Cisco Email Security Appliance C160 User Guide

User Guide for AsyncOS 9.8 for Cisco Email Security Appliances
 
Chapter 18      Data Loss Prevention
  DLP Policies for RSA Email DLP
For DLP Policies Based On Predefined Templates 
You cannot view or modify risk factor scoring parameters for DLP policies created from predefined 
templates. However, if there are too many false positive matches for a particular DLP policy, you can 
adjust the severity scale for that policy. See 
. For policies 
based on templates that do not have a content matching classifier, such as the SOX (Sarbanes-Oxley) 
template, the scanning engine always returns a risk factor value of “75” when a message violates the 
policy. 
For Custom DLP Policies 
When you create content matching classifiers for custom DLP policies, you specify values that are used 
to determine the risk factor score: 
Proximity. How close the rule matches must occur in the message or attachment to count as a 
violation. For example, if a numeric pattern similar to a social security number appears near the top 
of a long message and an address appears in the sender’s signature at the bottom, they are presumed 
to be unrelated and the data does not count as a match. 
Minimum Total Score. The minimum risk factor score required for sensitive content to be labeled 
a DLP violation. If the score of a message’s matches does not meet the minimum total score, its data 
is not considered sensitive.
Weight. For each custom rule you create, you specify a “weight” to indicate the importance of the 
rule. A score is obtained by multiplying the number of detection rule matches by the weight of the 
rule. Two instances of a rule with a weight of 10 result in a score of 20. If one rule is more important 
for the classifier than the others, it should be assigned a greater weight.
Maximum Score. A rule’s maximum score prevents a large number of matches for a low-weight 
rule from skewing the final score of the scan.
To calculate the risk factor, the classifier multiplies the number of matches for a detection rule by the 
weight of the rule. If this value exceeds the detection rule’s maximum score, the classifier uses the 
maximum score value. If the classifier has more than one detection rule, it adds the scores for all of its 
detection rules into a single value. The classifier maps the detection rules score (10 - 10000) on a scale 
of 10 -100 using the logarithmic scale shown in the following table to create the risk factor: 
Table 18-1   How Risk Factor Scores Are Calculated From Detection Rule Scores 

Rule Scores    Risk Factor
10             10
20             20
30             30
50             40
100            50
150            60
300            70
500            80
1000           90
10000          100
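
The calculation described above, worked through as an added example; this is not code from the Cisco guide or from AsyncOS. The Rule class, the rule names and the match counts are constructed. Two behaviours are assumptions: a score that falls between two table rows takes the lower row's risk factor, and Minimum Total Score is compared against the summed rule score.

```python
from bisect import bisect_right
from dataclasses import dataclass

# Table 18-1 from the guide: (detection rule score, risk factor).
TABLE_18_1 = [(10, 10), (20, 20), (30, 30), (50, 40), (100, 50),
              (150, 60), (300, 70), (500, 80), (1000, 90), (10000, 100)]

@dataclass
class Rule:  # hypothetical container for one detection rule
    name: str
    weight: int
    max_score: int

def rule_score(rule, matches):
    """Number of matches times weight, capped at the rule's maximum score."""
    return min(matches * rule.weight, rule.max_score)

def classifier_score(rules, match_counts):
    """Sum of the capped scores of every detection rule in the classifier."""
    return sum(rule_score(r, match_counts.get(r.name, 0)) for r in rules)

def risk_factor(score):
    """Map a detection rule score to a risk factor using Table 18-1.

    Assumption: scores between rows take the lower row's value, scores
    under 10 map to 0 and scores over 10000 map to 100.
    """
    idx = bisect_right([s for s, _ in TABLE_18_1], score)
    return TABLE_18_1[idx - 1][1] if idx else 0

def evaluate(rules, match_counts, minimum_total_score):
    """Return (score, risk factor, is_violation) for one scanned message."""
    score = classifier_score(rules, match_counts)
    # Assumption: the minimum is checked against the summed rule score.
    return score, risk_factor(score), score >= minimum_total_score

# Constructed classifier, not taken from any real policy.
RULES = [Rule("ssn_pattern", weight=10, max_score=100),
         Rule("keyword_confidential", weight=1, max_score=5)]

if __name__ == "__main__":
    # 2 SSN-like matches score 20; 400 keyword hits are capped at 5; total 25.
    print(evaluate(RULES, {"ssn_pattern": 2, "keyword_confidential": 400}, 20))
    # Without the cap the same message would score 420 (risk factor 70).
    print(risk_factor(2 * 10 + 400 * 1))
```

The second print shows why Maximum Score matters when tuning false positives: the uncapped low-weight keyword rule alone would move the message from risk factor 20 to 70.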