DLP policy basics
Posted by Štěpán Horký, Last modified by Štěpán Horký on 11 June 2019 03:32 PM

DLP policy priority

DLP policies are prioritized by the top-to-bottom order in which they are listed.

The DLP policy system is based on a few main principles:

  • When more than one policy applies to a user's action, the rule setting in the highest-listed policy overrides the settings in all policies below it.
  • It's recommended to use general and less strict policies in the lower part of your policy list, and more specific or strict policies in the upper part of your policy list.
  • If you need to create an exception for a user, simply create a new policy with an overriding setting, assign it to the user, and place it above the more general policy.

You can learn more about policy configuration here.

Here's an example of a recommended company configuration of DLP policies:

Policy types used in the table: general policy, content data policy, context data policy

| Priority | Policy name | Upload | E-mail | Cloud | Policy applied to | What does this setting mean? |
|---|---|---|---|---|---|---|
| 1 | Exception for CEO | Log | Log | Log | CEO | The CEO can do everything, all their actions are only logged. |
| 2 | Construction data policy | Block | Block | Block | manufacturing department | The manufacturing department can't transfer construction data anywhere. |
| 3 | Sensitive data policy | Block | Notify | - | whole company | Sensitive data can't be uploaded; e-mail with sensitive data shows a notification. Cloud setting is inherited from lower applicable policies. |
| 4 | Department manager exception | - | - | Allow | finance department manager | The finance department manager can use cloud sync. Upload and e-mail settings are inherited from lower applicable policies. |
| 5 | Department policy | Block | - | Block | finance department | Finance department can't upload files and use cloud sync. E-mail setting is inherited from lower applicable policies. |
| 6 | Company base policy | Log | Log | Log | whole company | All actions are logged in the whole company. |
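
The resolution rule in the table above can be checked with a short model. This is an added example, not Safetica's code: it walks the list from the top and, for each channel, takes the first explicit setting from a policy that applies to the user and the data, treating "-" as "inherit from lower policies". The group labels, the data category names and the way data policies are matched to a data category are assumptions made for the sketch.

```python
# Added illustration, not Safetica code. Rows mirror the example table, top
# (priority 1) to bottom. None stands for "-" (inherit from lower policies).
CHANNELS = ("upload", "email", "cloud")

def rules(upload, email, cloud):
    return dict(zip(CHANNELS, (upload, email, cloud)))

# (policy name, group it is applied to, data category or None = any data, rules)
# Group labels and data categories are assumed names for this sketch.
POLICIES = [
    ("Exception for CEO", "ceo", None, rules("Log", "Log", "Log")),
    ("Construction data policy", "manufacturing", "construction", rules("Block", "Block", "Block")),
    ("Sensitive data policy", "company", "sensitive", rules("Block", "Notify", None)),
    ("Department manager exception", "finance-manager", None, rules(None, None, "Allow")),
    ("Department policy", "finance", None, rules("Block", None, "Block")),
    ("Company base policy", "company", None, rules("Log", "Log", "Log")),
]

def effective_settings(groups, data_category=None):
    """Resolve each channel to (action, deciding policy) for one user action."""
    decided = {}
    for name, target, category, policy_rules in POLICIES:  # top to bottom
        if target not in groups:
            continue  # policy is not assigned to this user
        if category is not None and category != data_category:
            continue  # data policy for a different kind of data
        for channel in CHANNELS:
            action = policy_rules[channel]
            # First explicit setting from the top wins; "-" falls through.
            if action is not None and channel not in decided:
                decided[channel] = (action, name)
    return decided

if __name__ == "__main__":
    users = {
        "finance manager": {"company", "finance", "finance-manager"},
        "finance clerk": {"company", "finance"},
        "CEO": {"company", "ceo"},
    }
    for label, groups in users.items():
        for category in (None, "sensitive"):
            print(label, category or "other data", effective_settings(groups, category))
```

Printing the deciding policy next to each action makes it easy to review which exception is responsible for a permissive result, such as the CEO's sensitive-data upload being logged rather than blocked.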

DLP policy types

A. General policy

General policies affect and manage entire communication channels, e.g. all e-mail messages, all uploads, all external devices, etc.

Tip: General policies are great for setting general limitations of what is allowed and what is not, and they are best used at the bottom of your DLP policy list.

B. Data policy

Data policies manage and protect specific data categories, for example:

  • regulatory compliance data, such as personal identification numbers, credit card numbers, HIPAA-related terms, etc.
  • custom keywords or regular expressions
  • already classified data, e.g. files labeled as "Internal", "Sensitive", etc.
  • data classified by Safetica, e.g. files stored in a shared network location, intranet downloads, CRM exports, etc.

Tip: Data policies are best used in the upper part of your policy list, where they can override general policies.

C. Application policy

Application policies manage applications and how they are allowed to work. They are applied to application categories. To manage a single application, create a new application category and apply your policy to it.

Tip: Application policies are best used in the upper part of your policy list, mixed with data policies and sorted by your preferred priority.