Data Loss Prevention

  • 1.  Incident Snapshot - Status (only monitoring)

    Posted Feb 07, 2017 12:47 PM

    I have set up 2 policies based on SMTP prevent. I am not doing any blocking yet. I just want to determine the nature of the kind of problems I am likely to encounter, so that when I change the Status for an incident I can select the kind of problem.

    The policies are based on corporate, retail, and employee data files.

    So, from your experience, what kind of problems am I likely to encounter, and how can I label these problems in the Status dropdown for monitoring purposes? I would appreciate it if someone could list some such problems with a brief explanation. I would like to add some of these to the Status just for monitoring.

    For example: User sent herself personal data – users have emailed their completed tax form to their home email.

    Thanks for your help.



  • 2.  RE: Incident Snapshot - Status (only monitoring)

    Posted Feb 07, 2017 01:51 PM
    The stock statuses are a reasonable starting point. You won't see them if you didn't import a solution pack after install, though.

    False Positive - Incident generated for an event not in scope; the policy requires tuning.

    User Education - Event occurred due to the user not being aware of the risk or that the data was sensitive.

    Broken Business Process - Event occurred due to a business process or procedure that was created without consideration of the risk or that the data was sensitive.

    Escalation - Event is malicious, intentional, or is high severity in nature due to the type of data or persons involved. Typically requires escalation to management, staff investigation, legal, or HR.

    Investigation - Event is currently under investigation because additional information or context is required to validate it.


  • 3.  RE: Incident Snapshot - Status (only monitoring)
    Best Answer

    Posted Feb 08, 2017 02:16 PM

    Here's our Response Rules we use:

    If the initial incident responder reviews the incident and does not need to involve anyone for escalation or clarification, we use “dismiss” and no further action is performed on the incident.

    Dismiss – Business Process.  Example: sending a blank form containing “proprietary” and/or “confidential” in the footer, but nothing sensitive in the document.

    Dismiss – False Positive.  Example: Finding a 9-digit web session ID and the characters “SS#” that together might trigger the SSN policy.

    Dismiss – Personal Use.  Example: A person sends their own personal data, like tax forms, pay stub, etc. that contains just their (or their family’s) own personal info.


    If an incident requires further review, we escalate to the CISO, HR, or the manager, depending on what is observed.

    Escalate for Investigation.  Example: Requesting sender’s manager to verify if the attachment contains real data, test data, or is not sensitive.

    Escalate to HR.  Example: Employee sending customer PII to an unrecognized external address.


    Once an escalated issue is resolved, we mark it as “resolved” instead of “dismissed”, to differentiate in reporting between the ones that required additional investigation and the ones we were able to resolve ourselves.

    Resolve – Business Issue.  Example: The manager determined that the data is not sensitive, and/or was mis-marked as confidential, and the sender did not do anything wrong.

    Resolve – Education Issue.  Example: The manager or HR indicates they addressed the infraction with the sender.  This may mean the sender was warned, was put on performance plan, or may have been terminated, but this is not necessarily communicated to the DLP admins.

    Resolve – Employee Oversight.  Example: Manager or HR determines this was not malicious and was truly an accident.  Sender was likely warned to be more careful, but no further info is known to DLP admins.

    Resolve – One-time Event.  Manager determines they have a broken, incorrectly documented, or undocumented process and are taking steps to resolve.
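The dismiss / escalate / resolve scheme in the answer above is a small workflow: the initial responder either closes an incident directly (Dismiss) or hands it off (Escalate), and a handed-off incident is closed as Resolve so reporting can tell the two populations apart. The following is an added example, not code from the forum post or from any DLP product, that models that workflow and the reporting split. The status strings are the ones the answer lists (with plain hyphens); the `Incident` class, the transition rules, the `triage_report` function and the sample incidents are assumptions constructed for this example.

```python
"""Incident triage workflow modelled on the dismiss / escalate / resolve
scheme described in the thread (added example; not the product's own code)."""
from collections import Counter
from dataclasses import dataclass, field

# Terminal outcomes the initial responder may assign without involving anyone.
DISMISS_STATUSES = {
    "Dismiss - Business Process",
    "Dismiss - False Positive",
    "Dismiss - Personal Use",
}
# Intermediate statuses that hand the incident to the CISO, HR or a manager.
ESCALATE_STATUSES = {
    "Escalate for Investigation",
    "Escalate to HR",
}
# Terminal outcomes reserved for incidents that went through escalation.
RESOLVE_STATUSES = {
    "Resolve - Business Issue",
    "Resolve - Education Issue",
    "Resolve - Employee Oversight",
    "Resolve - One-time Event",
}


@dataclass
class Incident:
    """Hypothetical incident record; real DLP incidents carry far more fields."""
    incident_id: int
    policy: str
    status: str = "New"
    history: list = field(default_factory=list)

    def set_status(self, new_status: str) -> None:
        """Apply a status change while enforcing the workflow from the reply:
        New -> Dismiss (closed) or Escalate; Escalate -> Resolve (closed).
        An escalated incident may never be Dismissed, so the reporting
        split between self-resolved and escalated incidents stays honest."""
        if self.status in DISMISS_STATUSES or self.status in RESOLVE_STATUSES:
            raise ValueError(f"incident {self.incident_id} is already closed ({self.status})")
        if self.status == "New" and new_status not in DISMISS_STATUSES | ESCALATE_STATUSES:
            raise ValueError(f"a new incident must be dismissed or escalated, not {new_status!r}")
        if self.status in ESCALATE_STATUSES and new_status not in RESOLVE_STATUSES:
            raise ValueError(f"an escalated incident must be resolved, not {new_status!r}")
        self.history.append(self.status)
        self.status = new_status


def build_sample_incidents():
    """Constructed sample data (not real incidents) walked through the workflow."""
    a = Incident(1, "SSN")
    a.set_status("Dismiss - False Positive")      # 9-digit session ID next to "SS#"
    b = Incident(2, "Customer PII")
    b.set_status("Escalate to HR")                # PII to an unrecognized external address
    b.set_status("Resolve - Education Issue")     # HR addressed it with the sender
    c = Incident(3, "Corporate Confidential")
    c.set_status("Escalate for Investigation")    # still waiting on the manager
    d = Incident(4, "Employee Data")
    d.set_status("Dismiss - Personal Use")        # own tax form to home email
    return [a, b, c, d]


def triage_report(incidents):
    """Summarise incidents the way the reply wants them reported: dismissed by
    the responder, resolved after escalation, or still open, plus a per-status count."""
    report = {"dismissed": 0, "resolved_after_escalation": 0, "open": 0,
              "by_status": Counter()}
    for inc in incidents:
        report["by_status"][inc.status] += 1
        if inc.status in DISMISS_STATUSES:
            report["dismissed"] += 1
        elif inc.status in RESOLVE_STATUSES:
            report["resolved_after_escalation"] += 1
        else:
            report["open"] += 1
    return report


def escalated_to_dismiss_is_rejected() -> bool:
    """Show the guard in action: an escalated incident cannot be quietly dismissed."""
    inc = Incident(99, "Customer PII")
    inc.set_status("Escalate to HR")
    try:
        inc.set_status("Dismiss - False Positive")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for key, value in triage_report(build_sample_incidents()).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
    print("escalated incident rejected dismiss:", escalated_to_dismiss_is_rejected())
```

The transition table is the part worth copying: letting an escalated incident be closed as "dismissed" would hide the escalation in reports, which is exactly the distinction the answer is trying to preserve.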



  • 4.  RE: Incident Snapshot - Status (only monitoring)

    Posted Feb 08, 2017 02:33 PM

    Thank you, Dean and Ron. The information you provided is quite helpful to me.