Cisco Email Security Appliance C160 User Guide
Cisco AsyncOS 8.5.5 for Email Security User Guide
Chapter 17 Data Loss Prevention
DLP Policies for RSA Email DLP
Importing DLP Dictionaries
Before You Begin
If you will import a file that you exported from a non-DLP dictionary on an Email Security appliance,
you must first strip the weight values from the text file and convert any regular expressions to words or
phrases.
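The preparation described under Before You Begin can be scripted. The following is an added example, not part of the Cisco guide. It assumes the exported file holds one entry per line with an optional trailing `, weight` integer, and it uses a hypothetical function name `prepare_for_dlp_import`. Entries that look like regular expressions are reported for manual rewriting rather than converted automatically.

```python
import re

# Assumption: an exported line is "term" or "term, weight" (weight = trailing integer).
WEIGHT_SUFFIX = re.compile(r"\s*,\s*\d+\s*$")
# Metacharacters that suggest an entry is a regular expression, not a word or phrase.
REGEX_HINT = re.compile(r"[\\\[\](){}|*+?^$]")


def prepare_for_dlp_import(exported_text):
    """Strip weights and separate plain terms from entries that need rewriting.

    Returns (clean_terms, needs_manual_rewrite), where the second list holds
    (line_number, entry) pairs for anything that looks like a regex.
    """
    clean, manual = [], []
    for lineno, raw in enumerate(exported_text.splitlines(), start=1):
        # Drop a UTF-8 byte-order mark, then the trailing ", weight" if present.
        term = WEIGHT_SUFFIX.sub("", raw.lstrip("\ufeff")).strip()
        if not term:
            continue  # skip blank lines
        if REGEX_HINT.search(term):
            manual.append((lineno, term))
        else:
            clean.append(term)
    return clean, manual


# Constructed sample export (not taken from a real appliance).
SAMPLE_EXPORT = "\n".join([
    "project falcon, 5",
    "confidential",
    r"\d{3}-\d{2}-\d{4}, 10",
    "internal use only, 2",
    r"(secret|restricted), 3",
])

if __name__ == "__main__":
    terms, todo = prepare_for_dlp_import(SAMPLE_EXPORT)
    print("\n".join(terms))  # content of the file to import
    for lineno, entry in todo:
        print(f"line {lineno}: rewrite as words or phrases: {entry}")
```

A literal phrase that legitimately ends in a comma followed by digits would lose that suffix, so review the output before importing it.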
Procedure
Step 1  Select Mail Policies > DLP Policy Manager.
Step 2  In the Advanced Settings section, click the link beside Custom DLP Dictionaries.
Step 3  Click Import Dictionary.
Step 4  Select a file to import from either your local machine or the configuration directory on the appliance.
Step 5  Select an encoding.
Step 6  Click Next.
        A “Success” message appears and the imported dictionary is displayed in the Add Dictionary page.
        However, the process is not yet complete.
Step 7  Name and edit the dictionary.
Step 8  Click Submit.
Determiners of the Risk Factor of a Suspected Violation
When the appliance scans a message for DLP violations, it assigns a risk factor score to the message.
This score indicates the likelihood that the message contains a DLP violation. A score of 0 means the
message almost certainly does not contain a violation. A score of 100 means it almost certainly does
contain a violation.
For DLP Policies Based On Predefined Templates
You cannot view or modify risk factor scoring parameters for DLP policies created from predefined
templates. However, if there are too many false positive matches for a particular DLP policy, you can
adjust the severity scale for that policy. See
. For policies
based on templates that do not have a content matching classifier, such as the SOX (Sarbanes-Oxley)
template, the scanning engine always returns a risk factor value of “75” when a message violates the
policy.
For Custom DLP Policies
When you create content matching classifiers for custom DLP policies, you specify values that are used
to determine the risk factor score:
• Proximity. How close the rule matches must occur in the message or attachment to count as a
violation. For example, if a numeric pattern similar to a social security number appears near the top
of a long message and an address appears in the sender’s signature at the bottom, they are presumed
to be unrelated and the data does not count as a match.
• Minimum Total Score. The minimum risk factor score required for sensitive content to be labeled
a DLP violation. If the score of a message’s matches does not meet the minimum total score, its data
is not considered sensitive.