Frequently Asked Questions (FAQ)

Endpoint DLP Data Classification

What are data rules?

Data rules are a set of criteria that is configured by the admin to find specific types of sensitive data. The data rules can be created using pre-defined templates or customizable templates using mechanism such as RegEx, Document Matching, keyword search. During the data discovery process, the agent will comb through the endpoint and find any sensitive data that matches the data rule deployed for that policy.

When to use pre-defined templates?

For common types of sensitive documents such as PII, Health, Finance, Source Code etc. you can browse and select a template according to countries.

When to use custom templates?

To find sensitive documents specific to your organization or circumstance, you can use custom templates to determine the criteria that a document would have to match to be considered as sensitive. Endpoint DLP supports custom rules using RegEx, keyword matching, document matching and file extensions.

What happens when multiple policies are deployed to the same endpoint?

The last deployed policy takes effect for that endpoint. You can check what policy is currently active under the managed systems by drilling down into the system's view.

When to use RegEx?

When sensitive data can be detected by the presence of a specific pattern/string in a file, RegEx patterns are utilized. These patterns can be predicted and then searched for in order to identify a match.

When to use keyword search to find documents?

Keyword search is used to seek for specific keywords in a document that could make it sensitive and thus inappropriate for transfer outside the organization.

When to use document matching to detect sensitive documents?

Document Matching is a preferred technique over RegEx in cases where sensitive data cannot by identified by an exact match but may be detected by identifying similar templates and analyzing their match percentage.

What are enterprise boundaries and how are they defined?

Boundary definition refers to restrictions that the admin can configure which dictate the boundaries within which a particular type of sensitive data can be processed. The boundaries include email, miscellaneous cloud web applications, peripheral devices etc.

What is the meaning of occurrence count in regex rules?

Occurrence count in a RegEx rule refers to the minimum number of times a pattern has to occur for it to be considered sensitive. For example, if a pattern's occurrence count is 2, the file can be considered sensitive if the pattern appears two or more times.

What is the difference between keyword matching and document matching?

While keyword matching focuses on identifying specific keywords that are considered sensitive in the document, document matching compares the overall similarity of the provided document to the format that is considered sensitive.

What is "match percentage" in document matching?

The percentage of accuracy at which the submitted document can be considered comparable to the sensitive template is referred to as the match percentage in document matching. Increasing the match percentage required to classify a document as sensitive can help improve detection accuracy and reduce false positives.

What is data leakage prevention for "content-based classification"?

Configuring data leakage prevention policies depends on the type of classification opted to classify a file as sensitive. They are: content-based and context-based classification.
Marking a file as sensitive when the file contents matches a RegEx pattern or a keyword/document is content-based classification.
Context-based classification classifies a file as sensitive, based on the file properties (password-protected or file extension-based) and the nature of the file origin (a file downloaded from an enterprise-marked application).

Which files with Embedded Objects will be scanned?

The agent will scan embedded files within .docx, .xlsx, and .pptx formats for sensitive data.

Endpoint DLP Policy Association & Deployment

What are false positives?

In a DLP solution, a false positive occurs when the solution indicates that a DLP policy has been violated even when it hasn't. A false positive can happen as a result of a data detection error or because the file's destination is not approved for sensitive file transfer.

What are business justifications?

End users may be required to send sensitive files outside the enterprise perimeter for official purposes. In such cases, they may be allowed to override the policy citing a suitable justification and proceed to transfer the files.

What are overrides and who should be allowed to implement them?

Override refers to the ability to carry through a DLP action despite the event of a false positive. Override permission should be granted to privileged users and users who frequently contact outside the organization.

What does "Audit Only" mean in DLP policy?

In "Audit mode", the sensitive files will be allowed to be transferred within and outside the enterprise perimeter. The enterprise perimeter defines the restrictions that the admin can configure to dictate the boundaries within which the sensitive data can be processed. However, only the files transferred outside the enterprise perimeter will be audited and can be viewed in the "DLP Sensitive Events Report". The report will give you insights on how to add/remove entries to your DLP Policy without affecting productivity. This applies to the policies of File Access, Email Client, File Upload, Removable Storage Devices, and Printing.

What does "Block within Trusted Applications" mean under Screen Capture?

Since the content given on screen cannot be scanned, they cannot be classified as sensitive data. So the data handled by "Trusted Applications" will be classified as sensitive and the "Block within Trusted Applications" option will restrict screen capture functionality within those applications.