Communicating with Data Owners
Before installing the first policy, send an email to Data Owners:
- Explain the Data Owner responsibility for protecting data.
- Provide an example of automated notification and discuss corporate guidelines for responding to incidents.
- Ask the Data Owners to provide the Data Types that they want protected and any exceptions.
- Decide ahead of time what exceptions you do not want to allow. For example, you can create a corporate DLP guideline that no one sends protected data to home email addresses. Having organization-wide guidelines should prevent conflicts if a Data Owner makes a request that is not good business practice; you can direct the Data Owner to the guidelines, rather than rejecting the request personally.
You are responsible for finding a balance between notifying the Data Owner every time an incident occurs - which may overwhelm the person and reduce the effectiveness of the system - and failing to notify the Data Owner enough. The notification system must help Data Owners maintain control over their data and help resolve issues of possible leakage.
| Rule Action | Recommendation for Data Owner Notification |
|---|---|
| Detect | In general, you should not notify Data Owners for Detect rules. |
| Inform User | Sometimes Data Owners want to know what data is sent out, but are not ready to delay or prevent the transmission. Notification of these incidents depends on the needs of the Data Owners. |
| Ask User | The user handles these incidents in the Self Incident-Handling portal. Whether the Data Owner needs to be notified depends on the severity of the rule. |
| Prevent | Any rule that is severe enough to justify the immediate block of a transmission is often severe enough to justify notifying the Data Owner. |