. This option is disabled by default.
To allow users to manage incidents by replying to emails:
- In SmartDashboard, edit the DLP gateway object.
- Select the page
- Select .
UserCheck Notifications
If you configure and install the UserCheck client on user machines, popup notifications show in the notification area. These popups show the same information as email notifications.
If the incident is in Ask User mode, the popups contain Send, Discard, and Cancel links. Users can handle the incidents directly from UserCheck, without going to the DLP Portal.
If users click , they can handle the incident at a later time from their email or the Self Incident-Handling Portal.
Managing Rules in Ask User
You can audit the incident and the decisions that the user makes in the portal. With this information, you can quickly understand which rules should be made more specific, where exceptions are needed, and if a rule should be set to Prevent. Your users become the information security experts, simply by using the Portal.
To review these actions:
- In SmartDashboard, select SmartConsole > SmartView Tracker.
- In the Network & Endpoint tab, select Predefined > Data Loss Prevention Blade.
- Click User Actions.
Learning Mode
DLP can recognize email threads or HTTP posts and adapt the policy, rather than asking users to manage each email or HTTP post.
Emails
For example, an Ask User rule is matched. The user gets a notification that an email has been captured by DLP. The user decides to send the email and gives a description why.
DLP caches the subject and recipient list of the email. Subsequent emails in the same thread that match the rule only because they carry over content from earlier messages are allowed without asking again. The explanation is given one time for each email thread, for each rule, and is applicable for a week. After a week, the user is notified again.
If a user sends a new violation in the same thread, DLP sends a new notification to the user.
By default, learning mode for Emails is not active.
If DLP scans Exchange traffic, then learning mode is also applied to Exchange emails.
HTTP Posts
Learning mode for HTTP posts operates like learning mode for emails. The user gives one explanation why a post to a site must be allowed if a post contains the content of a post from before. The explanation is given one time for each HTTP post to a site, for each rule. The explanation is applicable for an hour. After an hour, the user is notified again.
If a user posts a new violation to the same site, DLP notifies the user and asks again.
By default, learning mode for HTTP is not active.
If HTTPS Inspection is enabled, then learning mode is also applied to HTTPS posts.
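The learning-mode behaviour described above (one explanation per email thread or per site, per rule, valid for a week or an hour, covering only carried-over content), modelled as an added example. This is illustrative code written for this page, not Check Point's implementation. It assumes that a thread can be identified by the subject without Re:/Fwd: prefixes plus the recipient list, that a site is identified by the host part of the URL, and that "carried-over content" can be recognized by hashing the matched snippets; the class and function names, the sample user, rule and snippets are all constructed.

```python
"""Added model of DLP learning mode: one explanation per thread (or per site) per rule,
valid for a week (email) or an hour (HTTP), covering only carried-over matched content.
Illustrative only; not the gateway's implementation."""
import hashlib
import re
from dataclasses import dataclass, field

WEEK = 7 * 24 * 3600   # email explanations stay valid for a week (per the page)
HOUR = 3600            # HTTP post explanations stay valid for an hour (per the page)


def email_thread_key(subject, recipients):
    """Assumed thread identity: subject without Re:/Fwd: prefixes plus the recipient list."""
    base = re.sub(r"^(\s*(re|fw|fwd)\s*:\s*)+", "", subject, flags=re.I).strip().lower()
    return ("email", base, tuple(sorted(r.strip().lower() for r in recipients)))


def http_site_key(url):
    """Assumed site identity: the host part of the posted-to URL."""
    host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()
    return ("http", host)


def _digest(snippet):
    # Hash of the matched data so carried-over text can be recognized without storing it.
    return hashlib.sha256(snippet.strip().lower().encode()).hexdigest()


@dataclass
class LearningMode:
    email_enabled: bool = False   # both checkboxes are cleared by default
    http_enabled: bool = False
    # (user, rule, key) -> (expiry time, digests of content the user already explained)
    _decisions: dict = field(default_factory=dict)

    def _enabled(self, key):
        return self.email_enabled if key[0] == "email" else self.http_enabled

    def check(self, user, rule, key, matched_snippets, now):
        """'allow' if an unexpired explanation covers every matched snippet, else 'ask'."""
        if not self._enabled(key):
            return "ask"
        entry = self._decisions.get((user, rule, key))
        if entry is None:
            return "ask"
        expiry, explained = entry
        if now > expiry:
            del self._decisions[(user, rule, key)]   # week/hour is over: ask again
            return "ask"
        # Any matched data the user has not explained yet is a new violation.
        if all(_digest(s) in explained for s in matched_snippets):
            return "allow"
        return "ask"

    def record_send(self, user, rule, key, matched_snippets, now):
        """The user chose Send in the portal and gave an explanation; remember it."""
        ttl = WEEK if key[0] == "email" else HOUR
        prev = self._decisions.get((user, rule, key))
        explained = set(prev[1]) if prev and now <= prev[0] else set()
        explained.update(_digest(s) for s in matched_snippets)
        self._decisions[(user, rule, key)] = (now + ttl, frozenset(explained))


def demo():
    """Constructed scenario: one user, one rule, one email thread, then a web post."""
    lm = LearningMode(email_enabled=True, http_enabled=False)
    user, rule, t0 = "alice@example.com", "Confidential to external", 1_700_000_000
    thread = email_thread_key("Q3 plan", ["bob@partner.example"])
    reply = email_thread_key("Re: Q3 plan", ["bob@partner.example"])
    falcon, revenue = "Project codename: Falcon", "Revenue forecast: 4.2M"
    out = [lm.check(user, rule, thread, [falcon], t0)]                      # first match: ask
    lm.record_send(user, rule, thread, [falcon], t0)                        # user sends, explains
    out.append(lm.check(user, rule, reply, [falcon], t0 + 86400))           # carried over: allow
    out.append(lm.check(user, rule, reply, [falcon, revenue], t0 + 2 * 86400))  # new data: ask
    out.append(lm.check(user, rule, reply, [falcon], t0 + WEEK + 60))       # week over: ask
    site = http_site_key("https://paste.example.org/new")
    out.append(lm.check(user, rule, site, [falcon], t0))                    # HTTP learning off: ask
    return out


if __name__ == "__main__":
    print(demo())   # ['ask', 'allow', 'ask', 'ask', 'ask']
```

The model matches only carried-over content: a reply that adds newly matched data is a new violation and is asked about again, and a post to the same site after the hour is asked about again. The page does not say whether a second explanation in the same thread extends the week; this model restarts the window from the latest explanation, which is an assumption.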
To configure learning mode for email threads and HTTP posts:
- Open .
- Select the relevant options:
- - When you select this checkbox, the user makes one decision for a complete thread, and that decision is applied to all messages of the same thread. When you clear this checkbox, the user is informed of all messages that match a DLP rule, even if a message is matched on carried-over text of an older message. The checkbox is cleared by default. When DLP scans Exchange emails, learning mode is also applied to Exchange traffic.
- - When you select this checkbox, the user makes one decision for a post to a site, and that decision is applied to all posts that contain content from a previous post within an hour. When you clear this checkbox, the user is informed of all posts that match a DLP rule, even if a post is matched on carried-over text of an older post. The checkbox is cleared by default. When HTTPS Inspection is enabled, learning mode is also applied to HTTPS posts.

Note - For Web violations, turning off disables the and buttons in the UserCheck portal. Users can only close the portal. Suspect data is not posted to the site.