Video Screencast Help

Do you handle every incident?

Created: 13 Feb 2013 | 5 comments

We are averaging about 80+ incidents per day. The only ones that we actually act on are the ones when people respond to the automatic email that is sent to them saying they have violated a policy.

If you do handle each one, what do you do? How do you go about presenting this to them? As I said, in our situation they are notified automatically.

The reason I ask is I feel like I am not doing enough with the tool (it is my sole responsibility at the moment).

Am I over thinking it? What else can I do to be productive with the tool?

Comments 5 CommentsJump to latest comment

Dor E's picture


80 per day ==> You are lucky :)

we are getting around 250,

We are trying to deal with them with automatic notifications.

See which are the sensitive policies which created the alerts and handle them first ==> How do we do it?

We get from DLP entire details about the incindets, then sending the details to the user/manager/both/only manager, and ask from the to explain it.

Of course that we are waiting for response, and only once we got it, and understand why there was incident we close the case.

It's not an easy and DLP system creates a lot of events

Good Luck

enebdu's picture

While we have False/Positives, at this time we are very black and white. If you send an SSN or PCI number, it gets blocked and they get notified. I could email to the high risk senders or high severity incidents to ask them why but I already know the reason why they are trying to send this information. My email after our automated email would be redundant I think.

I guess I could reach out to the high severity and high risk senders and send them an education email on how to send data securely.

Do you search through your incidents for False/Positives to tune the system more or do you take those on as users present them to you?

To be honest, I'm asking all of this because I am bored and want to be more engaged with the system.

kishorilal1986's picture

ho ene,

It is not possible to handle each and every incident in inital stage. You need to reduce false positive incident and try to keep accuracy in incident so that minimum incident will be genrated and keep enough team to handle such all incidents. Also make some changes to optimize DLP application and Incident resoponder.

Create easy and effective workflow to get incident close early. I had worked on incident management apprx 1.5 yrs. You can ask me if u need more info.

Harryk's picture

Hello Mr Sharma,

Can you please help me with the effective workflow to get incident close early? As I am engaged in same activity and would need your help for same. I am looking for the workflow with validating the incidents from first reponders perspective. Thanks

kishorilal1986's picture

yah harry sure, but now I am busy and I need more time explain u in detail.

I recommend u create new thread for this and will better to keep this different for future ref.