Protect your data from leaking out of your company.
Setting up data policies is a bit more advanced than setting up policies for applications, websites, or auditing. They work in a similar manner, but have more sections that need to be configured.
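These extra sections are:
- Data classifications section
- More advanced Actions section
- Options for clipboard and screen capture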
You will also learn how data policies are evaluated.
Data classifications section
Here you can specify the data which the policy will target. Click Browse and pick one or more available classifications (learn how to create data classifications here). You can also enter the name of the classification into the search bar.
If you choose All data, the policy will apply to all file transfers to the specified destination types (e.g. to all data sent via email, all data uploaded to the web, all data copied to external devices, etc.). Such general policies are great for setting general limits on what is allowed and what is not.
During evaluation, a policy is applied to files that match ANY of its data classifications (OR relationship between data classifications).
Disabled data classifications do not show up in policies.
More advanced Actions section
You can choose what action will be performed when the policy is applied:
- Allow – if the policy is matched, no logs are created about the activity.
- Log – the policy silently logs both allowed activities and activities that violate the policy.
- Notify – the user is notified that their activities violate a policy. If they perform the activity, it is logged. Allowed activities are also logged. Safetica does not log: Delete, Create, Rename, Copy/Move within one physical storage (exceptions: destination is a cloud folder).
- Block – activities that violate a policy are completely blocked and logged. Allowed activities are only logged.
- Block (with override) – certain users are allowed to override a blocking policy, if they have a reason for it. The activity is logged.
You can also choose to which destinations and destination groups in your Workspace the policy will apply:
- All destinations – the policy will apply to all destinations in your Workspace
- All except safe destinations – the policy will apply to destinations in the Unassigned and Untrusted columns
- Only safe destinations
- Only unassigned destinations
- Other... – you can choose specific destination groups to which the policy will apply
Example: In a company, uploads to all file shares are blocked. The only exception is upload to a file share that is part of the company’s intranet and is considered a safe destination in the company’s workspace.
Options for clipboard and screen capture
Here you can choose whether to block copying to the clipboard or screen capture.
These options are available only when you select a data classification in section
How data policies are evaluated
Data policies follow the same evaluation system as application, web, and auditing policies.
A policy is applied when ALL its sections are matched (AND relationship between sections). If they are not matched, the evaluation continues with lower-priority policies.
Example: An admin has 3 policies. A user from the Graphics team uploads a file. A policy that does not contain the Graphics team is skipped. Another policy contains the Graphics team, but does not contain Web upload, so it is skipped. The third policy is a general one for the whole company, so it is applied.
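The evaluation order described above can be modelled in a few lines. This is an added illustration, not Safetica code: the `Policy` and `Event` fields, the policy names, and the channel and classification labels are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

ALL = None  # hypothetical marker: the section is unrestricted ("All data", whole company)

@dataclass
class Policy:
    name: str
    action: str                           # Allow, Log, Notify, Block, ...
    users: Optional[set] = ALL            # teams the policy targets
    channels: Optional[set] = ALL         # e.g. "Web upload", "Email"
    classifications: Optional[set] = ALL  # ALL models "All data"

@dataclass
class Event:
    team: str
    channel: str
    classifications: set  # data classifications detected on the file

def section_matches(wanted, actual):
    """A section matches if unrestricted or if it shares ANY value with the event (OR)."""
    return wanted is ALL or bool(wanted & actual)

def evaluate(policies, event):
    """First policy (highest priority first) whose sections ALL match is applied (AND)."""
    skipped = []
    for p in policies:
        checks = {
            "users": section_matches(p.users, {event.team}),
            "channels": section_matches(p.channels, {event.channel}),
            "data classifications": section_matches(p.classifications, event.classifications),
        }
        failed = [section for section, ok in checks.items() if not ok]
        if not failed:
            return p, skipped
        skipped.append((p.name, failed))  # record why we fell through to the next policy
    return None, skipped

# Constructed policies mirroring the three-policy example, in priority order.
POLICIES = [
    Policy("Finance web block", "Block", users={"Finance"}, channels={"Web upload"}),
    Policy("Graphics USB log", "Log", users={"Graphics"}, channels={"External device"}),
    Policy("Company-wide notify", "Notify"),
]

if __name__ == "__main__":
    applied, skipped = evaluate(POLICIES, Event("Graphics", "Web upload", {"Design drafts"}))
    print("skipped:", skipped)
    print("applied:", applied.name, "->", applied.action)
```

The `skipped` list is the useful part when reviewing a rule set: it shows which section caused each higher-priority policy to be passed over, which is how a broad catch-all policy ends up deciding an event that a narrower policy was expected to handle.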