Safetica Knowledge Base

PROTECTION: Set up your data protection

POLICIES

Data policies: How to create data policies

Protect your data from leaking out of your company. Learn how to set up data policies and configure additional sections, including data classifications, actions, and options for clipboard and screen capture.

Introduction

Creating data policies is a bit more advanced than creating policies for applications or websites. They work in a similar manner but have more sections that need to be configured. Before creating a data policy, have a look at setting up policies for applications and websites.

How to create a data policy

✍️Data policies follow the same evaluation system as application, web, and auditing policies.

To create a new data policy, navigate to Policies > Data and Add policy. Data policies have the following extra sections:

Data classifications
More advanced Policy actions
Destination types
Options for clipboard and screen capture

✍️A newly created policy is disabled by default. You can enable it:

in the policy detail by changing the policy status on the right side or
by toggling the button in the list of policies in the Data tab of the Policies section

1. Data classifications

Here you can specify the data that the policy will target.

By default, All data is selected, applying the policy to all files transferred to specified destination types (e.g. to all data sent via email, all data uploaded to the web, all data copied to external devices, etc).
To modify that, click Browse and select one or more data classifications (learn how to create data classifications here). Only files classified with selected data classification(s) will be affected by the policy.

✍️The policy will apply to files that match ANY of the selected data classifications (OR relationship)

❗Disabled data classifications do not show up in policies.

2. More advanced policy actions

You can choose what policy action should happen when the policy is applied (i.e. the user transfers files to a selected destination):

Allow: The file operation is allowed, and no records are created about it.
Log: The file operation is silently recorded without the user being notified. The policy silently records both allowed operations and operations that violate the policy.
Notify: The user is shown a notification that the operation violates a policy. There are 2 types of notifications, depending on the destination type:
1. Interactive notifications: For web upload, email, instant messaging, and git, the notification allows the user to choose whether to proceed or cancel the operation. If the user decides to proceed, the action is performed and recorded.
2. Informational notifications: For print, virtual print, Remote file transfer (RDP), external storage devices (USB, memory cards etc.), network file share (SMB etc.), and cloud drive upload, the notification serves as an informational message only. The user cannot cancel the operation via the notification – the operation is performed and recorded.

Allowed activities are recorded without displaying a notification to the user. Safetica does not record: Delete, Create, Rename, Copy/Move within one physical storage (exceptions: destination is a cloud folder).

Block: Activities that violate a policy are completely blocked and recorded. Allowed activities are only recorded.
Block (with override): Certain users are allowed to override a blocking policy, if they provide a reason for performing the file operation. The reasoning is linked to the record about the file operation. If they choose to override the policy, the operation proceeds and is recorded; otherwise, it’s blocked and recorded.

🍏macOS devices: Block (with override) is not supported on macOS.

Learn more about the differences in features between Windows and macOS here.

If you want to learn more about Dynamic action, read this article.

What destinations does this policy apply to?

In the drop-down below, you can also select to which destinations and destination groups from your Data destinations the policy will apply. This allows the policy to be specifically applied to files transferred to chosen destinations:

All destinations: The policy will apply to all data destinations.
All except safe destinations: The policy will apply to destinations in the Unassigned and Untrusted columns.
Only safe destinations
Only unassigned destinations
Other...: You can choose specific destination groups to which the policy will apply.

Example: In a company, uploads to all file shares are blocked. The only exception is upload to a file share that is part of the company’s intranet and is considered a safe destination.

✍️By clicking Advanced control of individual destination types, you can configure distinct settings (both action and destination) for each destination type.

3. Destination types

The core of each data policy is selecting destination types, such as Email, Web upload, External storage devices, etc.

Here you can find more details about individual destination types:

Destination type	Details
🍏AirDrop	You can audit and block file transfer via Apple AirDrop. The content of files is analyzed. If you transfer multiple files and one is blocked, the whole operation will be blocked.
Cloud drive upload	Safetica supports six cloud drives: Box, Dropbox, Google Drive, M365 OneDrive Business, M365 SharePoint, and OneDrive Personal. Both file transfers to locally synchronized folders and uploads to corresponding websites can be controlled by the policy.
Email	Safetica Client analyzes the email body for sensitive content. The policy applies only to emails sent from supported desktop email clients. Does not apply to webmails. Email attachments sent via webmail can be controlled by the Web upload destination type. If you have Outlook protection activated, you can also audit and protect outgoing emails in Outlook on the web. Supported email clients can be found here.
M365 file sharing	Available only as part of Safetica Cloud Protection. You can audit and cancel file sharing within Microsoft 365.
Git	Performing git push (i.e. data upload from local directories into remote Git repositories). 🍏Not supported for macOS devices.
Instant messaging	Applies to files sent via supported instant messaging applications. Applications must be categorized as Instant messaging and VOIP software. The content of messages is not analyzed. Supported instant messaging apps can be found here.
Network file share (SMB etc.)	File transfer to network file shares. 🍏macOS devices: supported, but without advanced control of individual destination types.
Print	Printing in general.
Remote file transfer (RDP)	Applies to remote file transfers over RDP and TeamViewer (on Windows devices only). The policy must be active for the Safetica Client running on the host device. 🍏Not supported for macOS devices.
Removable storage (USB, memory cards, etc.)	File transfer to removable storage devices. Applies only to devices connected as USB mass storage or Windows Portable Device.
Virtual print	Applies only to virtual printing into files. 🍏Not supported for macOS devices.
Web upload	File uploads via web browser to all websites irrespective of their category. Web upload also affects: sending files via instant messaging websites, email attachments sent via webmails, and uploading files to cloud drives in web browser.

🍏Learn more about the differences in features between Windows and macOS here.

4. Options for clipboard and screen capture

Block copy to clipboard and Block screen capture are available only when a data classification is selected. They apply to the chosen data classification itself, not to any specific policy. This means they will be enforced in all policies that include the selected data classification.

🍏macOS devices: These options are not supported on macOS. Learn more about the differences in features between Windows and macOS here.

Extend your data protection by blocking copying to the clipboard (up to 160 symbols without sensitive content are allowed, more than 160 symbols are always blocked) or block screen capture.

FAQ

Q: Does Safetica block or audit FTP operations? Can I control FTP file transfer?

A: No, Safetica does not support auditng or blocking FTP file transfers.

Q: Can I create a policy to audit or block git on macOS?

A: No, auditing or blocking git on macOS is not supported yet.

Q: How can I block file uploads to all instant messaging (IM) applications except for a specific one (e.g., WhatsApp), without blocking the running of the apps themselves?

A: To allow uploads for a specific IM application while blocking others, change its category for both applications and websites from Instant messaging and VoIP software to a different category (learn more here). This will prevent data policies targeting Instant messaging from applying to the selected app.

Q: Can Safetica protect against copy and pasting?

A: Yes, it can. Create a data policy, and in the Options section, select Block copy to clipboard.

Q: Can Safetica protect against making screenshots?

A: Yes, it can. Create a data policy, and in the Options section, select Block screen capture.

Q: Can Safetica prevent a user from deleting sensitive files or sensitive data?

A: No, Safetica does not audit or block delete operations, since they are not related to data loss.

Q: How can I protect files from a specific folder or file path? How can I set up a data protection policy with a specific source file path for specific file transfers?

A: Create a data classification with the File type element. Then, create a data policy linked to this data classification.