Data Owner and User Notifications

In This Section:

Defining Data Owners

To define data owners:

In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.
SmartDashboard opens and shows the DLP tab.
From the navigation tree, click Data Types.
Double-click a Data Type in the list.
The properties window of the Data Type opens.
Click Data Owners.
Click Add.
The Add Data Owners window opens.
Select the user or group who is responsible for this data.
Add as many data owners as necessary.
Click OK.
Click Save and then close SmartDashboard.
From SmartConsole, Install Policy.

Preparing Corporate Guidelines

Allow users to become familiar with the local guidelines for data transmission and protection. For example, corporate guidelines should ensure that your organization is compliant with legal standards (such as privacy laws) and protects intellectual property.

In particular, you must protect your organization from legal issues in companies and locations where employees are protected from having their emails opened by others. In most cases, if you tell your users that any email that violates a DLP rule will be captured and may be reviewed, you have fulfilled the requirements of the law.

You can include a link to the corporate guidelines in DLP notifications to users and to Data Owners.

When you have the corporate guidelines page ready, modify the DLP gateway to link directly to the corporate guidelines.

To modify a DLP gateway to link to your corporate guidelines:

On the gateway, open: $DLPDIR/config/dlp.conf
Find the corporate_info_link parameter and change the value to be the URL of your corporate guidelines (format = http://www.example.com).
Save the file and close it.
Install Policy on the DLP gateway.

Communicating with Data Owners

Before installing the first policy, send an email to Data Owners:

Explain the Data Owner responsibility for protecting data.
Provide an example of automated notification and discuss corporate guidelines for responding to incidents.
Ask the Data Owners to provide the Data Types that they want protected and any exceptions.
Decide ahead of time what exceptions you do not want to allow. For example, you can create a corporate DLP guideline that no one sends protected data to home email addresses. Having organization-wide guidelines should prevent conflicts if a Data Owner makes a request that is not good business practice; you can direct the Data Owner to the guidelines, rather than rejecting the request personally.

You are responsible for finding a balance between notifying the Data Owner every time an incident occurs - which may overwhelm the person and reduce the effectiveness of the system - and failing to notify the Data Owner enough. The notification system must help Data Owners maintain control over their data and help resolve issues of possible leakage.

Rule Action	Recommendation for Data Owner Notification
Detect	In general, you should not notify Data Owners for Detect rules.
Inform User	Sometimes Data Owners want to know what data is sent out, but are not ready to delay or prevent the transmission. Notification of these incidents depends on the needs of the Data Owners.
Ask User	The user handles these incidents in the Self Incident-Handling portal. Whether the Data Owner needs to be notified depends on the severity of the rule and the preferences of the individual Data Owners.
Prevent	Any rule that is severe enough to justify the immediate block of a transmission, is often enough to justify the Data Owner being notified.

Communicating with Users

Best Practice - Before you install the first policy, let all the users in the organization know how the DLP policy operates. Send an email with this information:

Declare the date that the policy was or will start to operate.
Let them know that the policy operates on emails, uploads, and web posts. Make sure to let users know that such transmissions can be captured and read by others if they violate DLP rules.
Let them know that each user is expected to respond to notifications, to handle incidents and to learn from the incident about the corporate policy. Perhaps include a screen shot of the Self Incident Handling Portal and give instructions on the options that users have. Let them know that administrators with permissions can send or discard quarantined transmissions. They will be notified by email when this occurs.
Give a link to the corporate policy.
Let them know that not abiding to specific rules will cause in result in notification to managers, containing the user's name and the type of data that was leaked.
Give the expiration time (default is 7 days) for incidents to be handled.

After installing the policy, you can set automatic notification (as part of each rule) of incidents to users. This enforces the corporate guidelines and explains to the users what is happening and why, when this data is related.

When a user performs an action that matches a rule, DLP handles the communication and logging automatically.

Notification of DLP violations to users is an email or a pop-up from the tray client. It describes the un-allowed action and can include a link to the corporate guidelines and to the Self Incident-Handling portal. Other actions are based on the severity and action of the matched rule.

Rule Action	Recommended Communication
Detect	In general, you should not notify users for Detect rules.
Inform User	Transmissions are passed on Inform, but notifications at this stage help the user prepare for stricter rules later on.
Ask User	Communication is imperative in this type of rule. The user must decide how to handle the transmission. Notifications of Ask User incidents should include a link to the Portal, to allow the user to perform the appropriate handling option. The link to the corporate guidelines should also be included.
Prevent	An email for this type of rule does not offer handling options, but does provide necessary information. The user needs to know that the transmission "failed". In addition, the user should learn from the event, and change the behavior that caused the incident.

Notifying Data Owners

DLP can send automatic messages to Data Owners if an incident occurs involving a Data Type over which the Data Owners have responsibility.

To configure Data Owner notification:

In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.
SmartDashboard opens and shows the DLP tab.
Define the data owners of the Data Type.
From the navigation tree, click Policy.
Right-click the Track column of the rule and select Email.
The Email Notification window opens.
Click When data is matched, send an email to the following recipients.
Data Owners is selected by default.
For additional email recipients, click Add and select the user.
Configure the email text that is sent, select one of these options:
- Use the default text - The Check Point Data Loss Prevention system has found traffic which matches a rule.
- Customize - Enter the email text
Click OK.
Click Save and then close SmartDashboard.
From SmartConsole, Install Policy.

Notifying Users

While users are becoming familiar with the Organization Guidelines enforced by the DLP gateway, take advantage of the self-education tools. The vast majority of data leaks are unintentional, so automatic explanations or reminders when a rule is broken should significantly improve user leaks over a relatively short amount of time.

You can set rules of the Data Loss Prevention policy to Inform User - the user receives the automatic explanation about why this data is protected from leakage - but for now, the traffic is passed, ensuring minimal disruption.

You can also set rules to ask the user what should be done about captured data - send it on or delete it.

To configure user notification:

Open Data Loss Prevention > Policy.
In the Action column of the rule to change, right-click and select Inform User or Ask User.

Customizing Notifications for Users

Notifications sent to users can be customized to match your organizational culture and needs. It is important to maintain an impersonal and nonjudgmental format. While handling an incident:

Focus on the issue.
Focus on helping users change future behavior.

In the notification, the user may see:

The data as an attachment (if an email).
A subject/title that lets the user know this incident should be handled quickly.
If the data was a zip file, the email lists the zipped files and explains why they should not be transmitted.
Explanation of what is being done. For example:
The message is being held until further action.
Best Practice - Explain that the data may be read by others, for the protection of organization-wide data or legal compliance.
Links to the Self Incident-Handling Portal, to continue, discard, or review the offending transmission.
Link to the corporate information security guidelines.
The main body of the email explains the rule. For example:
The attached message, sent by you, is addressed to an external email address. Our Data Loss PreventionData Loss Prevention system determined that it may contain confidential information.

To include more information, add these fields:

Field	Description
Part name	Location of the data in violation: Email's Body or the name of the attachment
Rule name	Name of the rule that matched the transmission
Data objects	Name of the Data Types that represent matched data in the transmission

The next fields are applied to emails that match Unintentional Recipient or External BCC rules.

Field	Description
Internal Recipients Number	Number of intended destinations inside My Organization
External Recipient	List of external addresses (user@domain.com) in the destination

Customizing Notifications to Data Owners

To change the text of a notification to Data Owners:

In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.
SmartDashboard opens and shows the DLP tab.
From the navigation tree, click Policy.
Right-click in the Track column of a rule and select Email.
The Email window opens.
Click Customize and enter the text for the email message.
Click OK.
Click Save and then close SmartDashboard.
From SmartConsole, Install Policy.

Customizing Notifications for Self-Handling

To change the text of a notification to users to handle an incident:

In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.
SmartDashboard opens and shows the DLP tab.
From the navigation tree, click Policy.
Right-click in the Action column of a rule and select Edit Rule Notification.
To notify the user and pass the data, change the action to Inform User.
In the window that opens, change the text with your own message to fit the rule. You can use text or variables.
Click OK.
Click Save and then close SmartDashboard.
From SmartConsole, Install Policy.

Setting Rules to Ask User

Important - The mail server must be able to act as a mail relay. This allows users to release (Send) emails that DLP captured on Ask User rules. The mail server must be configured to trust the DLP gateway.

To set a rule to ask user:

In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.
SmartDashboard opens and shows the DLP tab.
From the navigation tree, click Policy.
Right-click in the Action column of the rule and select Ask User.
Ask User rules depend on the users getting notification and having options to either Send or Discard a message. Before you install a policy with new Ask User rules, make sure the DLP gateway is set up for Ask User options.
Click Save and then close SmartDashboard.
From SmartConsole, Install Policy.

To set up the gateway for Ask User rules:

In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
The gateway window opens and shows the General Properties page.
From the navigation tree, click Data Loss Prevention.
In the DLP Portal area, select Activate DLP Portal for Self Incident Handling.
From the navigation tree, click Data Loss Prevention > Mail Server.
Select the mail server that the DLP gateway will use to send notification emails.
Click OK.
Install Policy.

DLP Portal

The focus of Check Point Data Loss Prevention is user-led handling of incidents that match the rules you have created. If a user attempts to send data that should not be transmitted outside the organization, a notification is sent to the user. This email or alert includes a link to the Self Incident-Handling portal. From here, the user can explain why the email should be sent; or now realizing the importance of not sending the email, choose to discard it.

This unique method of self-education for Data Loss Prevention reduces prevalent leakage from unintentional violations of the rules. This solution also reduces the cost of ownership. Your users, and your analysis of their usage, become the experts that lead your Data Loss Prevention configurations, rather than the much more time- and resource-consuming solutions of calling in an outside expert.

The DLP portal is a Web portal that is hosted on the DLP Security Gateway. The SmartConsole administrator configures the DLP Portal URL in the Data Loss Prevention Wizard. By default, the URL is https://<Gateway IP>/dlp. The administrator can change the URL in the Data Loss Prevention page of the Security Gateway that is enforcing DLP.

What Users See and Do

When a data transmission matches a rule with notification, the user receives an email, which contains a link to the Self Incident-Handling Portal.

The Portal explains that decisions are logged.

If the user chooses to continue the transmission, they have the opportunity to explain why it should be sent before the action is completed.
If the user chooses to discard the transmission, DLP deletes the transmission immediately.
If the user wants to review the transmission before deciding, they will see the reasons why it was captured and have the links again to send or discard it.
The user can log into the Portal and view all UserCheck emails that were not yet handled. To see all the emails, the user clicks the login link in the Portal and gives authentication.

How Users Log in to the Self Incident-Handling Portal

Users can log into the portal in one of these ways:

Click a link in the DLP notification email
Browse directly to the DLP Portal URL. The default URL is:
https://<Gateway IP>/dlp
Right-click the UserCheck agent icon in the Task Bar notification area and select Review DLP notifications.

Unhandled UserCheck Incidents

When data is captured by an Ask User rule, the data itself is stored in a safe area of the DLP gateway. It stays there until the user decides to send or discard it.

If the user does not make a decision in less than the given interval, the incident expires and the data is automatically discarded. By default, time for handling incidents is 7 days. If a user is out of the office or cannot handle the incident for some other reason, an administrator can take care of it. The administrator must have full permissions or the View/Release/Discard DLP messages permission. Then, from the Logs & Monitor Logs view the administrator can send or discard the incident. Notification is sent to the user.

Three days before an unhandled incident expires, a new notification email is sent to the user. Then an email is sent at daily intervals, until the user/administrator takes care of it.

Expired incidents are logged in the Logs & Monitor Logs view. See DLP Blade > Blocked, where the Action of logged incidents is Quarantine Expired.

Managing Incidents by Replying to Emails

Users can handle their incidents by replying to notification emails without entering the portal. This option is not allowed by default.

To allow users to manage incidents by replying to emails:

In SmartConsole, click Gateways & Servers and double-click the Security Gateway.
The gateway window opens and shows the General Properties page.
From the navigation tree, click Data Loss Prevention.
In the Reply by Email section, click Allow users to manage their incidents by replying to the notification emails.
Click OK.
Install Policy.

UserCheck Notifications

If you configure and install the UserCheck client on user machines, popup notifications show in the notification area. These popups show the same information as email notifications.

If the incident is in Ask User mode, the popups contain Send, Discard, and Cancel links. Users can handle the incidents directly from UserCheck, without going to the DLP Portal.

If users click Cancel, they can handle the incident at a later time from their email or the Self Incident-Handling Portal.

Managing Rules in Ask User

You can audit the incident and the decisions that the user makes in the portal. With this information, you can quickly understand which rules should be made more specific, where exceptions are needed, and if a rule should be set to Prevent. Your users become the information security experts, simply by using the Portal.

To review these actions:

In SmartConsole, select SmartConsole > SmartView Tracker.
In the Network & Endpoint tab, select Predefined > Data Loss Prevention Blade.
Click the All query.
Click entries with Ask User in the Action column for the log record.
See the decision made in the User Response field.

Learning Mode

To configure learning mode for email threads, HTTP posts, or FTP uploads:

In SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.
SmartDashboard opens and shows the DLP tab.
From the navigation tree, click Additional Settings > Advanced.

In the Learn User Actions section, select the applicable options:

Email - When you select this checkbox, the user makes one decision for a complete thread, and that decision is applied to all messages of the same thread. When you clear this checkbox, the user is informed of all messages that match a DLP rule, even if a message is matched on carried-over text of an older message. The checkbox is cleared by default. When DLP scans Exchange emails, learning mode is also applied to Exchange traffic.
Web - When you select this checkbox, the user makes one decision for a post to a site, and that decision is applied to all posts that contain content from a previous post within 12 hours. When you clear this checkbox, the user is informed of all posts that match a DLP rule, even if a post is matched on carried-over text of an older post. The checkbox is selected by default. When HTTPS Inspection is enabled, learning mode is also applied to HTTPS posts.

FTP - When you select this checkbox, the user makes one decision for FTP uploads, and that is decision is applied to all uploads with 12 hours. When you clear this checkbox, the user is informed of all uploads that match a DLP rule, even if an upload is matched on carried over content of an older upload. This checkbox is cleared by default.

Note - For Web violations, turning off Learn User Actions disables the Send and Discard buttons in the UserCheck portal. Users can only close the portal. Suspected data is not posted to the site.