Protect your data from leaking out of your company. Learn how to set up data policies and configure additional sections, including data classifications, actions, and options for clipboard and screen capture.
Introduction
Creating data policies is a bit more advanced than creating policies for applications or websites. They work in a similar manner but have more sections that need to be configured. Before creating a data policy, have a look at setting up policies for applications and websites.
Creating a data policy
Data policies follow the same evaluation system as application, web, and auditing policies.
To create a new data policy, navigate to Policies > Data and Add policy. Data policies have the following extra sections:
- Data classifications
- More advanced Actions
- Destination types
- Options for clipboard and screen capture
1. Data classifications
Here you can specify the data that the policy will target. By default, All data is selected, applying the policy to all files transferred to specified destination types (e.g. to all data sent via email, all data uploaded to the web, all data copied to external devices, etc.).
To modify that, click Browse and select one or more data classifications (learn how to create data classifications here). Only files classified with selected data classification(s) will be affected by the policy.
Disabled data classifications do not show up in policies.
2. More advanced Actions
You can choose what action should happen when the policy is applied (i.e. the user transfers files to a selected destination):
- Allow: The file operation is allowed, and no logs are created about the activity.
- Log: The file operation is silently logged without the user being notified. The policy silently logs both allowed activities and activities that violate the policy.
- Notify: The user is shown a notification that their activities violate a policy, and they can decide whether to continue or abort the operation. If they perform the activity, it is logged. Allowed activities are also logged. Safetica does not log the following operations: Delete, Create, Rename, and Copy/Move within one physical storage (exception: the destination is a cloud folder).
- Block: Activities that violate a policy are completely blocked and logged. Allowed activities are only logged.
- Block (with override): Certain users are allowed to override a blocking policy if they provide a reason for performing the file operation. The reason is linked to the record of the file operation. If they choose to override the policy, the operation proceeds and is logged; otherwise, it is blocked and logged. This action is not supported on macOS devices.
What destinations does this policy apply to?
In the drop-down below, you can also select to which destinations and destination groups from your Data destinations the policy will apply. This allows the policy to be specifically applied to files transferred to chosen destinations:
- All destinations: The policy will apply to all data destinations.
- All except safe destinations: The policy will apply to destinations in the Unassigned and Untrusted columns.
- Only safe destinations
- Only unassigned destinations
- Other...: You can choose specific destination groups to which the policy will apply.
Example: In a company, uploads to all file shares are blocked. The only exception is upload to a file share that is part of the company’s intranet and is considered a safe destination.
By clicking Advanced control of individual destination types, you can configure distinct settings (both action and destination) for each destination type.
3. Destination types
The core of each data policy is selecting destination types, such as Email, Web upload, Removable storage, etc.
Learn more details about individual destination types:
- Cloud drive upload
- M365 file sharing
- Git
- Instant messaging
- Network file share (SMB etc.)
- Remote file transfer (RDP)
- Removable storage (USB, memory cards, etc.)
- Virtual print
- Web upload
4. Options for clipboard and screen capture
These options are available only when a data classification is selected.
Extend your data protection by blocking copying to the clipboard (up to 160 symbols without sensitive content are allowed; more than 160 symbols are always blocked) or by blocking screen capture.
These options are not supported on macOS devices.
A newly created policy is disabled by default. You can enable it:
- in the policy detail by changing the policy status on the right side or
- by toggling the button in the list of policies in the Data tab of the Policies section
Read next:
Data classification in Safetica
Policies: How they work in Safetica
Auditing policies: what are they
Data destinations: What are they