Data Loss Prevention User Guide

Table of Contents

DataLock User Guide

Section 1 – Configuring Policies

1.1 Manage Alert Words

1.1.1 Viewing Alert Word Categories

1.1.2 Configuring Alert Word Categories

1.1.3 Adding Alert Words to Categories

1.1.4 Deleting Alert Words from Categories

1.2 Policy Management

1.2.1 Adding Policies

1.2.1.1 Policy Type

1.2.1.2 Condition

1.2.1.3 Alert Words

1.2.1.4 Group

1.2.1.5 Finalize the Policy

1.2.2 Editing Policies

1.2.3 Deleting Policies

1.2.4 Internal Emails

1.2.4.1 Select Action

1.2.4.2 Edit Internal Email Addresses

1.3 Group Management

1.3.1 Add Groups

1.3.2 Edit Groups

1.3.3 Delete Groups

1.3.4 Add Members

1.3.5 Edit Members

1.3.6 Delete Members

Section 2 – Policy Violations

2.1 Viewing Policy Violations

2.1.1 Grouping

2.1.2 Summary

2.1.3 Detail

2.1.4 Date and Advanced Filter

2.1.5 Exporting Violations

2.1.6 Deleting Violations

2.1.7 Printing Violations

2.1.8 Policy Violation Storage

2.2 Pending Violations/Overrides

Section 3 – Dashboard

3.1 Managing Dashboard Widgets

3.2 Data Loss Prevention Dashboard Widgets

3.3 Working with the Dashboard

3.3.1 Dashboard Date and Advanced Filter

3.3.2 Layout

3.3.3 Widget Formats

Section 4 – Account Settings

4.1 Account Information

4.1.1 Contact Information

4.1.2 Hotkey Sequence

4.2 User Access

4.2.1 Login Information (primary user)

4.2.2 Users

4.2.3 User Settings

4.2.3.1 Username

4.2.3.2 Role

4.2.3.3 Limiting Group

4.2.3.4 Password

4.2.3.5 Disable Web Login

4.2.3.6 Send Reminders

4.2.3.7 Allow Self Override and Linked Login

4.3 Recording & Blocking Options

4.4 Download/License Mgmt.

4.4.1 Inventory

4.4.2 Download/Install

4.4.3 License Management

4.5 Subscriptions

Section 5 – Help

5.1 Knowledge Base

5.2 Live Chat

5.3 Trouble Ticket System

Section 1 – Configuring Policies

There are three key components to the Data Loss Prevention (DLP) Service Module: managing alert words, policy management, and group management. Settings for each are found in the DLP section of your Interguard account.

1.1 Manage Alert Words

Alert words are the triggers for DLP. These are the items that DLP will look for when it scans data. You will need to compile a list of Alert Words that reflect the kind of data or activity you wish to block or monitor with DLP.

There are two kinds of alert words: words or phrases, and Regular Expressions. For words and phrases, DLP will match the specific word; if you enter a phrase, DLP will match only that unique phrase. Regular Expressions are algorithms that Awareness Technologies has created to match certain types of data based on format. A variety of Regular Expressions are available; credit card and Social Security numbers are a few examples. In simple terms, the Regular Expression identifies data as a credit card or Social Security number based on its algorithm.

Alert words are grouped in categories. An alert word category is a group of one or more individual alert word items. When you create DLP policies you will be adding the alert word categories you created to each policy.

1.1.1 Viewing Alert Word Categories

Expand the Settings section of your account by clicking on it. Select the ‘Alert Words’ item. The alert words contained in each category will be displayed. You need to select the category you want to view from the Category drop down menu. If you have not created any alert word categories, then nothing will be displayed.

1.1.2 Configuring Alert Word Categories

To create an alert word category, click the ‘Add’ link located to the right of the Category drop down menu. You will be prompted to enter a name for the category. When done, click ‘Ok’. Your new category will be displayed in the Category drop down menu.

To change the name of a category, select the desired category from the Category drop down menu, then click the ‘Edit’ link located to the right of the category. You will be prompted to enter a new name for the category. When done, click ‘Ok’. The new category name will be displayed in the Category drop down menu.

To delete a category, select the desired category from the Category drop down menu then click the ‘Delete’ link located to the right of the category. The category will be deleted. Please note that if the Alert Word category is being used in one of your account settings (such as a DLP Policy), you will not be able to delete it. It will need to be removed from the setting first.

1.1.3 Adding Alert Words to Categories

Select the desired category from the Category drop down menu. If it is a new category, it will be empty. To add an alert word, click the ‘Add’ button located to the right of ‘Alert Words’. It will have a green check by it. You will be prompted to enter either a word or phrase, or to select a Regular Expression. Click ‘Ok’ when done.

The category will refresh, and you will see your new alert word displayed. A category can contain any combination of alert words or regular expressions. Having a larger category ultimately means your policy will be triggered by a larger range of activity.

1.1.4 Deleting Alert Words from Categories

Select the desired category from the Category drop down menu. The alert words and regular expressions contained in that category will be displayed. Select the desired alert word or regular expression then click the ‘Delete’ button located to the right of ‘Alert Words’. It has a red X by it. The word or regular expression will be removed.

1.2 Policy Management

Policies define how DLP will use your alert words to block or monitor. There are several options for policies.

1.2.1 Adding Policies

Policies are applied to groups of users or computers. You can create unique groups of users and computers so that you can apply different policies for different people. Please see section 1.3 on Group Management for more information on configuring groups.

Select the desired group from the drop down menu located to the right of ‘Groups’. If no groups have been configured you will only see an unassigned group. This is the default group that all users and computers are assigned to when the client software is installed.

Click the ‘Add’ button with the green check mark located to the right of ‘Policies’. This will start the Policy Wizard. There are several parameters you will need to configure. In the wizard you can move through the pages of selections by clicking the ‘Next’ and ‘Back’ buttons; you can also click the underlined items displayed in the ‘Step 2’ section of the Policy Wizard.

1.2.1.1 Policy Type

The following policy types are available:

  1. Email/Email Attachment:
    This will enforce your policy on email transmissions through Outlook or Webmail applications. You will be prompted to select an action that will trigger the policy; currently the only action available is when an email is sent.
  2. File – Removable Media:
    This will enforce your policy on files transferred or saved to a USB device.
  3. File – Disable Removable Media:
    This will create a policy that will disable all file transfers to a USB device. You will be prompted to restrict either ‘Write’ only or ‘Read and Write’.
  4. File – Data at Rest:
    This will enforce your policy in data at rest scans. Data at rest periodically scans the contents of the machine’s drive, looking for any files that match your policy.

1.2.1.2 Condition

You will need to select a Condition on all Policy Types except ‘File – Disable Removable media’.

  1. Content:
    This condition only applies to the ‘File – Removable media’ and ‘File – Data at Rest’ policy types. The policy will scan the content and name of the file.
  2. Body:
    This condition only applies to Email policy types. The policy will scan the Body of the email only.
  3. Subject:
    This condition only applies to Email policy types. The policy will scan the Subject of the email only.
  4. Recipients:
    This condition only applies to Email policy types. The policy will scan the Recipients of the email only.
  5. Attachments:
    This condition only applies to Email policy types. The policy will scan the Attachment of the email only.
  6. Body Or Subject:
    This condition only applies to Email policy types. The policy will scan both the body and subject of the email and will trigger if there is a violation in either.
  7. Body or Subject or Attachments:
    This condition only applies to Email policy types. The policy will scan the body, subject, and attachments and will trigger if there is a violation in any of the three.

1.2.1.3 Alert Words

You will need to select alert word categories to apply to the policy for all Policy Types except ‘File – Disable Removable media’. Please see section 1.1.2 for more information on configuring alert word categories.

You can add alert word categories by clicking the ‘Alert Words’ link located in the ‘Step 2’ portion of the wizard. All the alert word categories that you have configured will be displayed. Select the desired categories. Additionally, you will need to select the number of occurrences. This is the number of instances of an alert word that need to be contained in the data for the policy to consider that data a violation. For example, if you select ‘4’ for occurrences, then the policy will only consider data a violation if it contains four or more instances of your alert words. Click ‘Ok’ when done.

1.2.1.4 Group

On all policy types you will need to select a group of computers and users to apply the policy to. All the groups that you have configured will be displayed. Simply select the desired ones. If you have not configured any groups, there will only be one option called Unassigned. Please see section 1.3 on Group Management for more information about configuring groups.

1.2.1.5 Finalize the Policy

After you have configured the above options you will need to finalize the policy. You will be prompted to configure the following items:

  1. Name:
    Provide a name for the policy. If you opt to allow users to request overrides, this name will be displayed to the user when they are notified that they are in violation of your policy.
  2. Description:
    Enter a description for the policy. The description is there to help you keep track of your policies and their intended effects.
  3. Severity:
    Select a severity level. This is simply an organizational tool for you, so you can sort any violations by level of severity. It does not change the function of the policy.
  4. Overridable:
    If you select ‘Yes’ for ‘Overridable’, an option to request an override will be displayed to the end user when a violation occurs. Override requests will be sent to your Interguard account where you can view requests and opt to deny or request the override.
  5. Upload Context:
    If you select ‘Yes’ for ‘Upload Context’, DLP will upload a snapshot of just the portion of the data that triggered the policy.
  6. Upload Data:
    If you select ‘Yes’ for ‘Upload Data’, DLP will upload the entire data that triggered the policy to your account. You can download the data from your account at a later time.
  7. Report Only:
    If you select ‘Yes’ for ‘Report Only’, DLP will not block anything when a policy is triggered. Instead it will only report the violation to your account.

The Step 2 section of the wizard details the policy configuration. Click on any of the links to adjust the options you applied previously.

After you click ‘Finish’, the new policy will be added to your list of policies. It will generally be applied to the target computer within a few minutes. There are a few exceptions: if the target computer has limited resources or bandwidth at the time the policy was created, the new policy may take a bit longer to be applied. Additionally, if there are no users currently logged into Windows at the target computer, the new policy will be applied the next time a user logs into Windows.
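The following sketch is an added example, not Interguard code, showing how the Condition, occurrences and ‘Report Only’ settings above combine into an outcome for one email. The category contents, the SSN-style pattern, case-insensitive phrase matching and the per-field reading of ‘Body Or Subject’ are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed alert word category: one phrase and one format-based pattern.
# The SSN-style regex is an illustrative assumption, not the vendor's expression.
CATEGORY = {
    "phrases": ["project falcon"],
    "patterns": [re.compile(r"\b\d{3}-\d{2}-\d{4}\b")],
}

# Email fields scanned by each Condition (subset of section 1.2.1.2).
CONDITIONS = {
    "Body": ("body",),
    "Subject": ("subject",),
    "Body Or Subject": ("body", "subject"),
}

@dataclass
class Policy:
    name: str
    condition: str
    occurrences: int   # minimum alert word instances for a violation
    report_only: bool  # True: report the violation but do not block

def count_hits(text, category):
    """Count phrase instances (case-insensitive here) plus pattern matches."""
    lowered = text.lower()
    hits = sum(lowered.count(p.lower()) for p in category["phrases"])
    return hits + sum(len(rx.findall(text)) for rx in category["patterns"])

def evaluate(policy, email, category):
    """Return (action, hits); action is 'allow', 'report' or 'block'."""
    # Assumption: each scanned field is checked on its own, so the
    # threshold must be reached within a single field.
    hits = max(count_hits(email.get(f, ""), category)
               for f in CONDITIONS[policy.condition])
    if hits < policy.occurrences:
        return "allow", hits
    return ("report" if policy.report_only else "block"), hits

# Constructed sample message (values are made up).
SAMPLE = {"subject": "Project Falcon update",
          "body": "Employee IDs: 000-12-3456 and 000-98-7654"}

if __name__ == "__main__":
    for cond, n, ro in [("Body Or Subject", 2, False), ("Subject", 2, False),
                        ("Body", 2, True), ("Body Or Subject", 3, False)]:
        print(cond, n, ro, evaluate(Policy("demo", cond, n, ro), SAMPLE, CATEGORY))
```

Raising the occurrences value reduces false positives from a single stray match, but it also means a message carrying fewer instances than the threshold passes without a violation being recorded.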

1.2.2 Editing Policies

To edit a policy, select the desired policy and click the ‘Edit’ button with a blue ‘E’ located to the right of ‘Policies’. This will open up the Policy Wizard allowing you to change any of the options configured for that policy.

1.2.3 Deleting Policies

To delete a policy select the desired policy and click the ‘Delete’ button with a red ‘X’ located to the right of ‘Policies’. You will be prompted to confirm the deletion. The policy will be removed from your list of policies.

1.2.4 Internal Emails

The Internal Emails option allows emails sent to internal email addresses in your environment to be treated differently by DLP policies. To configure Internal Emails, click the ‘Internal Emails’ button with the envelope icon located to the right of ‘Policies’.

1.2.4.1 Select Action

The following actions are available:

  1. Do not enforce policies:
    This will configure DLP to completely ignore any email sent to an address you have configured as internal. Emails sent to non-internal addresses will be treated normally.
  2. Report violations but do not block:
    This will configure DLP to only report violations from emails sent to an address you have configured as internal. No emails sent to internal addresses will be blocked. Emails sent to non-internal addresses will be treated normally.
  3. Disable list and treat all email addresses as external:
    This is the default setting. It disables the Internal Email feature so DLP will treat all emails the same.

1.2.4.2 Edit Internal Email Addresses

You can populate a list of individual email addresses to be treated as internal by entering them in and clicking ‘Add’. Alternatively, if you only enter the domain portion of the email, leaving the field to the left of the ‘@’ symbol blank, all emails from that particular domain will be treated as internal. For example, if you enter ‘’ then only that specific email address will be treated as internal. If you enter only mycompany.com, all addresses from the mycompany.com domain will be treated as internal.

Clicking Finish will apply your Internal Email settings.
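The sketch below is an added example, not Interguard code, of the matching rule and the three actions described in section 1.2.4: full-address entries match one address, domain-only entries match every address at that exact domain. The mode names, the sample entries and the handling of messages with mixed internal and external recipients are assumptions.

```python
# Constructed internal list: one full address and one domain-only entry.
INTERNAL_ENTRIES = ["auditor@partner.example", "mycompany.com"]

def is_internal(address, entries):
    """True if the address matches a full-address entry or a domain entry."""
    addr = address.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not (sep and local and domain):
        return False  # malformed addresses are never treated as internal
    for entry in entries:
        e = entry.strip().lower()
        if "@" in e and not e.startswith("@"):
            if e == addr:              # full address: exact match only
                return True
        elif e.lstrip("@") == domain:  # domain entry: whole domain must be equal
            return True
    return False

def effective_action(policy_action, recipients, mode, entries):
    """Apply the Internal Emails action to a policy result.

    policy_action: 'allow', 'report' or 'block' from normal evaluation.
    mode: 'ignore', 'report_only' or 'disabled' (hypothetical names for the
          three actions listed in section 1.2.4.1).
    """
    # Assumption: a message counts as internal only when every recipient is
    # internal; one external recipient means it is treated normally.
    all_internal = bool(recipients) and all(is_internal(r, entries)
                                            for r in recipients)
    if mode == "disabled" or not all_internal:
        return policy_action
    if mode == "ignore":
        return "allow"
    if mode == "report_only":
        return "report" if policy_action == "block" else policy_action
    raise ValueError(f"unknown mode: {mode}")
```

Comparing the whole domain rather than a substring or suffix keeps addresses such as `bob@notmycompany.com` out of the internal list, which matters most under ‘Do not enforce policies’ because internal messages are then not scanned at all.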

1.3 Group Management

You can configure DLP to have different policies for different groups of people. This is accomplished through the Group Management section of DLP.

The computer names and user names detected by the Interguard client software are stored in your account. You can assign any of these usernames or entire computers as members to a group in your Interguard account. When you create DLP policies you can then assign these groups to each policy.

By default there is always one group in your account; it is called Unassigned. All computers and users start as members of the Unassigned group. If you would like to have different policies for different people, you will need to create additional groups, and then add the desired users or computers to the new groups.

1.3.1 Add Groups

When you navigate to the Group Management section of DLP, the Unassigned group is displayed by default. To add a new group click the ‘Add’ link located to the right of ‘Group’. You will be prompted to enter a name for the group. After clicking ‘Ok’, the new group will be displayed, and it will also be added to the dropdown menu located to the right of ‘Group’.

All newly created groups are empty, so you will need to add members. See section 1.3.4 for more information on adding members.

1.3.2 Edit Groups

You can change the name of a group by first selecting the desired group from the drop down menu located to the right of ‘Group’. Then click the ‘Edit’ link located to the right of ‘Group’. You will be prompted to enter a new name for the group. Clicking ‘Ok’ will change the name of the group.

1.3.3 Delete Groups

You can delete a group by first selecting the desired group from the drop down menu located to the right of ‘Group’. Then click the ‘Delete’ link located to the right of ‘Group’. You will be prompted to confirm that you want to delete the group. Click ‘Ok’ to continue or ‘Cancel’ to abort.

When you delete a group any members of that group will be placed into the unassigned group and the deleted group will be removed from all policies. This means that those users will now be under the effect of any policies that have been assigned to the Unassigned group.

1.3.4 Add Members

When you create a new group, you will need to add members. Additionally, you may want to move members to a different group; you can do this by adding them to the desired group.

To add a member, select the desired group from the drop down menu located to the right of ‘Group’. Then click the ‘Add’ button with the green check located to the right of ‘Members’. The Add Member Search tool will open. This tool will search all the computer and user names in your Interguard account.