Data Control Deployment Guide

Creating Data Control policy rules requires both planning and testing. It is also important to choose rules that best suit your organization, and then configure them in a way that prevents data loss. Review the guidelines shown below before testing and implementing rules that are based on SophosLabs Content Control Lists (CCLs).

Note
This document describes the configuration, testing, and implementation of SophosLabs rules only. If you are using custom CCLs, they must be created and edited in Sophos Enterprise Console. For more information, see the Enterprise Console documentation.

Best Practices

There are various considerations when creating a data control policy for your organization. Review the following guidelines before creating data control rules on the Sophos Email Appliance:

  • Content scanning is resource-intensive and can affect appliance performance, so weigh this before creating content rules or enabling a large number of CCLs. Test the impact of a content rule before applying it to a large number of users, and deploy the policy first to a small group of pilot users so that the data control events it triggers are easier to analyze.
  • Create different policies for different groups. For example, you may want to allow users within the finance department to transfer financial information outside of your organization, but prevent all other groups from doing so.
  • Consider what types of information you want to identify and create rules for. Sophos provides a set of sample policy rules on the Outbound tab of the Data Control page that you can use to help build your data control policy.
  • Although logging of rules based on Content Control Lists (CCLs) is off by default, you can enable various levels of logging in the rule configuration section of the Policy Configuration Wizard. Keep in mind that, in a production environment, selecting Include matched text stores the matched sensitive data on the appliance in unencrypted form, and that data may also be backed up, still unencrypted, to your FTP server.

Deploying CCL-Based Rules

  1. Inspect the initial configuration

    Several disabled default rules are provided on the Outbound tab of the Configuration > Policy > Data Control page. You can use these default rules to see which messages cause particular rules to trigger. By default, logging and copying to the quarantine are disabled.

    See the Description box on the Rule Type page of the Policy Wizard for details of the selected rule.

    1. Select a rule: Click on a default rule that matches the type of sensitive data you want to secure. This will open the Policy Wizard for the data control policy rules, where you can review the settings of the rule, and adjust them to match your requirements.
    2. Configure the CCL(s): On the Rule Config page of the Policy Wizard, you can check that suitable CCLs are enabled, and you can configure the quantity for each CCL.
      Note
      The quantity is the weighted number of matches a CCL must find in a message before the rule triggers. Increasing the quantity makes the rule less likely to trigger; decreasing it has the opposite effect.
    3. Select the users: When configuring the rule, you want to ensure that its impact is limited. With this in mind, select a small test group of pilot users for whom the rule will be used.
    4. Select a Main Action: Selecting Quarantine and continue as the rule's main action makes it simpler to check the effectiveness of the rule, because the message is retained for review while the rule keeps processing.
    5. Check notifications: Ensure that notifications are sent to the correct people for testing purposes.
    6. Save and activate the rule: Save the rule, then make it active by clicking the Turn On button next to the rule name.
  2. Calibrate and test data control rules

    You should audit and calibrate a rule's effectiveness before deploying it for all of your users.

    1. Enable logging: On the Rule Config page of the Policy Wizard, you can set the logging level for each rule. The progressive log levels each provide more information as to why a rule was triggered and allow you to monitor the effectiveness of the rules for your particular application. While testing, it is recommended that you select all of the following:
      • Log CCL violations adds log entries showing which CCL triggered.
      • Include matched text also records the exact text that triggered the rule.
        Note
        Logging matched text causes sensitive data to be stored on the appliance, and, potentially, backed up to your FTP server. The data is stored in a format that is not encrypted.
      • Include partial matches adds log entries whenever a message contains many of the characteristics identified in a CCL, but not enough to trigger the rule.
    2. Adjust the quantity setting for each rule: Each CCL has a quantity setting that can be adjusted on the Rule Config page of the Configuration > Policy > Data Control Policy Wizard. If, after examining your logs, you find that a CCL is triggering too frequently, you can adjust the quantity setting upwards to decrease sensitivity.
      Important
      The default quantity settings of CCLs are designed to balance false positives against the risk of accidental data loss. To test a given CCL, set its quantity to 1 initially, so that every weighted match is visible in the logs, then adjust it upward if necessary.
    3. Test the rule: After you have selected and configured a rule, check that it is working as you expect. To allow a more thorough analysis of the rule's operation, you can configure additional actions that provide more extensive information:
      • If logging is enabled, you can notify the administrator by using the %%CCL_HITS%% template variable, which sends the administrator the data that triggered the rule.
        Note
        This template variable contains only the data that caused the rule to trigger; once the rule triggers, it stops processing and registers a violation. The triggering email may contain additional sensitive data, which you can see only by viewing the email itself.
      • Copy the message to the quarantine. The administrator can then view the entire message that triggered the rule.
    4. Search the mail logs: You can use the Search tab to check the logs and quarantine to see what effect the adjustment has had. Now you can see whether the CCLs are triggering, and what is causing them to trigger. To do this:
      • Perform a log search on the Search tab.
      • Click View log details.
      • In the popup that opens, the Content inspection tab lists which CCLs triggered.
      • To view the data that caused a specific CCL violation or warning, click the expand (+) icon next to that CCL. Red icons indicate violations; yellow icons indicate warnings. Click Expand All to view details of all CCLs.
    5. Search the quarantine: Since log searches show only the data that caused the rule to trigger, you may also want to view the entire message in the quarantine. To do this:
      • Perform a quarantine search by way of the Search tab.
      • Click on the email you want to view.
      • Click View message details to display the Message Details popup.
      You can view the complete message on the Body tab, and information about the data control policy rule that triggered on the Info tab.
    6. Adjust rule settings: If the rule is not working as expected, you can:
      • Change the selection of CCLs that the rule uses.
      • Change the Quantity setting for a CCL.

    After changing the settings, check the effectiveness of the rule again, using the steps described above. Continue to refine the settings until the rule works the way you want it to. If you still experience unexpected behaviour with data control policies or CCLs, contact Sophos Technical Support, or consider consulting Sophos Professional Services.

  3. Production Deployment

    After you are satisfied that the rule is working as expected, you can activate the rule for all intended users. For email that triggers the rule, it is suggested that you choose one of the following common actions:
    • Encrypt the message using SPX encryption.
    • Block the message and notify the sender.
    • Quarantine the message for further review.
    These options can be selected on the Main Action page of the Policy Wizard.

    After activating the rule, consider whether to disable the logging and quarantining that you enabled for testing. In particular, Include matched text keeps storing unencrypted sensitive data on the appliance (and potentially on your FTP backup) for as long as it is enabled.
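The following Python model shows how the quantity threshold and the three logging checkboxes described in the calibration steps above interact. It is an added example, not Sophos code, and the appliance's real CCL definitions and scoring are not published in this guide. The model assumes that a CCL is a list of (regex, weight) pairs, that a message's score for a CCL is the sum of the weights of all its matches, and that the rule stops processing at the first CCL whose score reaches its quantity; the card-number CCL, the sample messages and the 4111 1111 1111 1111 test number are constructed for illustration.

```python
"""Toy model of CCL quantity thresholds and log levels (added example, not Sophos code).

Assumptions, not taken from the guide: a CCL is a list of (regex, weight) pairs,
a message's score for the CCL is the sum of the weights of every match, and the
rule triggers on the first CCL whose score reaches its configured quantity.
"""
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass
class CCL:
    name: str
    patterns: List[Tuple[str, int]]  # (regex, weight credited per match)
    quantity: int = 1                # weighted matches needed to trigger


@dataclass
class LogLevel:
    """The three logging checkboxes on the Rule Config page."""
    ccl_violations: bool = False
    matched_text: bool = False
    partial_matches: bool = False


def score_ccl(ccl: CCL, text: str) -> Tuple[int, List[str]]:
    """Weighted match count for one CCL, plus the fragments that matched."""
    total, hits = 0, []
    for regex, weight in ccl.patterns:
        for m in re.finditer(regex, text, flags=re.IGNORECASE):
            total += weight
            hits.append(m.group(0))
    return total, hits


def evaluate(ccls: List[CCL], message: str, log: LogLevel) -> Tuple[Optional[str], List[Dict]]:
    """Return (name of the CCL that triggered, or None) and the log entries written."""
    entries: List[Dict] = []
    for ccl in ccls:
        score, hits = score_ccl(ccl, message)
        if score >= ccl.quantity:
            if log.ccl_violations:
                entry = {"ccl": ccl.name, "kind": "violation",
                         "score": score, "quantity": ccl.quantity}
                if log.matched_text:  # the unencrypted sensitive data the guide warns about
                    entry["matched"] = hits
                entries.append(entry)
            return ccl.name, entries  # first violation ends processing
        if 0 < score < ccl.quantity and log.partial_matches:
            entries.append({"ccl": ccl.name, "kind": "warning",
                            "score": score, "quantity": ccl.quantity})
    return None, entries


def with_quantity(ccl: CCL, quantity: int) -> CCL:
    """Copy of a CCL with a different quantity, as set on the Rule Config page."""
    return replace(ccl, quantity=quantity)


# Constructed CCL and sample messages, for illustration only.
CARD_CCL = CCL(
    name="Payment card data (constructed)",
    patterns=[
        (r"\b(?:\d{4}[ -]){3}\d{4}\b", 2),  # 16-digit, card-shaped number
        (r"\bcard (?:number|no)\b", 1),     # supporting keyword
        (r"\bexpir(?:y|es|ation)\b", 1),    # supporting keyword
    ],
)
KEYWORD_ONLY = "Hi, please send the card number and expiry for the corporate account."
FULL_DETAILS = "Card number 4111 1111 1111 1111, expiry 12/29. Thanks!"  # well-known test number
BENIGN = "Minutes from the Tuesday meeting are attached."
SAMPLES = {"keyword_only": KEYWORD_ONLY, "full_details": FULL_DETAILS, "benign": BENIGN}


def calibrate(quantity: int, log: LogLevel) -> Dict[str, Optional[str]]:
    """Which sample messages trigger the rule at a given quantity."""
    ccl = with_quantity(CARD_CCL, quantity)
    return {label: evaluate([ccl], msg, log)[0] for label, msg in SAMPLES.items()}


if __name__ == "__main__":
    full = LogLevel(ccl_violations=True, matched_text=True, partial_matches=True)
    for q in (1, 3):
        print(f"quantity={q}: {calibrate(q, full)}")
    # What 'Include matched text' actually writes to the log for the full-details message.
    print(evaluate([CARD_CCL], FULL_DETAILS, full)[1])
```

Running the model at quantity 1 (the recommended starting point for testing) shows the keyword-only message triggering alongside the message that carries a real number; raising the quantity to 3 demotes the keyword-only message to a partial-match warning while the full-details message still triggers. Turning off matched_text keeps the matched fragments, including the card number, out of the log entry, which is the trade-off the guide's warning about unencrypted matched text describes.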

Rule Examples

You can use the sample rules on the Outbound tab as-is, build rules that are based on these rules, or use the Policy Wizard to create new rules. Launch the Policy Wizard by clicking Add on the Inbound or Outbound tab of the Data Control page.

For sample rules that are designed to cover common data control scenarios, see the Data Control Examples in the Sophos Knowledgebase. These examples are only intended to provide guidelines. Configure rules as necessary to address the needs of your organization.