DLP Self Incident-Handling Portal

The focus of Check Point Data Loss Prevention (DLP) is user-led handling of incidents that match the rules you have created. If a user attempts to send data that should not be transmitted outside the organization, a notification is sent to the user. This email or alert includes a link to the Self Incident-Handling portal. From here, the user can explain why the email should be sent or, now realizing the importance of not sending the email, select to discard it.

This unique method of self-education for Data Loss Prevention reduces prevalent leakage from unintentional violations of the rules. This solution also reduces the cost of ownership. Your users, and your analysis of their usage, become the experts that lead your Data Loss Prevention configurations, rather than the much more time- and resource-consuming solutions of calling in an outside expert.

The DLP Portal is a Web portal that is hosted on the DLP Security Gateway. The SmartConsole administrator configures the DLP Portal URL in the Data Loss Prevention Wizard. By default, the URL is https://<IP Address of Security Gateway>/dlp. The administrator can change the URL in the Data Loss Prevention page of the Security Gateway that is enforcing DLP.

What Users See and Do

When a data transmission matches a rule with notification, the user receives an email, which contains a link to the Self Incident-Handling Portal.

The Captive Portal explains that decisions are logged.

  • If the user selects to continue the transmission, they have the opportunity to explain why it should be sent before the action is completed.

  • If the user selects to discard the transmission, DLP deletes the transmission immediately.

  • If the user wants to review the transmission and then decide, the reasons why it was captured are shown, and the user sees the links again to send or discard it.

  • The user can log into the Portal and view all UserCheck emails that were not yet handled. To see all the emails, the user clicks the login link in the Portal and gives authentication.

How Users Log in to the Self Incident-Handling Portal

Users can log into the portal in one of these ways:

Unhandled UserCheck Incidents

When data is captured by an Ask User rule, the data itself is stored in a safe area of the DLP Gateway. It stays there until the user decides to send or discard it.

If the user does not make a decision within the given interval, the incident expires and the data is automatically discarded. By default, the time for handling incidents is 7 days. If a user is out of the office or cannot handle the incident for some other reason, an administrator can take care of it. The administrator must have full permissions or the View/Release/Discard DLP messages permission. Then, from the Logs & Monitor Logs view, the administrator can send or discard the incident. Notification is sent to the user.

Three days before an unhandled incident expires, a new notification email is sent to the user. Then an email is sent at daily intervals, until the user/administrator takes care of it.

Expired incidents are logged in the Logs & Monitor Logs view. See DLP Blade > Blocked, where the Action of logged incidents is Quarantine Expired. For more information, see UserCheck Notifications.
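
The handling timeline described above (7-day default, first reminder three days before expiry, then daily reminders), as an added example that is not Check Point code: it buckets unhandled incidents so an administrator can see which ones need action on a user's behalf. The `Incident` fields and the sample records are constructed, and the code assumes no reminder is sent at the moment of expiry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

HANDLING_DAYS = 7        # default handling interval stated on this page
REMINDER_LEAD_DAYS = 3   # first reminder goes out this long before expiry

@dataclass
class Incident:
    incident_id: str       # hypothetical identifier, not a Check Point log field
    user: str
    captured_at: datetime  # when the Ask User rule captured the data
    handled: bool = False  # True once the user or an administrator sent/discarded it

def expiry(inc, handling_days=HANDLING_DAYS):
    return inc.captured_at + timedelta(days=handling_days)

def reminder_times(inc, handling_days=HANDLING_DAYS):
    # First reminder three days before expiry, then daily (assumed: none at expiry).
    end = expiry(inc, handling_days)
    t, times = max(end - timedelta(days=REMINDER_LEAD_DAYS), inc.captured_at), []
    while t < end:
        times.append(t)
        t += timedelta(days=1)
    return times

def triage(incidents, now, handling_days=HANDLING_DAYS):
    # Bucket unhandled incidents, soonest expiry first.
    result = {"expired": [], "reminder_window": [], "pending": []}
    lead = timedelta(days=REMINDER_LEAD_DAYS)
    for inc in sorted(incidents, key=lambda i: expiry(i, handling_days)):
        if inc.handled:
            continue
        end = expiry(inc, handling_days)
        bucket = ("expired" if now >= end else
                  "reminder_window" if now >= end - lead else "pending")
        result[bucket].append(inc.incident_id)
    return result

# Constructed sample data for illustration only.
NOW = datetime(2024, 3, 10, 12, 0)
SAMPLE = [
    Incident("inc-1", "alice", datetime(2024, 3, 9, 9, 0)),
    Incident("inc-2", "bob", datetime(2024, 3, 5, 9, 0)),
    Incident("inc-3", "carol", datetime(2024, 3, 1, 9, 0)),
    Incident("inc-4", "dave", datetime(2024, 3, 4, 9, 0), handled=True),
]
if __name__ == "__main__":
    print(triage(SAMPLE, NOW))
```

Incidents in the `reminder_window` bucket are the ones an administrator with the View/Release/Discard DLP messages permission may need to handle if the user is unavailable.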