In This Section: |
To define data owners:
SmartDashboard opens and shows the DLP tab.
The properties window of the Data Type opens.
The Add Data Owners window opens.
Allow users to become familiar with the local guidelines for data transmission and protection. For example, corporate guidelines should ensure that your organization is compliant with legal standards (such as privacy laws) and protects intellectual property.
In particular, you must protect your organization from legal issues in companies and locations where employees are protected from having their emails opened by others. In most cases, if you tell your users that any email that violates a DLP rule will be captured and may be reviewed, you have fulfilled the requirements of the law.
You can include a link to the corporate guidelines in DLP notifications to users and to Data Owners.
When you have the corporate guidelines page ready, modify the DLP gateway to link directly to the corporate guidelines.
To modify a DLP gateway to link to your corporate guidelines:
corporate_info_link
parameter and change the value to be the URL of your corporate guidelines (format = http://www.example.com).Before installing the first policy, send an email to Data Owners:
You are responsible for finding a balance between notifying the Data Owner every time an incident occurs - which may overwhelm the person and reduce the effectiveness of the system - and failing to notify the Data Owner enough. The notification system must help Data Owners maintain control over their data and help resolve issues of possible leakage.
Rule Action |
Recommendation for Data Owner Notification |
---|---|
Detect |
In general, you should not notify Data Owners for Detect rules. |
Inform User |
Sometimes Data Owners want to know what data is sent out, but are not ready to delay or prevent the transmission. Notification of these incidents depends on the needs of the Data Owners. |
Ask User |
The user handles these incidents in the Self Incident-Handling portal. Whether the Data Owner needs to be notified depends on the severity of the rule and the preferences of the individual Data Owners. |
Prevent |
Any rule that is severe enough to justify the immediate block of a transmission, is often enough to justify the Data Owner being notified. |
Best Practice - Before you install the first policy, let all the users in the organization know how the DLP policy operates. Send an email with this information:
After installing the policy, you can set automatic notification (as part of each rule) of incidents to users. This enforces the corporate guidelines and explains to the users what is happening and why, when this data is related.
When a user performs an action that matches a rule, DLP handles the communication and logging automatically.
Notification of DLP violations to users is an email or a pop-up from the tray client. It describes the un-allowed action and can include a link to the corporate guidelines and to the Self Incident-Handling portal. Other actions are based on the severity and action of the matched rule.
Rule Action |
Recommended Communication |
---|---|
Detect |
In general, you should not notify users for Detect rules. |
Inform User |
Transmissions are passed on Inform, but notifications at this stage help the user prepare for stricter rules later on. |
Ask User |
Communication is imperative in this type of rule. The user must decide how to handle the transmission. Notifications of Ask User incidents should include a link to the Portal, to allow the user to perform the appropriate handling option. The link to the corporate guidelines should also be included. |
Prevent |
An email for this type of rule does not offer handling options, but does provide necessary information. The user needs to know that the transmission "failed". In addition, the user should learn from the event, and change the behavior that caused the incident. |
DLP can send automatic messages to Data Owners if an incident occurs involving a Data Type over which the Data Owners have responsibility.
To configure Data Owner notification:
SmartDashboard opens and shows the DLP tab.
The Email Notification window opens.
Data Owners is selected by default.
The Check Point Data Loss Prevention system has found traffic which matches a rule
.While users are becoming familiar with the Organization Guidelines enforced by the DLP gateway, take advantage of the self-education tools. The vast majority of data leaks are unintentional, so automatic explanations or reminders when a rule is broken should significantly improve user leaks over a relatively short amount of time.
You can set rules of the Data Loss Prevention policy to Inform User - the user receives the automatic explanation about why this data is protected from leakage - but for now, the traffic is passed, ensuring minimal disruption.
You can also set rules to ask the user what should be done about captured data - send it on or delete it.
To configure user notification:
Notifications sent to users can be customized to match your organizational culture and needs. It is important to maintain an impersonal and nonjudgmental format. While handling an incident:
In the notification, the user may see:
The message is being held until further action.
Best Practice - Explain that the data may be read by others, for the protection of organization-wide data or legal compliance.
The attached message, sent by you, is addressed to an external email address. Our Data Loss PreventionData Loss Prevention system determined that it may contain confidential information.
To include more information, add these fields:
Field |
Description |
---|---|
Part name |
Location of the data in violation: Email's Body or the name of the attachment |
Rule name |
Name of the rule that matched the transmission |
Data objects |
Name of the Data Types that represent matched data in the transmission |
The next fields are applied to emails that match Unintentional Recipient or External BCC rules.
Field |
Description |
---|---|
Internal Recipients Number |
Number of intended destinations inside My Organization |
External Recipient |
List of external addresses (user@domain.com) in the destination |
To change the text of a notification to Data Owners:
SmartDashboard opens and shows the DLP tab.
The Email window opens.
To change the text of a notification to users to handle an incident:
SmartDashboard opens and shows the DLP tab.
To notify the user and pass the data, change the action to Inform User.
Important - The mail server must be able to act as a mail relay. This allows users to release (Send) emails that DLP captured on Ask User rules. The mail server must be configured to trust the DLP gateway. |
To set a rule to ask user:
SmartDashboard opens and shows the DLP tab.
Ask User rules depend on the users getting notification and having options to either Send or Discard a message. Before you install a policy with new Ask User rules, make sure the DLP gateway is set up for Ask User options.
To set up the gateway for Ask User rules:
The gateway window opens and shows the General Properties page.
The focus of Check Point Data Loss Prevention is user-led handling of incidents that match the rules you have created. If a user attempts to send data that should not be transmitted outside the organization, a notification is sent to the user. This email or alert includes a link to the Self Incident-Handling portal. From here, the user can explain why the email should be sent; or now realizing the importance of not sending the email, choose to discard it.
This unique method of self-education for Data Loss Prevention reduces prevalent leakage from unintentional violations of the rules. This solution also reduces the cost of ownership. Your users, and your analysis of their usage, become the experts that lead your Data Loss Prevention configurations, rather than the much more time- and resource-consuming solutions of calling in an outside expert.
The DLP portal is a Web portal that is hosted on the DLP Security Gateway. The SmartConsole administrator configures the DLP Portal URL in the Data Loss Prevention Wizard. By default, the URL is https://<Gateway IP>/dlp
. The administrator can change the URL in the Data Loss Prevention page of the Security Gateway that is enforcing DLP.
When a data transmission matches a rule with notification, the user receives an email, which contains a link to the Self Incident-Handling Portal.
The Portal explains that decisions are logged.
How Users Log in to the Self Incident-Handling Portal
Users can log into the portal in one of these ways:
https://<Gateway IP>/dlp
When data is captured by an Ask User rule, the data itself is stored in a safe area of the DLP gateway. It stays there until the user decides to send or discard it.
If the user does not make a decision in less than the given interval, the incident expires and the data is automatically discarded. By default, time for handling incidents is 7 days. If a user is out of the office or cannot handle the incident for some other reason, an administrator can take care of it. The administrator must have full permissions or the View/Release/Discard DLP messages permission. Then, from the Logs & Monitor Logs view the administrator can send or discard the incident. Notification is sent to the user.
Three days before an unhandled incident expires, a new notification email is sent to the user. Then an email is sent at daily intervals, until the user/administrator takes care of it.
Expired incidents are logged in the Logs & Monitor Logs view. See DLP Blade > Blocked, where the Action of logged incidents is Quarantine Expired.
Users can handle their incidents by replying to notification emails without entering the portal. This option is not allowed by default.
To allow users to manage incidents by replying to emails:
The gateway window opens and shows the General Properties page.
If you configure and install the UserCheck client on user machines, popup notifications show in the notification area. These popups show the same information as email notifications.
If the incident is in Ask User mode, the popups contain Send, Discard, and Cancel links. Users can handle the incidents directly from UserCheck, without going to the DLP Portal.
If users click Cancel, they can handle the incident at a later time from their email or the Self Incident-Handling Portal.
You can audit the incident and the decisions that the user makes in the portal. With this information, you can quickly understand which rules should be made more specific, where exceptions are needed, and if a rule should be set to Prevent. Your users become the information security experts, simply by using the Portal.
To review these actions:
To configure learning mode for email threads, HTTP posts, or FTP uploads:
SmartDashboard opens and shows the DLP tab.
Note - For Web violations, turning off Learn User Actions disables the Send and Discard buttons in the UserCheck portal. Users can only close the portal. Suspected data is not posted to the site. |