Communicating with Users

Best Practice - Before you install the first policy, let all the users in the organization know how the DLP policy operates. Send an email with this information:

Declare the date that the policy was or will start to operate.
Let them know that the policy operates on emails, uploads, and web posts. Make sure to let users know that such transmissions can be captured and read by others if they violate DLP rules.
Let them know that each user is expected to respond to notifications, to handle incidents and to learn from the incident about the corporate policy. Perhaps include a screen shot of the Self Incident Handling Portal and give instructions on the options that users have. Let them know that administrators with permissions can send or discard quarantined transmissions. They will be notified by email when this occurs.
Give a link to the corporate policy.
Let them know that not abiding to specific rules will cause in result in notification to managers, containing the user's name and the type of data that was leaked.
Give the expiration time (default is 7 days) for incidents to be handled.

After installing the policy, you can set automatic notification (as part of each rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.) of incidents to users. This enforces the corporate guidelines and explains to the users what is happening and why, when this data is related.

When a user performs an action that matches a rule, DLP handles the communication and logging automatically.

Notification of DLP violations to users is an email or a pop-up from the tray client. It describes the un-allowed action and can include a link to the corporate guidelines and to the Self Incident-Handling portal. Other actions are based on the severity and action of the matched rule.

Rule Action	Recommended Communication
Detect	In general, you should not notify users for Detect rules.
Inform User	Transmissions are passed on Inform, but notifications at this stage help the user prepare for stricter rules later on.
Ask User	Communication is imperative in this type of rule. The user must decide how to handle the transmission. Notifications of Ask User incidents should include a link to the Portal, to allow the user to perform the appropriate handling option. The link to the corporate guidelines should also be included.
Prevent	An email for this type of rule does not offer handling options, but does provide necessary information. The user needs to know that the transmission "failed". In addition, the user should learn from the event, and change the behavior that caused the incident.