Protecting Documents by Template

Confidential and sensitive documents are often based on templates. A template specifies the headers, footers, seals, and formatting of related documents. This is what makes all court orders, for example, look the same.

You can create a Data Type Classification of data in a Check Point Security Policy for the Content Awareness Software Blade. that protects documents based on a specific template. You then add the Data Type to a rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. and connections that contain such a document are matched by the policy.

Important - When a template including images is attached to a DLP Template Data Type, the image file format is important. The file format used in the template must match the file format in the user document. If the file formats are different, the rule does not trigger a DLP response. For example, if the template contains a JPG image and the user document contains the image in GIF format, there is no DLP response.

Example:

To create a Data Type representation of documents based on a template:

1. In the Data TypeWizard, select Documents based on corporate template.

2. Click Next.

3. Browse to the template file on your system.

   This file does not have to be known as a template in the application: the template for the Data Type may be a *.doc file and does not have to be a *.dot file. Select any file that is a basic example of documents that might be sent.

4. Move the Similarity slider to determine how closely a document must match the given template to be considered protected.

   Best Practice - Set this slider quite low first. The higher it is, the less the rule catches. After you complete the wizard, send a test email with such a document, and check the Logs & Monitor Logs view to see if the document was caught. Slowly increase the Similarity level until the rule catches the documents you want. This is different for each template.

5. Click Next.

6. Click Finish.

7. To configure additional properties for the Data Type, select Configure additional Data Type properties.

   Property	Description
   Match empty templates	Select this option if you want DLP to match the Data Type on an empty template. An empty template is a template that is identical to the uploaded corporate template. If the option is not selected, an empty template is detected but the Data Type is not matched. The template is not considered confidential until it contains inserted private data. Note - the rule is bypassed for this document, but the document may still be matched by another DLP rule in the policy.
   Consider template's images	Incorporates a template's graphic images into the matching process. Including template images increases the similarity score calculated between the template and the examined document. The higher the score, the more accurate the match. Select this option if the graphic images used in a template document suggest that the document is confidential.

If you want to catch documents that match on different levels with different actions, make an alternative to slider tests.

Procedure:

1. Create a Data Type for the template. Set the slider to 10%.

2. In the Policy window, create a Detect rule that tracks the documents that match but does not stop them.

3. Create a second Data Type. Set the slider to 50%.

4. In the Policy window, create an Ask User rule that tracks the matching documents and holds the transmission until the user decides to send them or to delete because they are too sensitive.

5. Create a third Data Type. Set the slider to 90%.

6. In the Policy window, create a Prevent rule that tracks the matching documents and blocks the transmission.