Video Screencast Help

Approach to Fine Tune DLP Policies

Created: 29 Sep 2011 • Updated: 29 Sep 2011
Language Translations
Denis Kattithara's picture
+4 4 Votes
Login to vote

Identify target areas

There are various categories of False Positives that may be generated, eg. Jokes, Celebrations, Festive wishes, Business process requirements etc. The most important aspect is to categorize prioritize these mails on the basis of their occurrence / volume.

 

Identify parameters for Fine tuning

There are various different parameters that may be present within a specific Target area, ie. Email addresses, Keywords etc. Below is an outline of what may be done for each of these parameters:

Email Addresses

Default policies like Competitor Communications etc, are likely to generate a significant amount of False Positives. The best approach to Fine tune these policies is to adapt the below approach:

  1. Identify Senders / Recipients generating a huge volume of Incidents. These may be identified via the correlations tab of the Incident or a spreadsheet report of Incidents.
  2. Contact the appropriate Business Unit to understand whether it is a part of the Business process to send / receive the related email.
  3. Add the white listed Senders / Recipients to the exceptions list of the policy.

Keywords

Keywords are the most important aspect that may be considered for exclusions / inclusions in a policy.

Once a Target area has been isolated, perform an analysis of the False Positives and False Negatives.  Identify keywords that are common amongst these Incidents, and categorize them in the following manner:

  • Keywords with occurrence of 90% or higher
  • Keywords with occurrence of 70% or higher
  • Keywords with occurrence of 50% or higher

These keywords will be  helpful for creating Match based Rules (with False Negative keywords) or Exceptions (with False Positive keywords)