Defining a data control policy

The data control policy enables you to manage the risk of sensitive data leaving managed computers by accident. Its scope is accidental transfer, not a determined user who sets out to exfiltrate data.

Each company will have its own definition of sensitive data. Common examples include:

  • Customer records containing personally identifiable information.
  • Financial data such as credit card numbers.
  • Confidential documents.

When the data control policy is enabled, Sophos monitors user actions at common data exit points:

  • Transfer of files onto storage devices (removable storage, optical media, and disk-based media).
  • Upload of files into applications (corporate web browsers, email clients, and IM clients).

A data control rule is made up of three elements:

  • Items to match: Options include file content, file types, and file names.
  • Points to monitor: Monitoring points include storage types and applications.
  • Actions to take: "Allow file transfer and log event" (monitor mode), "Allow transfer on acceptance by user and log event" (training mode), and "Block transfer and log event" (restricted mode). All three actions log the event; they differ only in whether the transfer proceeds without user involvement, after the user accepts a prompt, or not at all.

For example, a rule can log every spreadsheet uploaded through Internet Explorer (monitor mode), or allow customer addresses to be copied to a DVD only after the user has confirmed the transfer (training mode).

Defining sensitive data based on content can be complex. Sophos simplifies this task by providing a pre-built library of sensitive data definitions, known as Content Control Lists. The library covers a wide range of personally identifiable and financial data formats and is kept up to date by Sophos. As necessary, you can also define custom Content Control Lists. Whichever definitions you use, expect some false matches from content-based rules; running a new rule in monitor mode first lets you review the logged events before moving it to training or restricted mode.
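The following is an added illustrative model, not Sophos code, of how the three rule elements above (items to match, points to monitor, action to take) combine with a content-based definition. It assumes a small set of exit-point names, a simplified "file type" check based on file extension, and a precedence rule (most restrictive action wins when several rules match); none of these assumptions describe the actual Sophos implementation. The payment-card content check shows why content matching is harder than name or type matching: a digit-run regex alone over-matches, so a Luhn checksum is used to discard most false candidates.

```python
"""Illustrative model of a data control rule set: items to match, points to
monitor, and an action to take.  Added teaching example, not Sophos code;
the rule fields, exit-point names and precedence rule are assumptions."""
import re
from dataclasses import dataclass, field
from enum import Enum
from fnmatch import fnmatch
from typing import Callable, Optional


class Action(Enum):
    """The three actions; the value ranks severity (higher = more restrictive)."""
    ALLOW_AND_LOG = 1     # monitor mode
    CONFIRM_AND_LOG = 2   # training mode: user must accept before transfer
    BLOCK_AND_LOG = 3     # restricted mode


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over a digit string; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or hyphens.
_CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_card_numbers(text: str) -> list:
    """Content match for payment card numbers: regex candidates filtered by Luhn.

    The regex alone over-matches (order numbers, phone numbers); the checksum
    removes most of those false positives."""
    hits = []
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


@dataclass(frozen=True)
class TransferEvent:
    """One user action at a data exit point (constructed sample input)."""
    filename: str
    exit_point: str   # assumed names: "removable storage", "optical media", "web browser", ...
    content: str = ""


@dataclass
class DataControlRule:
    name: str
    # Items to match (any one is enough for the rule to match)
    file_name_patterns: list = field(default_factory=list)   # glob patterns, lower case
    file_extensions: list = field(default_factory=list)      # stand-in for real file-type detection
    content_check: Optional[Callable[[str], list]] = None    # returns the matches found
    # Points to monitor
    exit_points: set = field(default_factory=set)
    # Action to take
    action: Action = Action.ALLOW_AND_LOG

    def matches(self, ev: TransferEvent) -> bool:
        if ev.exit_point not in self.exit_points:
            return False          # this rule does not monitor that exit point
        name = ev.filename.lower()
        if any(fnmatch(name, p) for p in self.file_name_patterns):
            return True
        if any(name.endswith("." + ext) for ext in self.file_extensions):
            return True
        return bool(self.content_check and self.content_check(ev.content))


def decide(rules, ev: TransferEvent):
    """Return (action, names of matching rules).  Assumption of this model: when
    several rules match, the most restrictive action wins; no match = unlogged allow."""
    hit = [r for r in rules if r.matches(ev)]
    if not hit:
        return None, []
    return max((r.action for r in hit), key=lambda a: a.value), [r.name for r in hit]


# Rules mirroring the examples in the text, plus a content-based card-number rule.
RULES = [
    DataControlRule("log spreadsheet uploads", file_extensions=["xls", "xlsx", "ods"],
                    exit_points={"web browser"}, action=Action.ALLOW_AND_LOG),
    DataControlRule("confirm customer address export", file_name_patterns=["*address*"],
                    exit_points={"optical media"}, action=Action.CONFIRM_AND_LOG),
    DataControlRule("block card numbers", content_check=find_card_numbers,
                    exit_points={"removable storage", "optical media", "web browser", "email client"},
                    action=Action.BLOCK_AND_LOG),
]

# Constructed sample events; 4111 1111 1111 1111 is the well-known Visa test number
# (Luhn-valid), while 1234 5678 9012 3456 looks like a card number but fails Luhn.
SAMPLE_EVENTS = [
    TransferEvent("q3_forecast.xlsx", "web browser"),
    TransferEvent("customer_addresses.csv", "optical media"),
    TransferEvent("notes.txt", "removable storage", "card on file: 4111 1111 1111 1111"),
    TransferEvent("invoice.txt", "removable storage", "order ref 1234 5678 9012 3456"),
    TransferEvent("cards.xlsx", "web browser", "4111-1111-1111-1111"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        action, names = decide(RULES, ev)
        verdict = action.name if action else "no rule matched"
        print(f"{ev.filename:24s} -> {ev.exit_point:17s} : {verdict} {names}")
```

The last sample event matches both the spreadsheet rule and the card-number rule; the model resolves that by applying the block, which is the behaviour you would want from any rule engine so that a permissive monitor-mode rule cannot override a restrictive one.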

As with all Sophos policies, the data control policy continues to be enforced on computers even when they are disconnected from your company's network.