Cisco Email Security Appliance X1070 User Guide
11-14
Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 11 Data Loss Prevention
Note
You cannot add or remove classifiers for policies based on a predefined template.
Step 6
Optionally, you can limit the DLP policy to messages with specific recipients or senders, attachment
types, or message tags. For more information, see
Step 7
In the Critical Severity Settings section, choose the action to perform on messages containing critical
DLP violations.
Step 8
By default, the other severity levels inherit the message action from the level above it. If you want to
define different settings for messages that match the high, medium, or low severity level, select the
message action you want the appliance to perform.
Step 9
If you want to adjust the DLP violation severity scale for the policy, click Edit Scale and adjust the settings.
For more information, see
Step 10
Submit and commit your changes.
The policy is added to the DLP Policy Manager.
Customizing Classifiers for DLP Policies
Some of the DLP policy templates require customized classifiers for better efficacy. These classifiers
search for confidential identification numbers in outgoing messages, such as patient or student
identification numbers, but require one or more regular expressions that define the patterns of your
organization’s record numbering system. You can also add a list of words and phrases that are associated
with the record identification number for supporting information. If the classifier detects the number
pattern in an outgoing message, it searches for the supporting information to verify that the pattern is an
identification number and not a random number string. This results in fewer false positives.
For example, use the HIPAA and HITECH template to create a policy. This template includes the Patient
Identification Numbers content matching classifier, which you can customize to detect a patient’s
identification number. Enter the regular expression
[0-9]{3}\-[A-Z]{2}[0-9]{6}
for the classifier.
This regular expression detects numbers in the pattern of 123-CL456789. Enter “Patient ID” for a related
phrase. Finish creating the policy and enable it in an outgoing mail policy. Submit and commit your
changes. Now, if the policy detects the number pattern in an outgoing message with the phrase “Patient
ID” in close proximity to the number pattern, the DLP policy returns a DLP violation.
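The check described above, sketched as an added example; this is not Cisco's code and does not show how AsyncOS implements the classifier. The regular expression and the phrase "Patient ID" come from the guide. The 40-character proximity window, the case-insensitive phrase match, and the names classify, WINDOW and SAMPLES are assumptions made for illustration.

```python
import re

# Pattern from the guide; matches record numbers such as 123-CL456789.
ID_PATTERN = re.compile(r"[0-9]{3}\-[A-Z]{2}[0-9]{6}")
# Supporting phrase from the guide's example.
PHRASES = ["Patient ID"]
# Assumption: the guide only says "close proximity"; 40 characters is an
# illustrative window, not the appliance's actual value.
WINDOW = 40


def classify(text, phrases=PHRASES, window=WINDOW):
    """Return (violations, unverified) lists of matched ID strings.

    A match counts as a violation only when a supporting phrase occurs
    within `window` characters before or after it. Otherwise it is listed
    as unverified, i.e. probably a random number string.
    """
    lowered = text.lower()  # assumption: phrase matching ignores case
    violations, unverified = [], []
    for m in ID_PATTERN.finditer(text):
        start = max(0, m.start() - window)
        end = min(len(text), m.end() + window)
        context = lowered[start:end]
        if any(p.lower() in context for p in phrases):
            violations.append(m.group())
        else:
            unverified.append(m.group())
    return violations, unverified


# Constructed sample messages (not real data).
SAMPLES = {
    "with phrase": "Discharge summary attached. Patient ID: 123-CL456789.",
    "no phrase": "Your order 555-AB000111 ships on Monday.",
    "phrase too far": "Patient ID forms are due Friday. " + "x" * 60
                      + " Tracking ref 987-ZZ654321.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body))
```

The second and third samples match the number pattern but are not reported as violations, which is the false-positive reduction the supporting phrase provides.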
For information on how to create a regular expression, see
. For more information on how content matching classifiers detect DLP
violations, see
Filtering Messages for DLP Policies
You have the option of limiting a DLP policy to scanning only messages based on specific information
first detected by AsyncOS. DLP policy scanning can be limited by the following information:
• Senders and recipients
• Attachment types
• Message tags