CA & DA legal exclusions

Created: 28 Oct 2013 • Updated: 18 Nov 2013 | 11 comments
This issue has been solved. See solution.

Good afternoon!  The topic has come up at my company before but no action was required previously.  Of course, the story has changed and now I need to fix things.

We have a legal department that would like all their emails excluded from searches, unless the search is being performed by certain individuals, so that the legal department emails remain strictly confidential and ensure that they are not accidentally captured or worse, exported.

In CA, I've set it up so certain departments synchronize with Active Directory groups.  Like most companies, employees in one department may also be members of another department - there are seldom any truly strict boundaries.  One of the departments I created in CA is "Legal" and it synchronizes with an Active Directory group that contains all the Legal employees at our company.  However, all those same employees are also members of a group called "The Whole Company" which synchronizes with the Active Directory group "Everyone" because it's possible that a CA search might need to include every employee at my company.

We do not currently synchronize with any Active Directory groups for DA - so, no custodians are set up.  We currently use all free-form addresses for searches in DA.

Maybe I need to eliminate "The Whole Company" group as part of the requested change but I'm a bit confused on the varying possibilities on accomplishing my goal.  I thought all I might need to do would be to establish a department partition that only contains the Active Directory group "Legal" and then their emails would not show up when searching any of the other departments.

Any input on what others have done would be extremely helpful.  I realize there may be more information needed in order to provide a helpful response, so I will provide additional information if I can.

We are currently running EV/CA/DA 10.4.

EV_Ajay's picture

Q : We have a legal department that would like all their emails excluded from searches, unless the search is being performed by certain individuals, so that the legal department emails remain strictly confidential and ensure that they are not accidentally captured or worse, exported.

Ans : From the DA point of view, you can unselect the Legal Department user archives at the application level, so those will never be captured in a DA search.

From the CA point of view, do not add those users in the “Monitored Employees” section at the Department level.  You can also exclude / unselect the Legal Department user archives at the application level.

Q: In CA, I've set it up so certain departments synchronize with Active Directory groups.  Like most companies, employees in one department may also be members of another department - there are seldom any truly strict boundaries.  One of the departments I created in CA is "Legal" and it synchronizes with an Active Directory group that contains all the Legal employees at our company.  However, all those same employees are also members of a group called "The Whole Company" which synchronizes with the Active Directory group "Everyone" because it's possible that a CA search might need to include every employee at my company.

Ans : I think for the Legal Department employees you can delete them from the “Monitored Employees” section at the Department level. Or the best way is to exclude their archives at the application level; then, if they belong to any department, the search will never capture them.

Thanks,

Ajay

Kenneth Adams's picture

Hello, BigAnvil;

The information EV_Ajay provided is correct to a point.  Some things that we need to know to provide a better set of answers to you are:

  1. Are you performing journal mailbox archiving?
  2. If you are performing journal mailbox archiving, then:
     • Do you have your legal users configured to be journal archived?
     • Do you have the Journal Connector installed on the EV server running the Journal Task?

Some of the reasons we need to know this information are:

  1. If you are archiving your journal mailbox (which is recommended for Compliance Accelerator and best results from DA searches), then the journal archive would very likely be selected to be searched in CA and DA.  Having this archive searched allows for finding ANY e-mails sent to or from journaled users.
  2. If the legal users are configured to be journaled, a copy of every e-mail they receive or send will be sent to the journal mailbox and archived to the journal archive, making them accessible to any CA or DA search that does not exclude those users.
  3. If the Journal Connector is installed, then CA searches will default to using the Department ID tag that is applied to each journal archived item.  The Department ID tags are determined by the Monitored Employees in each Department.  If the legal users are members of one or more Departments, their e-mail messages will be tagged based on their Department memberships.
  4. Random Sampling may be in use if the Journal Connector is installed, so any e-mails to or from the legal users that are configured to be journaled will be subject for inclusion in the Random Sampling review set of the Department or Departments in which they are Monitored Employees.

EV_Ajay's suggestion of unchecking the archives of the legal users is valid if you only search user mailbox archives with CA or DA.  However, if you do journaling AND the legal users are configured to be journaled, their e-mails WILL be searchable via CA and DA as journal archives are the primary source for e-mails.  Their selection as the primary source of e-mails is due to the fact that messages cannot be deleted from the Journal mailbox by any user who does not want his e-mails archived.  With user mailbox archiving, the user has time to delete items from the mailbox prior to the items being archived.

Your DA search criteria specification of user addresses is good, but can still return hits for any message sent between any legal user and the user whose address you've specified in the search criteria.  To exclude the legal users, you'd have to also exclude their addresses in the search criteria (place a minus sign immediately in front of the address to be excluded).  You could also implement Custodian Manager and create a legal users Custodian Group to use to specify in the exclusion, so you only have to exclude the CM Group and not the individual legal users.  Even with this, you would need to test some searches by capturing the search criteria and reviewing it to see if the individual legal users are listed to be excluded.

CA is trickier to configure to exclude users.  There is a known issue that is currently slated to be fixed in CA 10.0.4 CHF2 (subject to change) where exclusions of SMTP addresses in the Freeform address field do not work as expected.  Using the Freeform address field to list all of the legal users to be excluded is the only way to prevent e-mails to or from these users from being returned in searches.  That exclusion is not always working, so you can't currently rely on using the Freeform address field either at this time.

Please understand that CA is designed to not have ways to exclude e-mails as all need to be eligible for capture to ensure everyone is compliant to company policies.  Even if you make each legal user an Exception Employee, e-mails between them and other, non-legal users can still be captured in the non-legal users' Departments' review sets.

Ken Adams

Backline Support for CA, DA, ACE, UCE, PSTD, ARMS, EVDC
US Support Region

BigAnvil's picture

Thanks for all the information EV_Ajay and Kenneth!  I received further clarification since my last post - the Legal department only needs to be excluded from random sample searches, not targeted searches.

So, it sounds like I just need to make sure they are not being sampled within CA.  DA is obviously a different animal and is essentially for just targeted searches (though I know they can be scheduled, they are still targeted searches).

EV_Ajay's picture

Hi,

Very good information provided by Ken.

I think if you want to stop sampling of the Legal Department, then you need to remove those users from the Monitored Employees section. After that, the emails which have those employees will never be tagged by CA attributes and will never be captured in Random Sampling.

Thanks,

Ajay

Kenneth Adams's picture

While EV_Ajay is correct in that you need to deactivate those Legal Users within CA, you still have the possibility of messages between them and any other Monitored Employee showing up in a Department's review set.  This is due to the fact that the messages would still be tagged with the Department ID of the other Monitored Employees and are, therefore, eligible for Random Sampling in those Departments.

As you are on EV/CA/DA 10.0.4, your best bet to ensure e-mails to or from the legal folks are never sampled is to install Enterprise Vault Data Classification Service (EV-DCS) and have messages to or from those folks tagged with the exclusion tag.  With that exclusion tag in place, you can be assured that those items will never be sampled and can be excluded from most CA and DA searches.

Yes, EV-DCS is another expense and more servers that need to be implemented, and there are other ways to exclude such messages, but those other ways are more work in terms of the configuration of the search criteria used in CA and DA.  Your Symantec Account Manager should be able to help you obtain resources needed to better determine the best fit for your company's implementation of CA and DA.

I apologize for this post sounding like a sales pitch.  I just wanted you to have enough information to make an informed decision as to how to proceed.

Ken Adams

Backline Support for CA, DA, ACE, UCE, PSTD, ARMS, EVDC
US Support Region

SOLUTION
BigAnvil's picture

Thank you both for the excellent information!

I removed the Legal group completely from EV-CA but since some of the legal team are also members of a Department that includes everyone, I realize I need to remove them from there as well (that is the CA group that synchronizes with the AD group "Everyone").  My trouble is, when I click on that Department on the left, I see the department again on the right  - selectable so that it can be removed, obviously.

When I click on "Show Effective Monitoring Policy", I show all the employees who are members of that "Department", with no option to remove individual employees.  I take it the only way I can remove them would be to delete the "Department" and create new departments that do not Synchronize with the AD group "Everyone"?

This is such a complicated product to configure while still having employees added to monitoring automatically...The last thing we want to have to do is manually add new employees to monitoring groups after creating their AD account.  It's not at all uncommon here for employees to change AD memberships somewhat often...

BigAnvil's picture

I forgot to mention - not that it changes the suggestions provided - but, we're only interested in preventing sampling or searching of messages that are to or from legal department employees to protect privilege.  If they are simply in the CC or BCC field, privilege is not assumed and the emails should be OK to sample or search.

Kenneth Adams's picture

You should just deactivate your legal users in CA.  That way, they won't be sampled, but we'll still tag e-mails with the appropriate Department ID tags for any Department in which they are members.  Their e-mails would still be found in CA searches regardless of them being recipients in the To, Cc or Bcc fields.  We can't really restrict searching recipients to just the To field in CA.

In DA, you can use a Custom Attribute instead of the 'To' or 'To or From' selections to find e-mails only in the To field.  The Custom Attribute name you would need to use is reto.  Use recc to search for only recipients in the Cc field, or rbcc for only recipients in the Bcc field.

EV-DCS may be able to help you by tagging messages with legal team members in the To field to apply an exclusion tag.  That would allow you to automatically exclude messages directly to your legal team members from random sampling, but let messages sent to them as Cc or Bcc recipients still be included.  I've not tested this with EV-DCS, so I can't say for sure it would work, but it may be worth looking into.

Again, I apologize for this post sounding like a sales pitch. I just want to provide you with options that may be a good fit in your environment to solve this issue.

Ken Adams

Backline Support for CA, DA, ACE, UCE, PSTD, ARMS, EVDC
US Support Region
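
The To/From versus Cc/Bcc rule discussed in this thread, as an added example that is not part of the original posts and is not Symantec code: a stand-alone Python check that could be run over messages exported from a review set to confirm that nothing sent by, or addressed directly to, a legal user was sampled. The addresses, the helper names and the sample messages are all constructed for illustration, and the script does not use any EV, CA or DA interface.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed addresses standing in for the AD "Legal" group members.
LEGAL = {"counsel@example.com", "paralegal@example.com"}

def addresses(msg, *headers):
    """Lower-cased SMTP addresses found in the named headers."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def sampling_decision(raw, legal=LEGAL):
    """'exclude' if a legal address is the sender or a To recipient;
    'allow' otherwise, including when legal appears only on Cc/Bcc."""
    msg = message_from_string(raw)
    return "exclude" if addresses(msg, "From", "To") & legal else "allow"

def audit_review_set(raw_messages, legal=LEGAL):
    """Subjects of review-set messages that should have been excluded."""
    return [message_from_string(r)["Subject"] for r in raw_messages
            if sampling_decision(r, legal) == "exclude"]

def make(sender, to, subject, cc=None, bcc=None):
    """Build a constructed RFC 5322 message for the demonstration."""
    lines = [f"From: {sender}", f"To: {to}", f"Subject: {subject}"]
    if cc:
        lines.append(f"Cc: {cc}")
    if bcc:
        lines.append(f"Bcc: {bcc}")
    return "\n".join(lines) + "\n\nbody\n"

# Constructed sample review set (not real data).
SAMPLES = [
    make("alice@example.com", "Counsel <COUNSEL@example.com>", "Contract draft"),
    make("bob@example.com", "carol@example.com", "Status", cc="paralegal@example.com"),
    make("paralegal@example.com", "bob@example.com, carol@example.com", "Re: NDA"),
    make("bob@example.com", "carol@example.com", "FYI", bcc="counsel@example.com"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(sampling_decision(raw), message_from_string(raw)["Subject"])
    print("should not be in review set:", audit_review_set(SAMPLES))
```

Address matching is case-insensitive and ignores display names, so `Counsel <COUNSEL@example.com>` is treated the same as the bare address.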

EV_Ajay's picture

Hi,

As mentioned by Ken, it's not possible to restrict searching recipients to just the To field.

Thanks,

Ajay

EV_Ajay's picture

Hi,

If you have any queries, please write back to us. We will help you.

Thanks,

Ajay

BigAnvil's picture

I can start a new post if needed but figured I would try asking here first since it's relevant to the thread...

Is it just me, or is finding the actual DCS install more difficult than it should be?  When I search for EV DCS I typically come up with DLP.  So, does that mean the DCS product install is actually DLP or part of the DLP package?  I don't see a DCS installation or admin guide, just those same guides for DLP but when I read them, they are quite unclear.

Basically, I'm looking to find the install files for DCS and any related documentation.  Would someone mind offering a bit of guidance?  Thanks!!!

Hope everyone had a happy Thanksgiving.