How to roll out a data control policy

By default, data control is turned off and no rules are specified to monitor or restrict the transfer of files onto storage devices or into applications. We recommend that you introduce data control as follows:

  1. Understand how data control works on your computers:
    • Storage devices: Data control intercepts all files copied onto monitored storage devices using Windows Explorer (this includes the Windows desktop). However, direct saves from within applications, such as Microsoft Word, or transfers made using the command prompt are not intercepted.

      It is possible to force all transfers onto monitored storage devices to be made using Windows Explorer by using either the "Allow transfer on acceptance by user and log event" action or the "Block transfer and log event" action. In either case, any attempt to save directly from within an application or to transfer files using the command prompt is blocked by data control, and a desktop alert is displayed to the user requesting that they use Windows Explorer to complete the transfer.

      When a data control policy only contains rules with the "Allow file transfer and log event" action, direct saves from within applications and transfers using the command prompt are not intercepted. This behavior enables users to use storage devices without any restrictions. However, data control events are still only logged for transfers made using Windows Explorer.

      Note This restriction does not apply to application monitoring.
    • Applications: Data control intercepts files and documents uploaded into monitored applications. To ensure only file uploads by users are monitored, some system file locations are excluded from data control monitoring.

      Note If you are monitoring email clients, data control scans all file attachments but does not scan email content. The Sophos Email Security and Data Protection solution can be used if scanning email content is required.
  2. Consider what types of information you want to identify and create rules for. Sophos provides a set of sample rules that you can use to help build your data control policy.
    Caution Content scanning can be a resource-intensive process, and this should be taken into consideration when creating content rules. It is important to test the impact of a content rule prior to rolling it out across a large number of computers.
    Note When creating your first policy, we recommend focusing on the detection of large collections of personally identifiable information within documents. Sophos provides sample rules to meet this requirement.
  3. Enable data control scanning, and select the Allow file transfer and log event action in your rules to detect but not block controlled data.
    Caution We recommend that you configure all rules to use this action for the initial deployment. This will enable you to assess the effectiveness of the rules without impacting user productivity.
  4. Deploy your data control policy to a small number of computers to make it easier to analyze data control events triggered by the policy.
  5. Use the data control Event Viewer to review the events generated by the policy and to check for any weaknesses in the test configuration (for example, a rule that is too sensitive and generates a higher than anticipated volume of events). You can access the Event Viewer by clicking Events > Data Control Events > .
  6. Once the policy has been tested, you can make any required adjustments and roll it out to a larger set of computers within your company. At this stage, you may decide to:
    • Change the actions for some rules as necessary to Allow transfer on acceptance by user and log event or Block transfer and log event.
    • Create different policies for different groups. For example, you may want to allow computers within the human resources department to transfer personally identifiable information, but prevent all other groups from doing so.
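
The review in step 5 and the decisions in step 6 are easier to make in bulk than one event at a time. The following script is an added example, not Sophos code: it assumes that the data control events for the pilot computers have been exported to a CSV whose column names are constructed here (time, computer, user, rule, action, destination, file) and that computer names carry a department prefix; both are assumptions, not the console's actual export format. It counts events per rule, flags rules that fire unusually often per computer (a hint that a content rule is too sensitive), lists the users who would have been stopped had a rule used the block action, and shows which departments triggered each rule, which is the input you need when deciding on per-group policies.

```python
"""Triage exported data control events from a pilot deployment.

Added example, not part of Sophos Enterprise Console. The CSV layout,
the sample rows and the department prefix convention are all constructed
for illustration; adapt the column names to your real export.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export from a handful of pilot computers. Every rule
# uses the detect-only action, as recommended for the first deployment.
# The engineering hits on "Credit card numbers" are build logs and test
# fixtures, i.e. likely false positives worth tuning before blocking.
SAMPLE_EXPORT = """\
time,computer,user,rule,action,destination,file
2024-05-01T09:02:11,HR-PC01,alice,PII - large collection,Allow file transfer and log event,Removable storage,staff_list.xlsx
2024-05-01T09:15:40,HR-PC01,alice,PII - large collection,Allow file transfer and log event,Removable storage,payroll.csv
2024-05-01T10:01:03,FIN-PC07,bob,Credit card numbers,Allow file transfer and log event,Internet browser,report.docx
2024-05-01T10:05:55,FIN-PC07,bob,Credit card numbers,Allow file transfer and log event,Internet browser,notes.txt
2024-05-01T10:06:12,FIN-PC07,bob,Credit card numbers,Allow file transfer and log event,Internet browser,todo.txt
2024-05-01T11:20:00,ENG-PC12,carol,Credit card numbers,Allow file transfer and log event,Email client,build_log.txt
2024-05-01T11:21:30,ENG-PC12,carol,Credit card numbers,Allow file transfer and log event,Email client,test_data.json
2024-05-01T13:44:09,ENG-PC03,dave,PII - large collection,Allow file transfer and log event,Removable storage,customers.xlsx
"""


def parse_events(text):
    """Parse the exported CSV into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def events_per_rule(events):
    """Total number of events each rule generated during the pilot."""
    return Counter(e["rule"] for e in events)


def computers_per_rule(events):
    """Number of distinct computers on which each rule fired."""
    seen = defaultdict(set)
    for e in events:
        seen[e["rule"]].add(e["computer"])
    return {rule: len(computers) for rule, computers in seen.items()}


def noisy_rules(events, max_events_per_computer=2.0):
    """Rules averaging more events per affected computer than the threshold.

    A high ratio means a few machines keep tripping the rule, which is the
    "rule too sensitive" symptom step 5 asks you to look for. The threshold
    is a constructed starting point; tune it to your environment.
    """
    counts = events_per_rule(events)
    computers = computers_per_rule(events)
    return sorted(r for r in counts if counts[r] / computers[r] > max_events_per_computer)


def block_impact(events, rule):
    """Users who would have been stopped had `rule` used the block action.

    Because the pilot ran with "Allow file transfer and log event", every
    logged event is a transfer that went ahead; this is the productivity
    cost you would incur by switching the rule to blocking as-is.
    """
    return sorted({e["user"] for e in events if e["rule"] == rule})


def groups_per_rule(events):
    """Departments (assumed computer-name prefix before '-') that hit each rule.

    Useful for the step 6 decision to allow a rule for one group (for example
    human resources) while blocking it for everyone else.
    """
    groups = defaultdict(set)
    for e in events:
        groups[e["rule"]].add(e["computer"].split("-", 1)[0])
    return {rule: sorted(g) for rule, g in groups.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    print("Events per rule:", dict(events_per_rule(evs)))
    for rule in noisy_rules(evs):
        print(f"Review before blocking: '{rule}' would have stopped {block_impact(evs, rule)}")
    print("Departments per rule:", groups_per_rule(evs))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents and mapping the column names; the rules it flags are the ones to refine (or leave in detect-only mode) before widening the rollout, and the department breakdown tells you whether one policy fits all groups or whether a per-group policy is warranted.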

For more information on setting up data control policy, see the Sophos Enterprise Console help.