Data Loss Prevention

  • 1.  Best Practices on Handling Internal Traffic

    Posted May 29, 2014 01:33 PM

    I have Symantec DLP 11.5 installed to monitor my hospital environment. Currently I am getting between 200,000 and 300,000 incidents a week. 85% of these incidents are generated by internal systems that do contain policy triggers (ePHI), for instance clinical systems.

    Do most other companies exclude internal traffic? The amount of incidents I am receiving makes it very difficult to search out the real incidents.

    Thoughts?



  • 2.  RE: Best Practices on Handling Internal Traffic

    Posted May 29, 2014 02:54 PM

    We only monitor data going outside our network; we do not monitor internal traffic at all. Our environment is not as strict as a hospital might be, though. We use other standard controls to restrict access to the various systems.

    For instance, only Finance employees can access the Finance department network shares. They can send any document, spreadsheet, or presentation from there, via email, to any other employee, or copy it to another network location, and we don't monitor them via DLP. There is no "data loss" to prevent. But if they, or the internal recipient, attempt to forward that document to a home email address, competitor, or anyone not in our domain, that's when we would care about it. That would be actual data loss, as far as we are concerned.



  • 3.  RE: Best Practices on Handling Internal Traffic

    Trusted Advisor
    Posted Jun 02, 2014 01:52 AM

    Hello,

    Usually people don't monitor internal traffic. It is not forbidden to do it, but usually it is not processed the same way (especially to avoid a huge amount of incidents that could not be processed).

    So what you can do is have some policies for internal communication and some for external communication. Then after that you can select which traffic has to be analyzed:

    - in your policy: implement an exclusion to remove unwanted traffic.

    - in your architecture: have two different detection servers, one for internal email and one for outbound email.

    Regards.



  • 4.  RE: Best Practices on Handling Internal Traffic

    Posted Jun 02, 2014 07:47 AM

    Exclude the genuine internal traffic by adding recipient mail to an exclusion, and use an IP filter for endpoint incidents for internal traffic flow.
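The approach described in replies 3 and 4 (suppress incidents whose recipients are all internal or whose destination IP is on the internal network, keep everything else for review), as an added example that is not part of the thread and not Symantec DLP code. The domain, the IP ranges and the incident records are constructed for illustration; a real integration would read exported incident data instead.

```python
import ipaddress

# Constructed definitions of "internal" (assumptions, not from the thread).
INTERNAL_DOMAINS = {"hospital.example"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample incidents in a simplified export format.
SAMPLE_INCIDENTS = [
    {"id": 1, "channel": "smtp", "recipients": ["nurse.b@hospital.example"]},
    {"id": 2, "channel": "smtp", "recipients": ["nurse.b@hospital.example",
                                                "someone@mail.example"]},
    {"id": 3, "channel": "endpoint", "dst_ip": "10.20.30.40"},
    {"id": 4, "channel": "endpoint", "dst_ip": "203.0.113.7"},
    {"id": 5, "channel": "smtp", "recipients": ["partner@Hospital.Example"]},
    {"id": 6, "channel": "endpoint", "dst_ip": "not-an-ip"},
]

def is_internal_address(addr):
    # Compare the domain part case-insensitively; no domain means not internal.
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return domain in INTERNAL_DOMAINS

def is_internal_ip(ip):
    try:
        address = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable destination: never treat as internal
    return any(address in net for net in INTERNAL_NETS)

def is_internal_only(incident):
    if incident["channel"] == "smtp":
        recipients = incident.get("recipients", [])
        # Every recipient must be internal; one external recipient keeps it.
        return bool(recipients) and all(is_internal_address(r) for r in recipients)
    if incident["channel"] == "endpoint":
        return is_internal_ip(incident.get("dst_ip", ""))
    return False  # unknown channel: keep for analyst review

def triage(incidents):
    """Split incidents into (kept for review, suppressed as internal-only)."""
    kept, suppressed = [], []
    for inc in incidents:
        (suppressed if is_internal_only(inc) else kept).append(inc)
    return kept, suppressed

def summary(incidents):
    kept, suppressed = triage(incidents)
    return {"kept": [i["id"] for i in kept],
            "suppressed": [i["id"] for i in suppressed],
            "suppressed_pct": round(100 * len(suppressed) / len(incidents), 1)}
```

Anything that fails to parse or has even one external recipient stays in the review queue, so the exclusion only ever removes traffic that is provably internal.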