Data Owner Exception - Differences between the exception settings

Article ID: 159413

Products

Data Loss Prevention Network Monitor

Issue/Introduction

The goal is to set up the ignore function for data owners in EDM. However, part of the feature does not appear to behave as expected. When ignoring based on recipient, there is a choice between "All Recipients" and "Any Recipients".

With "Any Recipients" selected, a test message that has multiple recipients, one of whom has data they own in the message, is correctly ignored by DLP and does NOT create an incident.

With "All Recipients" selected, the expectation is that ALL of the recipients must have data they own in the message; otherwise the ignore does not apply and an incident is created. However, when the same test message is sent through, it does NOT create an incident.

What is the functional difference between the two settings?

Resolution

For example, consider the following sample EDM rows:

Password   Email1              Email2              Domain
xzy686     [email protected]   [email protected]   symc.com
ghj780     [email protected]   [email protected]   symc.com

 

The following scenarios could occur:

 

- The first case is when the All Recipients exception is configured on both Email fields.

1. If the email contains the data "xzy686" and has [email protected], [email protected] in the To list, the ignore should apply under All Recipients, and no incident should be created.

2. If the email contains the data "xzy686" and the recipients are [email protected], [email protected], [email protected], then there is a violation and an incident should be created. Here admin3 does NOT own "xzy686".

3. If the email contains all 4 recipients from both rows ([email protected], [email protected], [email protected], [email protected]) and the sensitive data from both rows, "xzy686" and "ghj780", then there is also a violation and an incident should be created. In this case admin1 and admin2 do not own the data "ghj780", and admin3 and admin4 do not own the data "xzy686".

With the Any Recipient exception, all three cases above will be ignored without generating incidents.

 

- The second case is when the data owner exception for All Recipients is created on the Domain field.

1. In the sample data above, both rows contain the same Domain value. Hence, if all recipients in the email's To list have addresses that belong to symc.com and the email contains the sensitive data "xzy686" and/or "ghj780", the email will be ignored, because the same domain owns the data from both rows.

2. However, if the same email also has one or more recipient addresses that belong to any domain other than symc.com, the email should generate an incident.

Again, both of the cases above will be ignored by the Any Recipient exception without generating incidents.
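
The scenarios above can be checked with a small model of the two settings. This is an added example, not product code or the vendor's implementation: the function names, the "all"/"any" mode strings and the admin1 to admin4 addresses are assumptions (the page shows the real addresses redacted), and the logic is inferred only from the cases listed in this article.

```python
# Constructed rows mirroring the article's sample table. The addresses are
# stand-ins (assumption): the page shows the real ones redacted.
EDM_ROWS = [
    {"Password": "xzy686", "Email1": "admin1@symc.com",
     "Email2": "admin2@symc.com", "Domain": "symc.com"},
    {"Password": "ghj780", "Email1": "admin3@symc.com",
     "Email2": "admin4@symc.com", "Domain": "symc.com"},
]
EMAIL_FIELDS = ("Email1", "Email2")
DOMAIN_FIELD = ("Domain",)


def owns(recipient, row, owner_fields):
    """True if the recipient's address or its domain is in an owner field."""
    addr = recipient.strip().lower()
    keys = {addr, addr.rsplit("@", 1)[-1]}
    return any(row[f].lower() in keys for f in owner_fields)


def creates_incident(body, recipients, owner_fields, mode):
    """Hypothetical model: does the message still raise an incident?"""
    matched = [r for r in EDM_ROWS if r["Password"] in body]
    if not matched:
        return False          # no EDM data detected, nothing to report
    if not recipients:
        return True           # no owner to attribute; never excepted vacuously
    pairs = [owns(rc, row, owner_fields) for rc in recipients for row in matched]
    if mode == "all":         # every recipient must own every matched row
        return not all(pairs)
    if mode == "any":         # one owning recipient is enough
        return not any(pairs)
    raise ValueError("mode must be 'all' or 'any'")
```

Running a policy test message through each numbered case and comparing the product's result with this model shows quickly whether an "All Recipients" exception is behaving like "Any Recipients".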