Data Loss Prevention Policy

Data Loss Prevention (DLP) controls accidental data loss. DLP enables you to monitor and restrict the transfer of files containing sensitive data.

For example, you can prevent a user from sending a file containing sensitive data home using web-based email.

You do this by creating rules. You then add the rules to policies, as described below. You can then apply these policies to users, computers and Windows servers.

Data Loss Prevention (DLP) policies include one or more rules that specify conditions and actions to be taken when the rule is matched. When a DLP policy contains several rules, a file that matches any of the rules in the DLP policy violates the policy. A rule can be included in multiple policies. You can add text to the messages shown on protected endpoints or Windows servers when the rules are triggered. There are two types of message:

  • A confirmation notification that asks the user to confirm the file transfer.
  • A block notification that informs the user that they cannot transfer the file.

You can create custom policies or policies from templates. The templates cover standard data protection for different regions. You can apply these policies to users, computers or Windows servers. See About Policies.

Go to Endpoint Protection > Policies to apply DLP.

To set up a policy, do as follows:

  1. Choose whether you want to create a policy from a template or a custom policy.
    • To use a template, select a region and a template and click Create from Template. This adds a pre-defined rule to the policy.

      To add more rules, click Add.

    • To create a custom policy, click Create Custom Policy and click Add. Choose whether you want to use an existing rule or create a new rule. Select the rules you want to add and click Add.
  2. Turn on the options in the Messages For End Users area and click the option names to add your own message to the standard confirmation and block notifications. Each message can have a maximum of 100 characters.
    Note: You can turn off either or both of these messages. The standard notification is shown on the endpoint or server. If you leave the message box blank, the standard notification is shown.
    1. Enter the message text.
    2. Click Finish.