Cisco Email Security Appliance C650 User Guide

Cisco AsyncOS 8.0 for Email User Guide
Chapter 15: Data Loss Prevention
DLP Policies for RSA Email DLP
About Defining Disallowed Content Using Content Matching Classifiers 
Content matching classifiers define the content that cannot be emailed and optionally the context in 
which that content must occur in order to be considered a data loss prevention violation. 
Suppose you want to prevent patient identification numbers from being emailed from your organization. 
In order for the appliance to recognize these numbers, you must specify the patterns of the record 
numbering system used by your organization, using one or more regular expressions. You can also add 
a list of words and phrases that might accompany the record number as supporting information. If the 
classifier detects the number pattern in an outgoing message, it searches for the supporting information 
to verify that the pattern is an identification number and not a random number string. Including context 
matching information results in fewer false positive matches. 
For this example, you might create a DLP policy that uses the HIPAA and HITECH template. This 
template includes the Patient Identification Numbers content matching classifier, which you can 
customize to detect a patient’s identification number. To detect numbers in the pattern of 123-CL456789, 
you would enter the regular expression [0-9]{3}\-[A-Z]{2}[0-9]{6} for the classifier. Enter “Patient 
ID” for a related phrase. Finish creating the policy and enable it in an outgoing mail policy. Submit and 
commit your changes. Now, if the policy detects the number pattern in an outgoing message with the 
phrase “Patient ID” in close proximity to the number pattern, the DLP policy returns a DLP violation.
About Using Content Matching Classifiers in DLP Policies 
Many of the predefined DLP policy templates include content matching classifiers from RSA. Some of 
these classifiers require customization in order to identify the patterns that are used for data in your 
organization. 
If you create a custom DLP policy, you can choose a predefined classifier or create one of your own. 
Content Matching Classifier Examples
The following examples show how classifiers match message content.
Credit Card Number
Several DLP policy templates include the Credit Card Number classifier. The credit card number itself 
is subject to various constraints, such as the pattern of digits and punctuation, the issuer-specific prefix, 
and the final check digit. The classifier requires additional supporting information to make a match, such 
as a second credit card number, an expiration date, or the name of the card issuer. This reduces the 
number of false positives.
Examples:
  • 4999-9999-9999-9996 (No match because of no supporting information)
  • 4999-9999-9999-9996 01/09 (Match)
  • Visa 4999-9999-9999-9996 (Match)
  • 4999-9999-9999-9996 4899 9999 9999 9997 (Match because of more than one credit card number)
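The pattern-plus-supporting-information behavior described above for the Patient Identification Numbers and Credit Card Number classifiers can be checked offline before a regular expression is entered on the appliance. This Python code is an added example, not taken from the Cisco guide and not RSA's classifier logic. The patient ID regex, the related phrase and the sample card numbers come from the text above; the 40-character window, the card pattern, the issuer list and the MM/YY date format are assumptions.

```python
import re

WINDOW = 40  # assumed proximity in characters; the guide only says "close proximity"

def luhn_ok(candidate):
    """Check-digit test for a 16-digit card number (separators ignored)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) == 16 and total % 10 == 0

def is_violation(text, pattern, supporting, validate=None, peer_counts=False):
    """True when a pattern hit has supporting information within WINDOW characters."""
    hits = [m for m in re.finditer(pattern, text)
            if validate is None or validate(m.group())]
    for m in hits:
        # Context on both sides of the hit, excluding the hit itself.
        before = text[max(0, m.start() - WINDOW):m.start()]
        after = text[m.end():m.end() + WINDOW]
        if any(re.search(s, before + " " + after, re.I) for s in supporting):
            return True
    # Optionally treat a second valid hit close to the first as supporting information.
    return peer_counts and any(b.start() - a.end() <= WINDOW
                               for a, b in zip(hits, hits[1:]))

# Patient ID classifier: regex and related phrase taken from the guide's example.
PATIENT_ID = r"[0-9]{3}\-[A-Z]{2}[0-9]{6}"
PATIENT_SUPPORT = [r"Patient ID"]

# Credit card classifier: pattern, issuer list and date format are assumptions.
CARD = r"\b(?:\d{4}[- ]?){3}\d{4}\b"
CARD_SUPPORT = [r"\b(?:0[1-9]|1[0-2])/\d{2}\b",
                r"\b(?:visa|mastercard|amex|discover)\b"]

def patient_id_violation(text):
    return is_violation(text, PATIENT_ID, PATIENT_SUPPORT)

def card_violation(text):
    return is_violation(text, CARD, CARD_SUPPORT, validate=luhn_ok, peer_counts=True)

if __name__ == "__main__":
    for sample in ("4999-9999-9999-9996", "Visa 4999-9999-9999-9996"):
        print(sample, "->", card_violation(sample))
```

The appliance's regular expression dialect and proximity rules may differ from Python's `re` module and the assumed window, so confirm the final pattern against test messages on the appliance itself.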
US Social Security Number
The US Social Security Number classifier requires a properly formatted number as well as supporting 
data, such as a date of birth, name, or the string SSN.