Here are the Response Rules we use:
If the initial incident responder reviews the incident and does not need to involve anyone for escalation or clarification, we use “dismiss” and no further action is performed on the incident.
Dismiss – Business Process. Example: sending a blank form containing “proprietary” and/or “confidential” in the footer, but nothing sensitive in the document.
Dismiss – False Positive. Example: Finding a 9-digit web session ID and the characters “SS#” that together might trigger the SSN policy.
Dismiss – Personal Use. Example: A person sends their own personal data, like tax forms, pay stub, etc. that contains just their (or their family’s) own personal info.
If an incident requires further review, we escalate to the CISO, HR, or the manager, depending on what is observed.
Escalate for Investigation. Example: Requesting sender’s manager to verify if the attachment contains real data, test data, or is not sensitive.
Escalate to HR. Example: Employee sending customer PII to an unrecognized external address.
Once an escalated issue is resolved, we mark it as “resolved” instead of “dismissed”, to differentiate in reporting between the ones that required additional investigation and the ones we were able to resolve ourselves.
Resolve – Business Issue. Example: The manager determined that the data is not sensitive, and/or was mis-marked as confidential, and the sender did not do anything wrong.
Resolve – Education Issue. Example: The manager or HR indicates they addressed the infraction with the sender. This may mean the sender was warned, was put on a performance plan, or may have been terminated, but this is not necessarily communicated to the DLP admins.
Resolve – Employee Oversight. Example: Manager or HR determines this was not malicious and was truly an accident. Sender was likely warned to be more careful, but no further info is known to DLP admins.
Resolve – One-time Event. Manager determines they have a broken, incorrectly documented, or undocumented process and are taking steps to resolve.