Print Download PDF Send Feedback

Previous

Next

Data Owner and User Notifications

In This Section:

Defining Data Owners

Notifying Data Owners

Customizing Notifications to Data Owners

Customizing Notifications for Self-Handling

Setting Rules to Ask User

Managing Incidents by Replying to Emails

Learning Mode

Defining Data Owners

To define data owners:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Data Types.
  3. Double-click a Data Type in the list.

    The properties window of the Data Type opens.

  4. Click Data Owners.
  5. Click Add.

    The Add Data Owners window opens.

  6. Select the user or group who is responsible for this data.
  7. Add as many data owners as necessary.
  8. Click OK.
  9. Click Save and then close SmartDashboard.
  10. From R80 SmartConsole, install the policy.

Notifying Data Owners

DLP can send automatic messages to Data Owners if an incident occurs involving a Data Type over which the Data Owners have responsibility.

To configure Data Owner notification:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. Define the data owners of the Data Type.
  3. From the navigation tree, click Policy.
  4. Right-click the Track column of the rule and select Email.

    The Email Notification window opens.

  5. Click When data is matched, send an email to the following recipients.

    Data Owners is selected by default.

  6. For additional email recipients, click Add and select the user.
  7. Configure the email text that is sent, select one of these options:
    • Use the default text - The Check Point Data Loss Prevention system has found traffic which matches a rule.
    • Customize - Enter the email text
  8. Click OK.
  9. Click Save and then close SmartDashboard.
  10. From R80 SmartConsole, install the policy.

Customizing Notifications to Data Owners

To change the text of a notification to Data Owners:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Policy.
  3. Right-click in the Track column of a rule and select Email.

    The Email window opens.

  4. Click Customize and enter the text for the email message.
  5. Click OK.
  6. Click Save and then close SmartDashboard.
  7. From R80 SmartConsole, install the policy.

Customizing Notifications for Self-Handling

To change the text of a notification to users to handle an incident:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Policy.
  3. Right-click in the Action column of a rule and select Edit Rule Notification.

    To notify the user and pass the data, change the action to Inform User.

  4. In the window that opens, change the text with your own message to fit the rule. You can use text or variables.
  5. Click OK.
  6. Click Save and then close SmartDashboard.
  7. From R80 SmartConsole, install the policy.

Setting Rules to Ask User

Important - The mail server must be able to act as a mail relay. This allows users to release (Send) emails that DLP captured on Ask User rules. The mail server must be configured to trust the DLP gateway.

To set a rule to ask user:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Policy.
  3. Right-click in the Action column of the rule and select Ask User.

    Ask User rules depend on the users getting notification and having options to either Send or Discard a message. Before you install a policy with new Ask User rules, make sure the DLP gateway is set up for Ask User options.

  4. Click Save and then close SmartDashboard.
  5. From R80 SmartConsole, install the policy.

To set up the gateway for Ask User rules:

  1. In R80 SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Data Loss Prevention.
  3. In the DLP Portal area, select Activate DLP Portal for Self Incident Handling.
  4. From the navigation tree, click Data Loss Prevention > Mail Server.
  5. Select the mail server that the DLP gateway will use to send notification emails.
  6. Click OK.
  7. Install the policy.

Managing Incidents by Replying to Emails

Users can handle their incidents by replying to notification emails without entering the portal. This option is not allowed by default.

To allow users to manage incidents by replying to emails:

  1. In R80 SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Data Loss Prevention.
  3. In the Reply by Email section, click Allow users to manage their incidents by replying to the notification emails.
  4. Click OK.
  5. Publish the changes and install the policy.

Learning Mode

To configure learning mode for email threads, HTTP posts, or FTP uploads:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Additional Settings > Advanced.
  3. In the Learn User Actions section, select the applicable options:
    • Email - When you select this checkbox, the user makes one decision for a complete thread, and that decision is applied to all messages of the same thread. When you clear this checkbox, the user is informed of all messages that match a DLP rule, even if a message is matched on carried-over text of an older message. The checkbox is cleared by default. When DLP scans Exchange emails, learning mode is also applied to Exchange traffic.
    • Web - When you select this checkbox, the user makes one decision for a post to a site, and that decision is applied to all posts that contain content from a previous post within 12 hours. When you clear this checkbox, the user is informed of all posts that match a DLP rule, even if a post is matched on carried-over text of an older post. The checkbox is selected by default. When HTTPS Inspection is enabled, learning mode is also applied to HTTPS posts.
    • FTP - When you select this checkbox, the user makes one decision for FTP uploads, and that is decision is applied to all uploads with 12 hours. When you clear this checkbox, the user is informed of all uploads that match a DLP rule, even if an upload is matched on carried over content of an older upload. This checkbox is cleared by default.

      Note - For Web violations, turning off Learn User Actions disables the Send and Discard buttons in the UserCheck portal. Users can only close the portal. Suspected data is not posted to the site.

31 March 2016 © 2016 Check Point Software Technologies Ltd. All rights reserved.