The My Organization page shows what DLP recognizes as data movement in the internal network (where data leakage is not an issue) and what is external (where data transmission must be monitored).
By default, My Organization includes all hosts and networks that are behind the internal interfaces of the DLP gateway. My Organization also includes specific users, user groups, and all users in the LDAP groups defined in the Security Management Server.
Note - The SmartConsole must be in the Active Directory domain to take advantage of the LDAP User List features.
My Organization Definitions:
You define the DLP internal domains and specific email addresses that are included in My Organization. You can add domains to include your remote offices and branch offices as part of the definition of what is My Organization.
Important - If your organization uses cloud servers, you should not add them. The technology governing cloud servers makes them inherently insecure, taking the control of your data away from your administration and giving it to a third party. It is recommended to detect all sensitive data sent to and from cloud servers, rather than to trust a service provider to make sure that other clients do not have access to your data.
Add email addresses to include those that are safe for general data sharing. You should not add the private email addresses of any employees or managers. Taking home confidential data is a bad practice that you should discourage and eventually prevent.
Notes about Domains:
If you add a domain such as example.com, email addresses in its sub-domains, such as jsmith@uk.example.com, are also considered part of My Organization.
Important - Do not remove the default domain definition. You must have a domain in the My Organization definition, or an LDAP server defined. If you do not have the domain defined (either by Email Address Domain or LDAP Account Unit) for My Organization, DLP will not scan emails.
To add domains and email addresses to My Organization:
Most organizations use an external LDAP server (for example, Active Directory) to manage users and user groups.
You can define an internal user account to use as a source or destination in the Rule Base when:
You can add accounts for individual users from the Data Loss Prevention tab in SmartConsole.
To define user accounts as internal users:
The User Properties window opens.
The most important field is the email address. This lets DLP recognize the user for email scans.
The user is added to the other Software Blades managed by SmartConsole.
DLP may require different user groups than those in the LDAP server. For example, you may want a group for new employees, whose rules are set to Ask User rather than Prevent, to give them time to become familiar with the organization guidelines. You may also want a group for temporary employees or terminating employees, to give them stricter rules.
To define user groups:
The Group Properties window opens.
If the default option for the Users area is selected (Users, user groups and LDAP groups defined in the Security Management Server), you can define exclusions to this definition of My Organization.
For example, you can exclude the CEO. This lets the CEO send any data without having it scanned.
To exclude users from My Organization:
The User groups and Users window opens.
By default, My Organization includes networks, network groups, and hosts that are defined as being behind the internal interface of the DLP gateway.
If you choose to define My Organization by naming specific networks or hosts, any internal networks or hosts that you did not name will not be considered internal by DLP.
Note - The networks and hosts must already be defined in the Objects Tree of SmartConsole.
To define specific networks and hosts:
In large sites it is often more efficient to define exclusions to the internal interfaces than to define the internal environment piece by piece.
If the default option in My Organization is selected (Anything behind the internal interfaces of my gateways), you can define exclusions to internal Networks.
Any network, network group, or host that you define as an exclusion will be recognized by Data Loss Prevention as Outside My Org. To scan data sent from these networks, you must change the default Source of rules from My Org to the network object.
To exclude networks from My Organization:
The Networks and Hosts window opens.
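The domain, email address, user exclusion and network exclusion rules above determine what DLP treats as inside or outside My Organization. The following is an added illustrative model of those rules, not Check Point code: the class name, field names and the sample definition at the bottom are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class MyOrganization:
    """Hypothetical model of the My Organization definition described on this page."""
    domains: set = field(default_factory=set)           # internal email domains
    email_addresses: set = field(default_factory=set)   # addresses safe for data sharing
    ldap_defined: bool = False                          # an LDAP Account Unit exists
    internal_networks: list = field(default_factory=list)  # behind internal interfaces
    excluded_networks: list = field(default_factory=list)  # treated as Outside My Org
    excluded_users: set = field(default_factory=set)       # e.g. the CEO, never scanned

    def scans_email(self) -> bool:
        # Without a domain or an LDAP Account Unit, DLP will not scan emails at all.
        return bool(self.domains) or self.ldap_defined

    def email_is_internal(self, address: str) -> bool:
        address = address.lower()
        if address in self.excluded_users:
            return False                     # excluded users are outside My Org
        if address in self.email_addresses:
            return True                      # explicitly added safe addresses
        domain = address.rsplit("@", 1)[-1]
        # A defined domain also covers its sub-domains: example.com includes uk.example.com.
        return any(domain == d or domain.endswith("." + d) for d in self.domains)

    def host_is_internal(self, ip: str) -> bool:
        addr = ip_address(ip)
        # Exclusions win: an excluded network is Outside My Org even if behind an internal interface.
        if any(addr in ip_network(n) for n in self.excluded_networks):
            return False
        return any(addr in ip_network(n) for n in self.internal_networks)


def sample_org() -> MyOrganization:
    # Constructed sample definition for demonstration only.
    return MyOrganization(
        domains={"example.com"},
        email_addresses={"partner@example.net"},
        internal_networks=["10.0.0.0/8"],
        excluded_networks=["10.99.0.0/16"],   # e.g. a guest segment behind an internal interface
        excluded_users={"ceo@example.com"},
    )
```

Traffic from an excluded network or user is not matched by rules whose Source is My Org, so a rule must name the network object explicitly to scan it.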
Remote Access VPN communities are supported in My Organization only in Office Mode.
To configure Office Mode for support of Remote Access communities:
The gateway window opens and shows the General Properties page.
To include VPN traffic in My Organization:
SmartDashboard opens and shows the DLP tab.
To discover VPNs known to DLP:
For an integrated DLP deployment, this is the DLP gateway itself. The protecting VPN gateway includes the IP address of the DLP gateway in its encryption domain.
The gateway window opens and shows the General Properties page.
The DLP gateway is aware of the VPN communities that are shown in this page.
To exclude VPNs from My Organization:
SmartDashboard opens and shows the DLP tab.
The VPN Communities window opens.
Ignore the VPNs that are not relevant to the protecting VPN gateway; they are excluded by default.