Role of a DLP Administrator
DLP provides many auditing tools:
- Receive automatic notifications to data owners when transmission of protected data was attempted.
- Receive user notifications and self-handling portal.
- Track and log event details, charts, graphs, filtered lists, and reports from the Logs & Monitor view.
Before you begin your audit, configure your DLP policy.
Workflow to create and refine the DLP policy:
- Define Data Types.
- Configure out-of-the-box Data Loss Prevention with a basic policy.
  This policy provides strong detection capabilities from Day-1.
- Customize pre-defined Data Types to improve policy accuracy.
  Some provided Data Types are placeholders for dictionaries of proprietary information. These Data Types are flagged for your attention. Integrate your organization's data with your DLP policy to make it more accurate for your needs.
- Select Data Types.
  Become familiar with the wide range of provided Data Types. Enable and disable the rules in the DLP policy that suit your needs.
- Create your own Data Types with the easy-to-use wizard.
  Enforce confidentiality guidelines of your organization. Ensure that information belonging to Data Owners stays within their control. Enforce data protection by using your Data Types in DLP rules.
- Monitor incidents and communicate to data owners.
  The DLP Gateway catches attempted transmissions of protected data and logs incidents. You can see these incidents in the Logs & Monitor Logs view. You and the Data Owners specify which incidents require notification to the Data Owners. As you monitor the incidents, create guidelines to fine-tune the DLP policy.
- Refine the policy.
  When an email or FTP upload is held because it matches a rule in the Data Loss Prevention policy, it disrupts users. Sometimes this is the best preventative action, but in other situations it is unnecessary. Monitor user actions to see whether users agree that the data should not have been sent or that users have reasons for the transmissions.
- Maintain policy over time.
  Generate Data Owner reports and audit user actions. Look at the logs that the Logs & Monitor Logs view provides and make sure the DLP policy works smoothly and prevents transmission of protected data.
DLP Permissions for Administrator Accounts
You can assign a DLP administrator full DLP permissions or a subset of permissions.
With full permissions, a DLP administrator can:
- See all fields of the logs in the Logs & Monitor Logs view.
- See the captured data (the actual email, FTP files and HTTP posts).
- Send or discard quarantined user emails.
An alternative to assigning a full set of permissions is to configure a subset. This gives you the flexibility to assign only some of the permissions. For example, permissions to only see the fields of the logs but not to see the captured data or send or discard quarantined emails.
Configuring Full DLP Permissions
To configure full permissions:
- In SmartConsole, select Manage & Settings > Permissions & Administrators.
- Double-click the administrator account or click New to create a new administrator user account.
  The Administrator Properties window opens, and shows the General page.
- In Permission Profile, click the drop-down menu and then click New.
  The Permissions Profile Properties window opens.
- In Enter Object Name, enter the name for the DLP admin profile.
- Make sure Read/Write All is selected.
- From the navigation tree, click Monitoring and Logging.
- Select these options:
  - DLP logs including confidential fields
  - View/Release/Discard DLP messages
- Click OK.
- Close the administrator window.
- Publish the SmartConsole session.
Configuring a Subset of Permissions
To configure a subset of permissions for the DLP administrator:
- In SmartConsole, select Manage & Settings > Permissions & Administrators.
- Double-click the administrator account or click New to create a new administrator user account.
  The Administrator Properties window opens, and shows the General page.
- In Permission Profile, click the drop-down menu and then click New.
  The Permissions Profile Properties window opens.
- In Enter Object Name, enter the name for the DLP admin profile.
- Select Customized and click Edit.
- From the navigation tree, click Access Control.
- In the Additional Policies section, configure Read or Write permissions for Data Loss Prevention.
- From the navigation tree, click Monitoring and Logging.
- Select one or more of these options:
  - DLP Logs including confidential fields - Permissions to view all fields of DLP logs in the Logs & Monitor Logs view. When this check box is cleared, an administrator sees the text "**** Confidential ****" and not the actual content of fields defined as confidential.
  - View/Release/Discard DLP messages - Permissions to view emails and related incidents from within the Logs & Monitor Logs view. With this permission, administrators can also release (send) or discard quarantined emails from within the Logs & Monitor Logs view.
  Note - If you select all of these options with Write permissions, the administrator has full DLP permissions.
- Click OK.
- Close the administrator window.
- Publish the SmartConsole session.