Rule
|
|
---|---|
Any keyword |
A file must contain at least one keyword
in the keyword list.
|
All keywords
|
A file must contain all the keywords in the keyword list. |
All keywords within <x> characters
|
A file must contain all the keywords in
the keyword list. In addition, each keyword pair must be within
<x> characters of each other.
For example, the 3 keywords are WEB, DISK, and USB and the specified number of characters
is
20.
If Data Loss Prevention detects
all keywords in the order DISK, WEB, and USB, the number of characters
from the "D" (in DISK) to the "W" (in WEB) and from the "W" to the
"U" (in USB) must be 20 characters or less.
When deciding on the number of characters, remember that a small number, such as 10,
usually
results in a faster scanning time but only covers a relatively small area. This may
reduce the
likelihood of detecting sensitive data, especially in large files. As the number increases,
the area
covered also increases but scanning time might be slower.
|
Combined score for keywords exceeds threshold
|
A file must contain one or more keywords in the keyword list. If only one keyword
was detected,
the score must be higher than the threshold. If there are several keywords, the combined
score must
be higher than the threshold.
Assign
each keyword a score of 1 to 10. A highly confidential word or phrase,
such as "salary increase" for the Human Resources department, should
have a relatively high score. Words or phrases that, by themselves,
do not carry much weight can have lower scores.
Consider the scores assigned to the keywords when configuring the threshold. For example,
if
there are five keywords and three of those keywords are high priority, the threshold
can be equal to
or lower than the combined score of the three high priority keywords. This means that
the detection
of these three keywords is enough to treat the file as sensitive.
|