Assessment procedure for Symantec Data Loss Prevention Incidents

Article:HOWTO82595  |  Created: 2012-12-02  |  Updated: 2013-07-17  |  Article URL http://www.symantec.com/docs/HOWTO82595
Article Type
How To



SPC Enterprise ships with 20 predefined assessment procedures for assessing data loss incidents reported by Symantec DLP. The assessment procedures assess the following incident types:

  • Clipboard

  • Data At Rest

  • Network

  • Print Fax

  • File System

The following are examples of the assessment procedures for each category:

  • Credit Card Data Assessment Procedure

    This procedure evaluates data loss incidents related to loss of credit card information or payment data. The procedure evaluates whether any data loss incident fails against an asset. If an incident fails for any asset, then that asset is marked as failed for the assessment procedure.

    The expression for this assessment procedure is:

    [Data loss incident SPC status id = 2] AND [Data loss policy name = Payment Card Industry Data Security Standard].

  • Electronic Protected Health Information (ePHI) Assessment Procedure

    This procedure evaluates data loss incidents related to loss of healthcare-related confidential data. The procedure evaluates whether any data loss incident fails against an asset. If an incident fails for any asset, then that asset is marked as failed for the assessment procedure.

    The expression for this assessment procedure is:

    [Data loss policy name LIKE HIPAA] AND [Data loss incident SPC status id = 2].

  • North American Electric Reliability Corporation (NERC) Assessment Procedure

    This procedure evaluates data loss incidents according to the NERC Security Guidelines for Electric Utilities policy template for Symantec DLP. The procedure evaluates whether any data loss incident fails against an asset. If an incident fails for any asset, then that asset is marked as failed for the assessment procedure.

    The expression for this assessment procedure is:

    [Data loss incident SPC status id = 2] AND [Data loss policy name = NERC Security Guidelines for Electric Utilities].

  • Symantec Data Loss Prevention Policy Violation

    The procedure evaluates whether any data loss incident fails against an asset. If an incident fails for any asset, then that asset is marked as failed for the assessment procedure.

    For example:

    The procedure checks the incoming incident data for any incident against an asset where the SPC Status ID value is 2. If the SPC Status ID is 2, then that asset is marked Fail for the assessment procedure.

    • The SPC status ID 1 represents the Pass state.

      When a Symantec DLP status is mapped to the pass status in SPC, the value 1 is saved in the SPC Status ID field.

    • The SPC status ID 2 represents the Fail state.

      When a Symantec DLP status is mapped to the fail status in SPC, the value 2 is saved in the SPC Status ID field.

    The expression for this assessment procedure is:

    [Data loss incident SPC status id = 2] AND [Data loss policy name IS NOT NULL].
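
The following sketch is an added example, not SPC or Symantec DLP code. It applies the four expressions above to constructed incident records and collects, per procedure, the assets that would be marked as failed. The field names, the sample data, and the reading of LIKE as a case-insensitive substring match are assumptions.

```python
# Added illustration; field names and LIKE semantics are assumptions, not SPC's implementation.
from collections import namedtuple

Incident = namedtuple("Incident", "asset policy_name spc_status_id")

FAIL = 2  # SPC status ID 2 = Fail, 1 = Pass (as stated in the article)

def like(value, pattern):
    # Assumption: LIKE is treated as a case-insensitive substring match.
    return value is not None and pattern.lower() in value.lower()

# One predicate per assessment procedure, mirroring the article's expressions.
PROCEDURES = {
    "Credit Card Data": lambda i: i.spc_status_id == FAIL
        and i.policy_name == "Payment Card Industry Data Security Standard",
    "ePHI": lambda i: like(i.policy_name, "HIPAA") and i.spc_status_id == FAIL,
    "NERC": lambda i: i.spc_status_id == FAIL
        and i.policy_name == "NERC Security Guidelines for Electric Utilities",
    "Policy Violation": lambda i: i.spc_status_id == FAIL
        and i.policy_name is not None,
}

def failed_assets(incidents):
    """Return {procedure: set of assets with at least one matching incident}."""
    result = {name: set() for name in PROCEDURES}
    for inc in incidents:
        for name, expr in PROCEDURES.items():
            if expr(inc):
                # A single failing incident is enough to fail the asset.
                result[name].add(inc.asset)
    return result

# Constructed sample incidents (hypothetical assets and a made-up HIPAA policy name).
SAMPLE = [
    Incident("srv-01", "Payment Card Industry Data Security Standard", 2),
    Incident("srv-01", "Payment Card Industry Data Security Standard", 1),
    Incident("srv-02", "Custom HIPAA Policy", 2),
    Incident("srv-03", "NERC Security Guidelines for Electric Utilities", 1),
    Incident("srv-04", None, 2),  # Fail status but no policy name
]

if __name__ == "__main__":
    for name, assets in failed_assets(SAMPLE).items():
        print(f"{name}: failed assets = {sorted(assets)}")
```

In this sample, srv-01 fails even though one of its incidents has status 1, and srv-04 is not failed by the generic procedure because its policy name is null.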


Legacy ID



v74736040_v82334133

