Data Loss Prevention

  • 1.  DLP - Best way to create a conditional policy

    Posted Feb 09, 2015 04:44 PM

    I am new to Symantec DLP and I am looking for the best way to handle this situation.  Our organization would like to detect and modify the headers of emails which contain PII (using EDM).  However, we would only want to do this for emails which do not already contain our encryption keywords.

    Easy enough, create an EDM policy with an exception for the keywords.

    The issue I have is that we would also like to alert on emails that contain PII that already have the keyword as well.  Is there any way to accomplish this without creating two separate policies with the only exception being the keyword exception?  Maybe something like an IF statement?



  • 2.  RE: DLP - Best way to create a conditional policy

    Trusted Advisor
    Posted Feb 11, 2015 07:13 AM

    Hello

    You can add a condition on the response rule, so you can:

    Define two detection policies:

    - EDM and encryption keyword (severity = low)

    or

    - EDM only (severity = high)

    Add a response rule to modify email headers, including the condition that "severity = high"

     

     So this will update email headers when you have only PII detected, and you will also get a DLP incident when you detect PII but with encryption keyword already present in email.

     Regards