Protect your data from leaking out of your company. Learn how to set up data policies and configure additional sections, including data classifications, actions, and options for clipboard and screen capture.
Introduction
Creating data policies is a bit more advanced than creating policies for applications or websites. They work in a similar manner but have more sections that need to be configured. Before creating a data policy, have a look at setting up policies for applications and websites.
How to create a data policy
✍️Data policies follow the same evaluation system as application, web, and auditing policies.
To create a new data policy, navigate to Policies > Data and Add policy. Data policies have the following extra sections:
- Data classifications
- More advanced Policy actions
- Destination types
- Options for clipboard and screen capture
1. Data classifications
Here you can specify the data that the policy will target.By default, All data is selected, applying the policy to all files transferred to specified destination types (e.g. to all data sent via email, all data uploaded to the web, all data copied to external devices, etc).
To modify that, click Browse and select one or more data classifications (learn how to create data classifications here). Only files classified with selected data classification(s) will be affected by the policy.
❗Disabled data classifications do not show up in policies.
2. More advanced Policy actions
You can choose what policy action should happen when the policy is applied (i.e. the user transfers files to a selected destination):
- Allow: The file operation is allowed, and no records are created about it.
- Log: The file operation is silently recorded without the user being notified. The policy silently records both allowed operations and operations that violate the policy.
- Notify: The user is shown a notification that the operation violates a policy.
- For some data destinations (web upload, email, instant messaging, git), they can decide whether to perform or abort the operation. If they perform it, it is recorded.
- For other data destinations (print, virtual print, RDP, external storage devices, network file share, cloud drive upload), the operation is performed and recorded.
- Allowed activities are also recorded. Safetica does not record: Delete, Create, Rename, Copy/Move within one physical storage (exceptions: destination is a cloud folder).
- Block: Activities that violate a policy are completely blocked and recorded. Allowed activities are only recorded.
- Block (with override): Certain users are allowed to override a blocking policy, if they provide a reason for performing the file operation. The reasoning is linked to the record about the file operation. If they choose to override the policy, the operation proceeds and is recorded; otherwise, it’s blocked and recorded.
🍏macOS devices: Block (with override) is not supported on macOS.
Learn more about the differences in features between Windows and macOS here.
If you want to learn more about Dynamic action, read this article.
What destinations does this policy apply to?
In the drop-down below, you can also select to which destinations and destination groups from your Data destinations the policy will apply. This allows the policy to be specifically applied to files transferred to chosen destinations:
- All destinations: The policy will apply to all data destinations.
- All except safe destinations: The policy will apply to destinations in the Unassigned and Untrusted columns.
- Only safe destinations
- Only unassigned destinations
- Other...: You can choose specific destination groups to which the policy will apply.
Example: In a company, uploads to all file shares are blocked. The only exception is upload to a file share that is part of the company’s intranet and is considered a safe destination.
✍️By clicking Advanced control of individual destination types, you can configure distinct settings (both action and destination) for each destination type.
3. Destination types
The core of each data policy is selecting destination types, such as Email, Web upload, External storage devices, etc.
✍️Learn more details about individual destination types here.
4. Options for clipboard and screen capture
❗Block copy to clipboard and Block screen capture are available only when a data classification is selected.
🍏macOS devices: These options are not supported on macOS. Learn more about the differences in features between Windows and macOS here.
Extend your data protection by blocking copying to the clipboard (up to 160 symbols without sensitive content are allowed, more than 160 symbols are always blocked) or block screen capture.
✍️A newly created policy is disabled by default. You can enable it:
- in the policy detail by changing the policy status on the right side or
- by toggling the button in the list of policies in the Data tab of the Policies section
Read next:
Data classification in Safetica
Policies: How they work in Safetica
Auditing policies: what are they
Data destinations: What are they