
Need some help with Questions for DAR incidents which I can ask End User

Created: 28 Mar 2013 • Updated: 01 Apr 2013 | 6 comments
Harryk:
This issue has been solved.

Hi Team,

I have violated incidents and I need your help on the types of questions to ask end-users (data owners), like... why do you have data residing in xyz place? Is it for a legal purpose? etc.

Also, it's only related to PCI and PHI.

I am trying to create questions that are as simple as possible for the end-user, on the basis of violated DAR incidents, which a layman can really understand.


stumunro:


Questions are good. I would start with notifying your boss and getting HR and Legal involved, as do you have a corporate policy around such data? Let them be the arm behind this, not you. Let them decide what is and isn't a breach. If you are finding this type of data at the endpoints, you need to start looking at encrypting these laptops with Symantec Encryption. On that note, Symantec has a workflow solution to help automate this type of incident. Also make sure that their Endpoint Protection is up to date.

Here is a link to the workflow video one of my coworkers did; I believe this is still free.

Thomas Fürling:

Hi Harry

If you have DaR incidents and you want to do it based on every incident, you can proceed as numbered below. If you learn from incidents and want to ask "summary" questions from an awareness campaign, the user compliance questionnaire functionality of CCS might help:

  1. Enrich the incident (lookup plugins) with the information about the owner of the file, DB record, intranet website, ... If the incident does not give you enough information, relate to a data owner, share owner, application owner, ... or consider Data Insight to detect the "real" user of the file.
    Identifying the real violator in case of DaR incidents is not always a straightforward process.
  2. Then you might need a grouping feature, because nobody wants to manually process thousands of DaR incidents. Our customers normally group the incidents and remediate in groups. If you question the users file by file, then this might not be a problem for you. Depends on the number of incidents you get.
  3. Anyway, you have to send the person you expect the justification from a trigger. That can be an email or a link to start a workflow. Alternatively (if there are not too many different people you have to work with) you can create dedicated roles with filters on the "owner" as a custom attribute. Be aware that this role approach does not scale well (hierarchy of organizations and the number of different roles are a problem for the RRBAC of DLP).
  4. Now, based on the triggered solution (Symantec Workflow or another solution), the user gets a URL to the original file (it must be ensured outside DLP that the user has access to the location of the original; if the user does not have access, the user is most probably the wrong person to ask ;-). After the user has decided what to do with the file, best practice is to remediate the potential action via the incident (first to update the incident's state machine, second to be able to undo an action under central control if that might be required). Potential actions are "keep - file can stay there", "delete - file is not needed anymore", "encrypt - make file inaccessible", "drm - apply DRM role to file", "quarantine - move file to a safe location", "copy - ensure you have an auditable copy of the file". Also consider that, when moving the file, today's journalled file systems allow the user to get the file again outside the control of DLP. Luckily most users do not know how to do that ;-) but the administrators will know, when the user opens a ticket. So you might give some attention to the incident correlation if the same file appears again and again.
  5. DLP, a workflow or any other solution would then perform the remediation action and update the incident, or the incidents in case the action was performed on more than one incident.

We have built such a solution. Due to the grouping issues, we gave up using the Symantec Workflow solution, but if you are going through incident by incident, SYMC Workflow might be fine. We built an external web solution that could handle the authorization, grouping and ensure the transaction safety when processing thousands of incidents with one click. Happy to talk more about that solution if you are interested.


Harryk:

Thanks, Thomas, for your inputs.

I understand Sym Workflow will help with this in a very easy way, to understand the process workflow very well.

But we don't use any Sym Workflow and I am looking for an easy option to create the questionnaire for the end-user, a kind of data classification questions with reference to DaR incidents.

So if I could get a clue of how these questions can be prepared and asked of end users, I would appreciate your help. Thanks.

Thomas Fürling:

Hi Harry

I wouldn't say that Sym Workflow is an easy thing. It is one option. The problem you have is "how to interact" with the user. In case of DaR, popups from DiU won't work. Therefore you will need some way to contact the user, allow the user to give feedback/answers to your questions and potentially update the incident/alert to get the audit trail for the legal aspect.

Questions/Options IMHO:
Basically you have to tell the users about the policy violated and the target/file. The user will then have to look at the file to decide:

  • Is the file still required and okay at that place? -> leads to "keep" remediation action
  • Is the file currently okay there, but only for a limited time? -> leads to "whitelist" remediation action
  • Is the file required but not at that place? -> leads to "move" remediation action
  • Is the file no longer required? -> leads to "delete" remediation action
  • Is the file still needed but the information too critical? -> leads to "encrypt" remediation action

There is also the option that the policy encrypts/quarantines the file automatically due to the sensitivity of the information. In this case you might want to ask the user where the file should be placed back.

Solution Proposal:

A: Remediation GUI

  1. Actions can be performed within a GUI that is in contact with DLP Enforce to do it "automatically", or done by the user outside DLP and DLP just needs to be updated. Depends on how important it is to have a 100% consistent status. Obviously, if you do everything using a GUI/DLP workflow, the status will be more consistent than with a user that must remediate the incident and sync the status in DLP manually.

The following alternatives come to my mind (but in my opinion, they all lack one or the other aspect of a holistic solution):

B: Marker-File + Workflow

  1. Policy quarantines the file and leaves a marker file containing your questions (above) with links. Each link is one answer. (Issue: if you move the file, the owner of the DLP system somehow took responsibility for the file, and a secured store for all the sensitive content is required.)
  2. Based on the link click of the user, a small web solution (Sym Workflow or self-built) performs the selected remediation action. (Be aware that the user cannot check the file content anymore in this case, since it is quarantined.)

C: Excel-Export with manual Feedback

  1. You can export the incidents into an Excel form and send it to the user.
  2. The user can update his decision in the Excel form and send it back.
    A track record is there; the solution does not update the incident automatically. I would say, feasible for smaller numbers.

D: Sharepoint

  1. Heard of clients that exported the incidents to SharePoint and then used SharePoint functions to interact with the user.
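As an added illustration (not code from the thread or from Symantec's products) of the questionnaire above combined with option C: incidents are grouped per data owner, one CSV form per owner is exported with one yes/no column per question, and the returned form is read back to derive the remediation action. The incident fields and the sample answers are constructed and are not DLP's real schema.

```python
import csv
import io

# Question key, the question text from the post above, and the remediation action it leads to.
QUESTIONS = [
    ("still_ok_here", "Is the file still required and okay at that place?", "keep"),
    ("ok_for_limited_time", "Is the file currently okay there, but only for a limited time?", "whitelist"),
    ("required_elsewhere", "Is the file required but not at that place?", "move"),
    ("no_longer_required", "Is the file no longer required?", "delete"),
    ("too_critical", "Is the file still needed but the information too critical?", "encrypt"),
]
ACTIONS = {key: action for key, _, action in QUESTIONS}

SAMPLE_INCIDENTS = [  # constructed sample; field names are assumptions, not DLP's incident schema
    {"id": "1001", "owner": "alice", "policy": "PCI", "path": r"\\fs01\share\cards.xlsx"},
    {"id": "1002", "owner": "alice", "policy": "PHI", "path": r"\\fs01\share\patients.csv"},
    {"id": "1003", "owner": "bob", "policy": "PCI", "path": r"\\fs02\old\export.txt"},
]
# Constructed answers as an owner would return them: one yes/no cell per question.
SAMPLE_ANSWERS = """incident_id,still_ok_here,ok_for_limited_time,required_elsewhere,no_longer_required,too_critical
1001,no,no,no,no,yes
1002,no,no,no,yes,no
1003,yes,,,,yes
"""


def export_questionnaires(incidents):
    """Step 2 plus option C: one CSV form per data owner (owners answer per group,
    not incident by incident), one row per incident, one empty column per question."""
    forms = {}
    for inc in incidents:
        if inc["owner"] not in forms:
            forms[inc["owner"]] = [["incident_id", "policy", "path"] + [k for k, _, _ in QUESTIONS]]
        forms[inc["owner"]].append([inc["id"], inc["policy"], inc["path"]] + [""] * len(QUESTIONS))
    out = {}
    for owner, rows in forms.items():
        buf = io.StringIO()
        csv.writer(buf).writerows(rows)
        out[owner] = buf.getvalue()
    return out


def decide(answers_csv):
    """Read a returned form; exactly one 'yes' yields an action, anything else an error."""
    results = {}
    for row in csv.DictReader(io.StringIO(answers_csv)):
        yes = [k for k, _, _ in QUESTIONS if (row.get(k) or "").strip().lower() == "yes"]
        results[row["incident_id"]] = (
            {"action": ACTIONS[yes[0]], "error": None} if len(yes) == 1
            else {"action": None, "error": "expected exactly one yes, got %d" % len(yes)})
    return results
```

An incident whose form comes back with zero or several "yes" answers is left open with an error instead of being remediated, which keeps the audit record honest when the owner's answer is ambiguous.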


kishorilal1986:

Hi Harry,

I think you should also consider the Data Insight solution to do this better.
Still, as you asked about asking the above query to the end user (data owner), it's obvious that he/she is the data owner and will have some copy of the data. I think you need to create a rule/policy to avoid any data leakage in future and make a data retention policy so that you can scan and collect all confidential data from all machines and remediate accordingly.

Harryk:

Thanks, Thomas and Mr Sharma.

We already have Data Insight, so it shouldn't be the problem. Thanks again.