Protecting Documents by Template

Confidential and sensitive documents are often based on templates. A template defines the headers, footers, seals, and formatting of related documents. This is what makes all court orders, for example, look the same.

You can create a Data TypeClosed Classification of data in a Check Point Security Policy for the Content Awareness Software Blade. that protects documents based on a specific template. You then add the Data Type to a ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. and connections that contain such a document are matched by the policy.

Important - When a template including images is attached to a DLP Template Data Type, the image file format is important. The file format used in the template must match the file format in the user document. If the file formats are different, the rule will not trigger a DLP response. For example, if the template contains a JPG image and the user document contains the image in GIF format, there is no DLP response.

Example:

To create a Data Type representation of documents based on a template:

  1. In the Data TypeWizard, select Documents based on corporate template.

  2. Click Next.

  3. Browse to the template file on your system.

    This file does not have to be known as a template in the application: the template for the Data Type may be a *.doc file and does not have to be a *.dot file. Choose any file that is a basic example of documents that might be sent.

  4. Move the Similarity slider to determine how closely a document must match the given template to be considered protected.

    Best Practice - Set this slider quite low first. The higher it is, the less the rule will catch. After you complete the wizard, send a test email with such a document, and check the Logs & Monitor Logs view to see if the document was caught. Slowly increase the Similarity level until the rule catches the documents you want. This will be different for each template.

  5. Click Next.

  6. Click Finish.

    To configure additional properties for the Data Type, select Configure additional Data Type properties clicking Finish.

    Property

    Description

    Match empty templates

    • Select this option if you want DLP to match the Data Type on an empty template. An empty template is a template that is identical to the uploaded corporate template.

    • If the option is not selected, an empty template is detected but the Data Type is not matched. The template is not considered confidential until it contains inserted private data.

      Note - the rule is bypassed for this document, but the document may still be matched by another DLP rule in the policy.

    Consider template's images

    • Incorporates a template's graphic images into the matching process. Including template images increases the similarity score calculated between the template and the examined document. The higher the score, the more accurate the match.

    • Select this option if the graphic images used in a template document suggest that the document is confidential.

Alternative to slider testing:

If you want to catch documents that match on different levels with different actions, you may try this procedure:

  1. Create the Data Type for the template, setting the slider to 10%.

  2. In the Policy window, create a Detect rule that tracks matching documents but does not stop them.

  3. Create another Data Type, just like the first, but set the slider to 50%.

  4. Create an Ask User rule that tracks matching documents and holds the transmission until the user decides whether it should be sent or is too sensitive and should be deleted.

  5. Create a third Data Type, with the slider set to 90%.

  6. Create a Prevent rule that tracks matching documents and blocks the transmission.