Managing incidents

An incident is a record of an application event associated with a possible data leak that has been detected.

When the message content matches the category data and all criteria specified in the policy, the DLP Module generates an incident indicating a violation of this policy. If an email message violates several policies at once, the DLP Module generates one incident per violated policy, so the number of incidents matches the number of policies violated.

Each incident includes information about the incident object (the message that caused an information security violation), the sender and recipients of the message, the policy violated, and service information, such as the incident ID and the time when the incident was generated.

The security officer processes the incidents that have been created by the application. Incident processing may involve, for example, recording the violation and taking technical and organizational measures to improve the protection of confidential data.

Incident status

Incident status reflects the stage of incident processing. When an incident is generated, it is assigned the New status. The security officer changes the incident status over the course of incident processing. Incident processing ends when the security officer assigns one of the Closed (<reason>) statuses to the incident.

Incident status

Status                   | Type   | Description
New                      | Open   | New incident. Incident processing has not started.
In progress              | Open   | An incident investigation is in progress.
Closed (processed)       | Closed | The incident has been processed successfully, and the required measures have been taken.
Closed (false positive)  | Closed | A policy has been violated, but the transmission of protected data was legitimate. There is no information security violation. Policy settings may need to be revised.
Closed (not an incident) | Closed | A policy has been violated, but the transmission of protected data was authorized by a special order. No additional action is required.
Closed (other)           | Closed | The incident has been closed for other reasons.

Incident priority

The incident priority reflects the urgency with which the incident has to be processed. The application assigns an incident priority upon generating the incident (Low, Medium or High). The priority is assigned based on the value specified in the settings of the policy that has been violated.

Incident archive

Closed incidents may be placed in an archive. Incidents placed in an archive are called archived incidents. Incidents placed in an archive are removed from the list of incidents. If necessary, you can restore incidents from the archive and view them in the list of incidents again.

An incident archive is a specially formatted file with the .bak extension. You can create an unlimited number of incident archives.

Archives help to periodically free up the list of incidents by removing closed incidents, thereby optimizing the use of the incident database volume without losing the history of incidents generated and processed.

Statistics and reports

The application displays statistics on new incidents, incidents being processed, and closed incidents. This information helps to evaluate the data protection status and the performance of the security officer. This information can be also used to generate reports.
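The following is an added illustrative model of the workflow described in this section, not the DLP Module's own code: a message is checked against several policies and yields one incident per violated policy (carrying the policy's priority), each incident moves from New through In progress to a terminal Closed (<reason>) status, only closed incidents can be archived and later restored, and the active list is summarised as new / in progress / closed counts. The class and function names, the regex-based category match, the in-memory archive (the real archive is a .bak file) and the sample policies and message are all assumptions made for this example.

```python
"""Illustrative model of DLP incident generation, status workflow, archiving
and statistics. Added example; not the DLP Module's own code. All names,
the regex category match and the in-memory archive are assumptions."""
import itertools
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

OPEN_STATUSES = {"New", "In progress"}
CLOSED_STATUSES = {
    "Closed (processed)", "Closed (false positive)",
    "Closed (not an incident)", "Closed (other)",
}


def is_valid_transition(old: str, new: str) -> bool:
    """New -> In progress, and any open status -> Closed (...). Closed is terminal."""
    if old in CLOSED_STATUSES:
        return False
    if new in OPEN_STATUSES:
        return old == "New" and new == "In progress"
    return new in CLOSED_STATUSES


@dataclass
class Policy:
    name: str
    priority: str   # Low / Medium / High; copied into every incident it raises
    pattern: str    # hypothetical category check: a regex over the message text

    def matches(self, text: str) -> bool:
        return re.search(self.pattern, text) is not None


@dataclass
class Message:
    sender: str
    recipients: list
    body: str


_ids = itertools.count(1)  # stand-in for the application's incident ID allocator


@dataclass
class Incident:
    id: int
    created: datetime
    sender: str
    recipients: list
    policy: str
    priority: str
    status: str = "New"
    history: list = field(default_factory=list)  # (old, new, comment) per change

    def set_status(self, new_status: str, comment: str = "") -> None:
        if not is_valid_transition(self.status, new_status):
            raise ValueError(f"invalid transition {self.status!r} -> {new_status!r}")
        self.history.append((self.status, new_status, comment))
        self.status = new_status

    @property
    def closed(self) -> bool:
        return self.status in CLOSED_STATUSES


def generate_incidents(msg: Message, policies: list) -> list:
    """One incident per violated policy, in policy order."""
    return [
        Incident(id=next(_ids), created=datetime.now(timezone.utc),
                 sender=msg.sender, recipients=list(msg.recipients),
                 policy=p.name, priority=p.priority)
        for p in policies if p.matches(msg.body)
    ]


class IncidentStore:
    """Active incident list plus named archives; only closed incidents are archived."""

    def __init__(self):
        self.active: dict = {}
        self.archives: dict = {}  # archive name -> {incident id: Incident}

    def add(self, *incidents: Incident) -> None:
        for inc in incidents:
            self.active[inc.id] = inc

    def archive(self, name: str) -> int:
        """Move every closed incident into the named archive; return how many moved."""
        moved = {inc.id: inc for inc in self.active.values() if inc.closed}
        for inc_id in moved:
            del self.active[inc_id]
        self.archives.setdefault(name, {}).update(moved)
        return len(moved)

    def restore(self, name: str, incident_id: int) -> Incident:
        """Put an archived incident back into the active list."""
        inc = self.archives[name].pop(incident_id)
        self.active[inc.id] = inc
        return inc

    def stats(self) -> dict:
        counts = {"new": 0, "in_progress": 0, "closed": 0}
        for inc in self.active.values():
            if inc.status == "New":
                counts["new"] += 1
            elif inc.status == "In progress":
                counts["in_progress"] += 1
            else:
                counts["closed"] += 1
        return counts
```

The transition check is the part worth keeping in any real workflow: it stops a closed incident from being silently reopened or edited, and the history list gives the audit trail that the History tab of the real application provides.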

In this Help section

Viewing the list of incidents

Viewing incident details

Searching for similar incidents

Adding comments to incidents

Changing incident status

Archiving incidents

Restoring incidents from the archive

Deleting archived incidents

Incidents node

View tab

History tab

Changing status window

Incident Archiving Wizard window

Incident Recovery Wizard window
