Data Owner and User Notifications

In This Section:

Data Owners

The people who are responsible for data, such as managers and team leaders, have specific responsibilities beyond those of regular users. Each Data Owner should discuss with you the types of data to protect and the types that have to be sent outside.

For example, according to heuristics, it might seem logical that no source code be sent outside of your organization; but a Data Owner explains that her team needs to send code snippets to outside technical support for troubleshooting. Add this information to the list of Data Types that this Data Owner controls, and create an Exception to the Rule for this type of data, coming from this team, and being sent to the technical support domain.

When DLP incidents are logged, the DLP gateway can send automatic notifications to the Data Owners. For example, configure Data Owner notification for rules that have a critical severity. Automatic notifications ensure that the Data Owner knows about relevant incidents and can respond rapidly to issues under their responsibility.

To define data owners:

On the SmartDashboard, open the Data Loss Prevention tab > Data Types.
Double-click a Data Type in the list.
The properties window of the Data Type opens.
Click Data Owners.
Click Add.
The Add Data Owners window opens.
Select the user or group who is responsible for this data and click Add.
If the data owner is not in the list, click New. In the Email Addresses window, enter the name and email address of the data owner (or name a list of email addresses).
Add as many data owners as needed.
Click OK.

Preparing Corporate Guidelines

Allow users to become familiar with the local guidelines for data transmission and protection. For example, corporate guidelines should ensure that your organization is compliant with legal standards (such as privacy laws) and protects intellectual property.

In particular, you must protect your organization from legal issues in companies and locations where employees are protected from having their emails opened by others. In most cases, if you tell your users that any email that violates a DLP rule will be captured and may be reviewed, you have fulfilled the requirements of the law.

You can include a link to the corporate guidelines in DLP notifications to users and to Data Owners.

When you have the corporate guidelines page ready, modify the DLP gateway to link directly to the corporate guidelines.

To modify a DLP gateway to link to your corporate guidelines:

On the gateway, open: $DLPDIR/config/dlp.conf
Find the corporate_info_link parameter and change the value to be the URL of your corporate guidelines (format = http://www.example.com).
Save the file and close it.
Install Policy on the DLP gateway.

Communicating with Data Owners

Before installing the first policy, send an email to Data Owners:

Explain the Data Owner responsibility for protecting data.
Provide an example of automated notification and discuss corporate guidelines for responding to incidents.
Ask the Data Owners to provide the Data Types that they want protected and any exceptions.
Decide ahead of time what exceptions you do not want to allow. For example, you can create a corporate DLP guideline that no one sends protected data to home email addresses. Having organization-wide guidelines should prevent conflicts if a Data Owner makes a request that is not good business practice; you can direct the Data Owner to the guidelines, rather than rejecting the request personally.

You are responsible for finding a balance between notifying the Data Owner every time an incident occurs - which may overwhelm the person and reduce the effectiveness of the system - and failing to notify the Data Owner enough. The notification system must help Data Owners maintain control over their data and help resolve issues of possible leakage.

Rule Action	Recommendation for Data Owner Notification
Detect	In general, you should not notify Data Owners for Detect rules.
Inform User	Sometimes Data Owners want to know what data is sent out, but are not ready to delay or prevent the transmission. Notification of these incidents depends on the needs of the Data Owners.
Ask User	The user handles these incidents in the Self Incident-Handling portal. Whether the Data Owner needs to be notified depends on the severity of the rule and the preferences of the individual Data Owners.
Prevent	Any rule that is severe enough to justify the immediate block of a transmission, is often enough to justify the Data Owner being notified.

Communicating with Users

It is recommended that before you install the first policy, you let all the users in the organization know how the DLP policy operates. Send an email with this information:

Declare the date that the policy was or will start to operate.
Let them know that the policy operates on emails, uploads, and web posts. Make sure to let users know that such transmissions can be captured and read by others if they violate DLP rules.
Let them know that each user is expected to respond to notifications, to handle incidents and to learn from the incident about the corporate policy. Perhaps include a screen shot of the Self Incident Handling Portal and give instructions on the options that users have. Let them know that administrators with permissions can send or discard quarantined transmissions. They will be notified by email when this occurs.
Give a link to the corporate policy.
Let them know that not abiding to specific rules will cause in result in notification to managers, containing the user's name and the type of data that was leaked.
Give the expiration time (default is 7 days) for incidents to be handled.

After installing the policy, you can set automatic notification (as part of each rule) of incidents to users. This enforces the corporate guidelines and explains to the users what is happening and why, when this data is related.

When a user performs an action that matches a rule, DLP handles the communication and logging automatically.

Notification of DLP violations to users is an email or a pop-up from the tray client. It describes the un-allowed action and can include a link to the corporate guidelines and to the Self Incident-Handling portal. Other actions are based on the severity and action of the matched rule.

Rule Action	Recommended Communication
Detect	In general, you should not notify users for Detect rules.
Inform User	Transmissions are passed on Inform, but notifications at this stage help the user prepare for stricter rules later on.
Ask User	Communication is imperative in this type of rule. The user must decide how to handle the transmission. Notifications of Ask User incidents should include a link to the Portal, to allow the user to perform the appropriate handling option. The link to the corporate guidelines should also be included.
Prevent	An email for this type of rule does not offer handling options, but does provide necessary information. The user needs to know that the transmission "failed". In addition, the user should learn from the event, and change the behavior that caused the incident.

Notifying Data Owners

DLP can send automatic messages to Data Owners if an incident occurs involving a Data Type over which the Data Owners have responsibility.

To configure Data Owner notification:

In Data Loss Prevention > Data Types, define the data owners of the Data Type.
Open Data Loss Prevention > Policy.
Right-click the Track column of the rule and select Email.
The Email window opens.
Select the checkbox.
Data Owners is provided by default.

If you want the notification to be sent to others as well, click the plus button and select users or groups in the Add Recipients window.
Provide the text to appear in the email.
Default text is: The Check Point Data Loss Prevention system has found traffic which matches a rule.
Click OK.

Notifying Users

While users are becoming familiar with the Organization Guidelines enforced by the DLP gateway, take advantage of the self-education tools. The vast majority of data leaks are unintentional, so automatic explanations or reminders when a rule is broken should significantly improve user leaks over a relatively short amount of time.

You can set rules of the Data Loss Prevention policy to Inform User - the user receives the automatic explanation about why this data is protected from leakage - but for now, the traffic is passed, ensuring minimal disruption.

You can also set rules to ask the user what should be done about captured data - send it on or delete it.

To configure user notification:

Open Data Loss Prevention > Policy.
In the Action column of the rule to change, right-click and select Inform User or Ask User.

Customizing Notifications for Users

Notifications sent to users can be customized to match your organizational culture and needs. It is important to maintain an impersonal and nonjudgmental format. While handling an incident:

Focus on the issue.
Focus on helping users change future behavior.

In the notification, the user may see:

The data as an attachment (if an email).
A subject/title that lets the user know this incident should be handled quickly.
If the data was a zip file, the email lists the zipped files and explains why they should not be transmitted.
Explanation of what is being done. For example:
The message is being held until further action.
It is recommended that you explain that the data may be read by others, for the purpose of protecting organization-wide data or legal compliance.
Links to the Self Incident-Handling Portal, to continue, discard, or review the offending transmission.
Link to the corporate information security guidelines.
The main body of the email explains the rule. For example:
The attached message, sent by you, is addressed to an external email address. Our Data Loss PreventionData Loss Prevention system determined that it may contain confidential information.

To include more information, add these fields:

Field	Description
Part name	Location of the data in violation: Email's Body or the name of the attachment
Rule name	Name of the rule that matched the transmission
Data objects	Name of the Data Types that represent matched data in the transmission

The next fields are applied to emails that match Unintentional Recipient or External BCC rules.

Field	Description
Internal Recipients Number	Number of intended destinations inside My Organization
External Recipient	List of external addresses (user@domain.com) in the destination

Customizing Notifications to Data Owners

To change the text of a notification to Data Owners:

Open Data Loss Prevention > Policy.
Right-click in the Track column of a rule and select Email.
The Email window opens.
Customize the text with your own message.

Customizing Notifications for Self-Handling

To change the text of a notification to users to handle an incident:

Open Data Loss Prevention > Policy.
Right-click in the Action column of a rule and select Edit Rule Notification.
This option is available for all actions except Detect, because users are not to be informed of rules that match on this action. Change the action to Inform User if you want to notify the user and still pass the data.
In the window that opens, change the text with your own message to fit the rule. You can use text or variables.

Setting Rules to Ask User

The Ask User rule action provides UserCheck, distributing unintentional data security checks to the user. This action provides automated education to users. When a user attempts to transmit protected data, DLP captures the data and notifies the user. The notification (by email or by popup of the UserCheck client on user machines) explains the policy about transmitting this data and provides links to handle the incident.

Important - The mail server must be able to act as a mail relay. This allows users to release (Send) emails that DLP captured on Ask User rules. The mail server must be configured to trust the DLP gateway.

To set a rule to ask user:

Open Data Loss Prevention > Policy.
Right-click in the Action column of the rule and select Ask User.

Ask User rules depend on the users getting notification and having options to either Send or Discard a message. Before doing Install Policy with new Ask User rules, make sure the DLP gateway is set up for Ask User options.

To set up the gateway for Ask User rules:

Open Data Loss Prevention > Gateways.
Select the DLP gateway and click Edit.
The properties window of the gateway opens.
In the left pane list of pages, click Data Loss Prevention.
In the DLP Portal area, select Activate DLP Portal for Self Incident Handling.
In the left pane list of pages, click Data Loss Prevention > Mail Relay.
Select the mail server that the DLP gateway will use to send notification emails.
Click OK.

DLP Portal

The focus of Check Point Data Loss Prevention is user-led handling of incidents that match the rules you have created. If a user attempts to send data that should not be transmitted outside the organization, a notification is sent to the user. This email or alert includes a link to the Self Incident-Handling portal. From here, the user can explain why the email should be sent; or now realizing the importance of not sending the email, choose to discard it.

This unique method of self-education for Data Loss Prevention reduces prevalent leakage from unintentional violations of the rules. This solution also reduces the cost of ownership. Your users, and your analysis of their usage, become the experts that lead your Data Loss Prevention configurations, rather than the much more time- and resource-consuming solutions of calling in an outside expert.

The DLP portal is a Web portal that is hosted on the DLP Security Gateway. The SmartDashboard administrator configures the DLP Portal URL in the Data Loss Prevention Wizard. By default, the URL is https://<Gateway IP>/dlp. The administrator can change the URL in the Data Loss Prevention page of the Security Gateway that is enforcing DLP.

What Users See and Do

When a data transmission matches a rule with notification, the user receives an email, which contains a link to the Self Incident-Handling Portal.

The Portal explains that decisions are logged.

If the user chooses to continue the transmission, they have the opportunity to explain why it should be sent before the action is completed.
If the user chooses to discard the transmission, DLP deletes the transmission immediately.
If the user wants to review the transmission before deciding, they will see the reasons why it was captured and have the links again to send or discard it.
The user can log into the Portal and view all UserCheck emails that were not yet handled. To see all the emails, the user clicks the login link in the Portal and gives authentication.

How Users Log in to the Self Incident-Handling Portal

Users can log into the portal in one of these ways:

Click a link in the DLP notification email
Browse directly to the DLP Portal URL. The default URL is:
https://<Gateway IP>/dlp
Right-click the UserCheck agent icon in the Task Bar notification area and select Review DLP notifications.

Unhandled UserCheck Incidents

When data is captured by an Ask User rule, the data itself is stored in a safe area of the DLP gateway. It stays there until the user decides to send or discard it.

If the user does not make a decision in less than the given interval, the incident expires and the data is automatically discarded. By default, time for handling incidents is 7 days. If a user is out of the office or cannot handle the incident for some other reason, an administrator can take care of it. The administrator must have full permissions or the View/Release/Discard DLP messages permission. Then, from SmartView Tracker the administrator can send or discard the incident. Notification is sent to the user.

Three days before an unhandled incident expires, a new notification email is sent to the user. Then an email is sent at daily intervals, until the user/administrator takes care of it.

Expired incidents are logged in SmartView Tracker. See DLP Blade > Blocked, where the Action of logged incidents is Quarantine Expired.

Managing Incidents by Replying to Emails

Users can handle their incidents by replying to notification emails without entering the portal. This option is not allowed by default.

To allow users to manage incidents by replying to emails:

In SmartDashboard, edit the DLP gateway object.
Select the Data Loss Prevention page
Select Allow users to manage their incidents by replying to the notification emails.

UserCheck Notifications

If you configure and install the UserCheck client on user machines, popup notifications show in the notification area. These popups show the same information as email notifications.

If the incident is in Ask User mode, the popups contain Send, Discard, and Cancel links. Users can handle the incidents directly from UserCheck, without going to the DLP Portal.

If users click Cancel, they can handle the incident at a later time from their email or the Self Incident-Handling Portal.

Managing Rules in Ask User

You can audit the incident and the decisions that the user makes in the portal. With this information, you can quickly understand which rules should be made more specific, where exceptions are needed, and if a rule should be set to Prevent. Your users become the information security experts, simply by using the Portal.

To review these actions:

In SmartDashboard, select SmartConsole > SmartView Tracker.
In the Network & Endpoint tab, select Predefined > Data Loss Prevention Blade.
Click the All query.
Click entries with Ask User in the Action column for the log record.
See the decision made in the User Response field.

Learning Mode

DLP can recognize email threads, HTTP posts or FTP uploads and adapt the policy, rather than asking users to manage each email, HTTP post, or FTP upload.

Emails

For example, an Ask User rule is matched. The user gets a notification that an email has been captured by DLP. The user decides to send the email and gives a description why.

DLP caches the subject and recipient list of the email. While the user sends emails in the same thread, DLP will allow the emails. The user gives one explanation why the thread must be allowed if each message contains the content of messages from before. The explanation is given one time for each email thread, for each rule. The explanation is applicable for a week. After a week, the user is notified again.

If a user sends a new violation in the same thread, DLP sends a new notification to the user.

By default, learning mode for Emails is not active.

If DLP scans Exchange traffic, then learning mode is also applied to Exchange emails.

HTTP Posts

Learning mode for HTTP posts operates like learning mode for emails. The user gives one explanation why a post to a site must be allowed if a post contains the content of a post from before. The explanation is given one time for each HTTP post to a site, for each rule. The explanation is applicable for 12 hours. After 12 hours, the user is notified again.

If a user posts a new violation to the same site, DLP notifies the user and asks again.

By default, learning mode for HTTP is active.

If HTTPS Inspection is enabled, then learning mode is also applied to HTTPS posts.

FTP Uploads

Learning mode for FTP uploads operates like learning mode for http posts. The user gives one explanation why an upload must be allowed. The explanation is given one time for each FTP upload, for each rule. The explanation is applicable for 12 hours. After 12 hours, the user is notified again.

If a user uploads a new violation, DLP notifies the user and asks again.

By default, learning mode for FTP uploads is not active.

To configure learning mode for email threads, HTTP posts, or FTP uploads:

Open Data Loss Prevention > Additional Settings > Advanced > Learn User Actions.

Select the relevant options:

Email - When you select this checkbox, the user makes one decision for a complete thread, and that decision is applied to all messages of the same thread. When you clear this checkbox, the user is informed of all messages that match a DLP rule, even if a message is matched on carried-over text of an older message. The checkbox is cleared by default. When DLP scans Exchange emails, learning mode is also applied to Exchange traffic.
Web - When you select this checkbox, the user makes one decision for a post to a site, and that decision is applied to all posts that contain content from a previous post within 12 hours. When you clear this checkbox, the user is informed of all posts that match a DLP rule, even if a post is matched on carried-over text of an older post. The checkbox is selected by default. When HTTPS Inspection is enabled, learning mode is also applied to HTTPS posts.

FTP - When you select this checkbox, the user makes one decision for FTP uploads, and that is decision is applied to all uploads with 12 hours. When you clear this checkbox, the user is informed of all uploads that match a DLP rule, even if an upload is matched on carried over content of an older upload. This checkbox is cleared by default.

Note - For Web violations, turning off Learn User Actions disables the Send and Discard buttons in the UserCheck portal. Users can only close the portal. Suspected data is not posted to the site.