Policy Configuration

Define DLP policies by configuring the following settings and deploying the settings to selected agents:

Table 1. Settings that Define a DLP Policy

Rules
A DLP rule can consist of multiple templates, channels, and actions. Each rule is a subset of the encompassing DLP policy.

Data Loss Prevention processes rules and templates by priority. If a rule is set to "Pass", Data Loss Prevention processes the next rule in the list. If a rule is set to "Block" or "User Justification", Data Loss Prevention blocks or accepts the user action and does not process that rule/template further.

Templates
A DLP template combines data identifiers and logical operators (And, Or, Except) to form condition statements. Only files or data that satisfy a certain condition statement are subject to a DLP rule.

Data Loss Prevention comes with a set of predefined templates and allows administrators to create customized templates.

A DLP rule can contain one or several templates. Data Loss Prevention uses the first-match rule when checking templates. This means that if a file or data matches the data identifiers in a template, Data Loss Prevention no longer checks the other templates.

Channels
Channels are entities that transmit sensitive information. Data Loss Prevention supports popular transmission channels, such as email, removable storage devices, and instant messaging applications.

Actions
Data Loss Prevention performs one or several actions when it detects an attempt to transmit sensitive information through any of the channels.

Exceptions
Exceptions act as overrides to the configured DLP rules. Configure exceptions to manage non-monitored targets, monitored targets, and compressed file scanning.

Data Identifiers

Data Loss Prevention uses data identifiers to identify sensitive information. Data identifiers include expressions, file attributes, and keywords which act as the building blocks for DLP templates.
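
The following added example is an illustrative model of the evaluation order described above (rules by priority, first-match templates, And/Or/Except conditions). It is not the product's code or API. The identifier names, the sample policy, the channel names, and the default result of "Pass" when nothing matches are assumptions, and exceptions are not modeled.

```python
import re
from dataclasses import dataclass

# Constructed data identifiers: one expression and two keywords.
IDENTIFIERS = {
    "card_number": lambda d: re.search(r"\b(?:\d{4}[ -]?){3}\d{4}\b", d) is not None,
    "kw_confidential": lambda d: "confidential" in d.lower(),
    "kw_test_data": lambda d: "test data" in d.lower(),
}

# Logical operators a template uses to build a condition statement.
def ident(name): return IDENTIFIERS[name]
def and_(a, b): return lambda d: a(d) and b(d)
def or_(a, b): return lambda d: a(d) or b(d)
def except_(a, b): return lambda d: a(d) and not b(d)

@dataclass
class Rule:
    name: str
    templates: list  # ordered (template_name, condition) pairs
    channels: set
    action: str      # "Pass", "Block" or "User Justification"

def evaluate(policy, data, channel):
    """Walk rules in priority order; return (final action, trace of matches)."""
    trace = []
    for rule in policy:
        if channel not in rule.channels:
            continue
        # First match: stop checking templates once one condition is satisfied.
        hit = next((n for n, cond in rule.templates if cond(data)), None)
        if hit is None:
            continue
        trace.append((rule.name, hit, rule.action))
        if rule.action != "Pass":  # Block / User Justification end processing
            return rule.action, trace
    return "Pass", trace           # assumption: nothing blocking means allowed

# Constructed policy, highest priority first.
POLICY = [
    Rule("log-cards", [("cards", except_(ident("card_number"), ident("kw_test_data")))],
         {"email", "usb"}, "Pass"),
    Rule("block-usb", [("conf-cards", and_(ident("card_number"), ident("kw_confidential"))),
                       ("conf", ident("kw_confidential"))], {"usb"}, "Block"),
    Rule("justify-email", [("conf", ident("kw_confidential"))], {"email"}, "User Justification"),
]

if __name__ == "__main__":
    sample = "CONFIDENTIAL: card 4111 1111 1111 1111"  # constructed input
    print(evaluate(POLICY, sample, "usb"))
    print(evaluate(POLICY, sample, "email"))
```

The trace shows why rule order matters when auditing a policy: a "Pass" rule placed first records a match without shadowing the lower-priority "Block" rule, while within a rule only the first matching template is reported.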