Data Loss Prevention

There are basically two policies that I am concerned with.  One is a policy that violates emails that are flagged as encrypted either by a subject line or  confidential flag.  The other is our Hipaa policy which has the encryption policy as an exception.  However, despite that it is listed as an exception we are still seeing in our Hipaa violations the encrypted email.  I was led to understand that this is due to the correlation being turned and I just need to know how to turn them off so that this filters correctly as well as what the risks are.  Any assistance is greatly appreciated.

I'm really not very understanding your scenario...

The correlation is a function of the incidents, but, what you mentioned is your policy.

Hi,

 i dont think there is any relationship between correlation and policy.

What you describe looks more like a wrong rule configuration for your exclusion. This happens to me several times when i didnt check "Apply this exception to ENTIRE MESSAGE" but only apply the exception to "matched component" (which  is the default for fiel type rules).

 Regards

Did recieve the following document however also did look to find that the exception was NOT set to ENTIRE MESSAGE.  I have made both changes and will monitor and test.

Article ID: 42298

How Do I Turn Off Correlations?

Can anybody explain to me what Correlation means in DLP ?.. And what Effect does it have on the performance.. ?

Dear Enthusiast,

You can view lists of the incidents that share various attributes of the current incident.

For example, if the copying of a file triggered the current incident, you can bring up a list of all the incidents that are related to the copying of this file. The Correlations tab shows a list of correlations that are matched to single attributes. Click on attribute values to view lists of the incidents that are related to those values.

To search for other incidents with the same attributes, click Find Similar. In the Find Similar Incidents dialog box that appears, select the desired search attributes. Then click Find Incidents. Archived incidents are not displayed when you search for similar incidents.

After turning off correlation and ensuring that the policy rule is applied to the whole message still it continues that we cannot filter out emails with the encryption flag set. 

In looking at the items in question I am wondering if it is violating attachments seperate from the email?  Does this seem likely?  We do filter on keywords in the subject line to exclude and that works successfully and doesn't violate on attachments though so I'm a bit unclear. 

Put in a feature request as I am told that you cannot filter based on the violations of another policy.

I have a scenario. I have a simple credit card policy and I need to see all the incidents related to a particular Credit Card No ..? Can I do that using the correlations ??..