Internal DLP Policy Rules

Here are examples of how to create different types of rules that define when to examine traffic in environments you configure with the Exchange Security Agent (see Configuring the Exchange Security Agent).

Scenario 1: I want DLP to examine financial reports sent by users in the Finance department to all internal users (other than Finance department users) and external users. How can I do this?

Scenario 2: How do I make sure that financial reports are not sent by users outside of the Finance department?

  1. Create another rule.

    This rule applies to all traffic sent by all users in the organization (including Finance department users) to any destination.

    • Data = Financial Reports

    • Source = My Organization

    • Destination = Any (the rule matches any destination, internal or external)

    • Action = Prevent

      Data               Source           Destination     Exceptions  Action
      Financial Reports  Finance_Dept     Outside Source  None        Ask User
      Financial Reports  My Organization  Any             1           Prevent

  2. To make sure there are no double matches for reports sent by Finance department users, add an exception to the rule (see Creating Exceptions).

    Without an exception, if a Finance department user sends a financial report to anyone, it matches the second rule (source=My Organization) and the first rule. When data matches more than one rule, the most restrictive action is applied and multiple logs are created. So without an exception, a financial report sent from a Finance department user is blocked because of the Prevent action in the second rule and there are multiple logs that audit the incident.

    Exception Rule:

    Data               Source        Destination  Protocol
    Financial Reports  Finance_Dept  Any          Any

To summarize the results of these two rules:

  • The Ask User action applies for financial reports that Finance department users send to all internal users other than Finance users.

  • The Ask User action applies for financial reports that Finance department users send to all external users.

  • The Prevent action applies for financial reports that any user outside the Finance department sends to any external or internal user.
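
The following is an added example, not part of the original documentation and not the product's matching engine: a simplified Python model of the two rules and the exception above, showing how the result and the number of matches change when the exception is removed. The user addresses are constructed, and the meaning of "Outside Source", the restrictiveness ordering and one log per matched rule are assumptions; the Protocol column is omitted because it is Any.

```python
# Simplified model of the two Scenario 2 rules; not the product's matching engine.
FINANCE = {"alice@corp.example", "bob@corp.example"}   # constructed users
ORG = FINANCE | {"carol@corp.example"}                  # constructed users
RANK = {"Ask User": 1, "Prevent": 2}  # assumed ordering: Prevent is the more restrictive

def in_group(user, group, rule_source=None):
    if group == "Any":
        return True
    if group == "Finance_Dept":
        return user in FINANCE
    if group == "My Organization":
        return user in ORG
    if group == "Outside Source":  # assumed meaning: not a member of the rule's Source
        return not in_group(user, rule_source)
    raise ValueError(f"unknown group: {group}")

def matches(entry, data, sender, recipient, rule_source):
    return (entry["data"] == data
            and in_group(sender, entry["source"])
            and in_group(recipient, entry["destination"], rule_source))

def build_rules(with_exception=True):
    exception = {"data": "Financial Reports", "source": "Finance_Dept", "destination": "Any"}
    return [
        {"data": "Financial Reports", "source": "Finance_Dept",
         "destination": "Outside Source", "exceptions": [], "action": "Ask User"},
        {"data": "Financial Reports", "source": "My Organization", "destination": "Any",
         "exceptions": [exception] if with_exception else [], "action": "Prevent"},
    ]

def evaluate(rules, data, sender, recipient):
    """Return (applied action, matched-rule count); one log per match is assumed."""
    hits = []
    for rule in rules:
        if not matches(rule, data, sender, recipient, rule["source"]):
            continue
        if any(matches(e, data, sender, recipient, rule["source"]) for e in rule["exceptions"]):
            continue  # an exception removes this rule from the match set
        hits.append(rule)
    if not hits:
        return None, 0
    return max((r["action"] for r in hits), key=RANK.get), len(hits)

if __name__ == "__main__":
    for label, rules in (("no exception", build_rules(False)), ("with exception", build_rules())):
        for sender, rcpt in (("alice@corp.example", "carol@corp.example"),
                             ("alice@corp.example", "partner@external.example"),
                             ("carol@corp.example", "alice@corp.example")):
            print(label, sender, "->", rcpt, evaluate(rules, "Financial Reports", sender, rcpt))
```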

Scenario 3: Financial reports can only be sent within the Finance department. A user who sends a financial report from outside the Finance department gets a notification and must decide what to do. How can I do this?

  1. Create a rule.

    • Data = Financial Reports

    • Source = My Organization

    • Destination = Any (the rule matches any destination, internal or external)

    • Action = Ask User

      Data               Source           Destination  Exceptions  Action
      Financial Reports  My Organization  Any          1           Ask User

  2. Add an exception that excludes reports sent from the Finance department to the Finance department.

    Data               Source        Destination   Protocol
    Financial Reports  Finance_Dept  Finance_Dept  Any