Data policies: How they work

Protect your data from leaking out of your company.

Setting up data policies is a bit more advanced than setting up policies for applications, websites, or auditing. They work in a similar manner, but have more sections that need to be configured.

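These extra sections are:

  • Data classifications section
  • More advanced Actions section
  • Options for clipboard and screen capture

You will also learn how data policies are evaluated.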

 

 

 Data classifications section

Here you can specify the data which the policy will target. Click Browse and pick one or more available classifications (learn how to create data classifications here). You can also enter the name of the classification into the search bar.

If you choose All data, the policy will apply to all file transfers to the specified destination types (e.g. to all data sent via email, all data uploaded to the web, all data copied to external devices, etc.). Such general policies are well suited to setting baseline limits on what is allowed and what is not.

During evaluation, a policy is applied to files that match ANY of its data classifications (OR relationship between data classifications).

Disabled data classifications do not show up in policies.

 

 More advanced Actions section

You can choose what action will be performed when the policy is applied:

  • Allow – if the policy is matched, no logs are created about the activity.
  • Log – the policy silently logs both allowed activities and activities that violate the policy.
  • Notify – the user is notified that their activities violate a policy. If they perform the activity, it is logged. Allowed activities are also logged. Safetica does not log: Delete, Create, Rename, Copy/Move within one physical storage (exceptions: destination is a cloud folder).
  • Block – activities that violate a policy are completely blocked and logged. Allowed activities are only logged.
  • Block (with override) – certain users are allowed to override a blocking policy, if they have a reason for it. The activity is logged.

 

You can also choose to which destinations and destination groups in your Workspace the policy will apply:

  • All destinations - the policy will apply to all destinations in your Workspace
  • All except safe destinations - the policy will apply to destinations in the Unassigned and Untrusted columns
  • Only safe destinations
  • Only unassigned destinations
  • Other... - you can choose specific destination groups to which the policy will apply

Example: In a company, uploads to all file shares are blocked. The only exception is an upload to a file share that is part of the company’s intranet and is considered a safe destination in the company’s workspace.

 

 Options for clipboard and screen capture

Here you can choose whether to block copying to the clipboard or screen capture.

These options are available only when you select a data classification in section

 

How data policies are evaluated

Data policies follow the same evaluation system as application, web, and auditing policies.

A policy is applied when ALL its sections are matched (AND relationship between sections). If they are not all matched, the evaluation continues with lower-priority policies.

 

Example: An admin has 3 policies. A user from the Graphics team uploads a file. A policy that does not contain the Graphics team is skipped. Another policy contains the Graphics team, but does not contain Web upload, so it is skipped. The third policy is a general one for the whole company, so it is applied.
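The evaluation order described above can be modelled in a few lines. This is an added illustration, not Safetica's code: the class and field names, the policy names and their actions are constructed, and treating every section as a set with OR inside it is an assumption (the page states OR only for data classifications).

```python
from dataclasses import dataclass
from typing import Optional, Set

ANY = None  # modelling convention: an unrestricted section (e.g. "All data")

@dataclass
class Policy:
    name: str
    action: str                              # Allow / Log / Notify / Block ...
    users: Optional[Set[str]] = ANY
    channels: Optional[Set[str]] = ANY
    classifications: Optional[Set[str]] = ANY
    destinations: Optional[Set[str]] = ANY   # destination groups

@dataclass
class Event:
    user_groups: Set[str]
    channel: str
    classifications: Set[str]                # classifications the file matched
    destination_group: str

def section_matches(section, values):
    # OR inside a section: one shared value is enough.
    return section is ANY or bool(section & values)

def evaluate(policies, event):
    """Walk policies from highest to lowest priority; the first one whose
    sections ALL match (AND between sections) decides the action."""
    for p in policies:
        if (section_matches(p.users, event.user_groups)
                and section_matches(p.channels, {event.channel})
                and section_matches(p.classifications, event.classifications)
                and section_matches(p.destinations, {event.destination_group})):
            return p.name, p.action
    return None  # assumption: the page does not say what happens with no match

# Constructed policy set mirroring the three-policy example (highest priority first).
POLICIES = [
    Policy("Sales contracts", "Block", users={"Sales"}, classifications={"Contracts"}),
    Policy("Graphics email", "Notify", users={"Graphics"}, channels={"Email"},
           classifications={"Design assets", "Contracts"}),
    # "All except safe destinations" = the Unassigned and Untrusted columns
    Policy("Company-wide", "Log", destinations={"Unassigned", "Untrusted"}),
]

upload = Event({"Graphics"}, "Web upload", {"Design assets"}, "Unassigned")
email = Event({"Graphics"}, "Email", {"Contracts"}, "Safe")

if __name__ == "__main__":
    print(evaluate(POLICIES, upload))  # ('Company-wide', 'Log')
    print(evaluate(POLICIES, email))   # ('Graphics email', 'Notify')
```

Running a model like this over a planned policy list is a quick way to spot a specific policy that is shadowed by a broader one placed above it.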

 
