
DLP Policy Implementation Approach

Created: 29 Sep 2011 • Updated: 11 Oct 2011 | 2 comments
Denis Kattithara
Policy Implementation approach

Certain DLP policies are likely to generate a large number of false positives. The approach described below is helpful when implementing such policies. It has been designed with three factors in mind:

  • Monitor
  • Validate
  • Implement

Define a policy for Monitoring

The initially created policy may be used for monitoring purposes (e.g. “<Policy name>-Monitor”). The incidents generated by this policy may be analyzed to identify sets of ‘False Positive’ and ‘False Negative’ keywords.

The identified keyword sets may then be added to the exception list of the “-Monitor” policy.

Validate the keyword sets

The keyword sets identified in the Monitor phase may be used to create a Validation policy (e.g. “<Policy name>-Validate”) with two rules:

  • “<Policy name>-False Positive Keywords rule”
  • “<Policy name>-False Negative Keywords rule”

The incidents generated by these rules may be analyzed to validate the keywords, i.e.:

  • “<Policy name>-False Positive Keywords rule” must generate False Positives
  • “<Policy name>-False Negative Keywords rule” must generate False Negatives

Note: The Validation policies may be deleted at a later stage, along with their associated incidents.

Implement the Validated keyword sets

Once validated, the ‘False Negative’ keyword sets may be used as rules when creating the final policy (in Prevent mode).

The ‘False Positive’ keyword sets may be leveraged as exceptions, if required.
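The Validate step can be rehearsed offline before anything is moved into Prevent mode. The following is an added example, not part of the original article and not Symantec DLP code or API: it checks candidate keyword sets against analyst-triaged messages and keeps only keywords whose matches all carry the expected verdict. The sample messages, verdict labels and function names are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample of analyst-triaged messages from the "-Monitor" phase.
# "true_positive"/"false_positive": incidents the Monitor policy raised;
# "false_negative": sensitive messages the Monitor policy missed.
SAMPLES = [
    ("Quarterly newsletter: sample card number format for training", "false_positive"),
    ("Training deck with sample account layout", "false_positive"),
    ("Customer card number attached for refund", "true_positive"),
    ("Sending the cust ledger extract to my personal mail", "false_negative"),
    ("Ledger extract for project Falcon, do not forward", "false_negative"),
    ("Sample ledger extract template, no data", "false_positive"),
]

# Candidate keyword sets, keyed by the verdict each set is expected to produce.
CANDIDATES = {
    "false_positive": ["newsletter", "training", "card number"],
    "false_negative": ["ledger extract", "project falcon"],
}

def matches(keyword, text):
    """Case-insensitive whole-word (or whole-phrase) match."""
    return re.search(r"\b" + re.escape(keyword) + r"\b", text, re.IGNORECASE) is not None

def validate(candidates, samples):
    """For each keyword, count the verdicts it hits and decide if it is validated."""
    report = {}
    for expected, keywords in candidates.items():
        for kw in keywords:
            hits = Counter(verdict for text, verdict in samples if matches(kw, text))
            total = sum(hits.values())
            # Validated only if it matched something and every match has the expected verdict.
            ok = total > 0 and hits[expected] == total
            report[kw] = {"expected": expected, "hits": dict(hits), "validated": ok}
    return report

def final_policy(report):
    """Validated 'False Negative' keywords become rules, 'False Positive' ones exceptions."""
    def pick(kind):
        return sorted(k for k, r in report.items() if r["validated"] and r["expected"] == kind)
    return pick("false_negative"), pick("false_positive")

if __name__ == "__main__":
    report = validate(CANDIDATES, SAMPLES)
    for kw, row in report.items():
        print(f"{kw!r:18} expected={row['expected']:15} hits={row['hits']} ok={row['validated']}")
    print("rules, exceptions:", final_policy(report))
```

In this constructed data, “card number” is rejected as an exception because it also matches a true positive, and “ledger extract” is rejected as a rule because it also matches a benign template.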


GSDavid

Thanks for the brief explanation. It would be great if you share your exp more about DLP.

Mohammad Ashkaibi

This is just perfect. Awesome. Wise.

Well-established approach.
