Cisco Email Security Appliance X1070 Troubleshooting Guide

Set Up a Custom DLP Policy to Detect Formatted and Unformatted Social Security Numbers
Document ID: 118537
Contributed by Trenton Shaffer and Robert Sherwin, Cisco TAC Engineers.
Oct 09, 2014
Contents
Introduction
Set Up a Custom DLP Policy to Detect Formatted and Unformatted Social Security Numbers
Create a Custom Policy
Create a Classifier
Set the Severity Settings
Set the Severity Scale
Submit and Commit Changes
Final Steps
Related Information
Introduction
This document describes how to set up a custom DLP policy to detect both formatted and unformatted Social
Security Numbers (SSN) on the Cisco Email Security Appliance (ESA).
Set Up a Custom DLP Policy to Detect Formatted and Unformatted Social Security Numbers
By design, the DLP scanning engine detects only formatted Social Security Numbers. This is because of the
high rate of false positives caused by 9-digit numbers contained in data used by various industries. For
example, Bank ABA Routing Numbers are 9 digits long and would trigger a match when scanning for
unformatted Social Security Numbers. It is therefore recommended that you avoid scanning for unformatted
Social Security Numbers unless strictly required by your organization. If your organization does require
scanning for unformatted Social Security Numbers, you can create a custom DLP policy by following the
steps below.
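The false-positive problem described above can be reproduced outside the appliance. The following Python sketch is an added example, not the ESA's or RSA's classifier; the regular expressions, function names and sample message are assumptions made for illustration. It shows that a 9-digit value passing the ABA check-digit test is also reported as an unformatted SSN.

```python
import re

# Formatted SSN: three, two and four digits joined by one consistent separator.
FORMATTED = re.compile(r"(?<![\d-])\d{3}([- ])\d{2}\1\d{4}(?![\d-])")
# Unformatted SSN: a standalone run of exactly nine digits.
UNFORMATTED = re.compile(r"(?<![\d-])\d{9}(?![\d-])")


def plausible_ssn(digits: str) -> bool:
    """SSA never issues area 000, 666 or 9xx, group 00, or serial 0000."""
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def aba_check_digit_ok(digits: str) -> bool:
    """ABA rule: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) is a multiple of 10."""
    d = [int(c) for c in digits]
    total = (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7])
             + (d[2] + d[5] + d[8]))
    return total % 10 == 0


def scan(text: str, include_unformatted: bool = False):
    """Return (matched text, label) pairs for SSN candidates found in text."""
    hits = []
    for m in FORMATTED.finditer(text):
        if plausible_ssn(re.sub(r"\D", "", m.group())):
            hits.append((m.group(), "formatted"))
    if include_unformatted:
        for m in UNFORMATTED.finditer(text):
            if plausible_ssn(m.group()):
                ambiguous = aba_check_digit_ok(m.group())
                label = "unformatted, also valid ABA" if ambiguous else "unformatted"
                hits.append((m.group(), label))
    return hits


# Constructed sample message body; the values are illustrative only.
SAMPLE = ("Employee SSN: 123-45-6789\n"
          "Wire to routing number 122105155, account 000123456789\n"
          "Applicant entered 123456789 on the form\n")

if __name__ == "__main__":
    print(scan(SAMPLE))                            # formatted-only scan
    print(scan(SAMPLE, include_unformatted=True))  # adds the 9-digit matches
```

With the unformatted pattern enabled, the routing number on the second line is reported alongside the genuine 9-digit entry, and nothing in the digits alone tells the two apart.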
AsyncOS provides the option to create your own policy from scratch using classifiers developed by RSA or
your organization. This option is considered advanced and should be used only in the rare cases when the
predefined policy templates do not meet the unique requirements of your network environment.
Create a Custom Policy
1. From the GUI: Mail Policies > DLP Policy Manager.
2. Click the Add DLP Policy... button.
3. Select Custom Policy at the bottom of the screen and click Add next to Custom Policy.
4. Enter a DLP Policy Name. For example: SSN Custom Policy.