At this step, define the actions that the application will take on messages violating the policy and specify the recipients to which the application will send policy violation notifications.
To define the actions, configure the following settings:
Deletes the message that caused a policy violation.
If the check box is selected, the application deletes the message that violated the policy. A message is deleted if any part of the message (header, content, or any attachment) violates a policy.
If the check box is cleared, the application skips the message without changes.
Regardless of whether or not the check box is selected, when a policy is violated the application logs the event as a possible data leak and creates an incident.
Assessment of the danger of a potential data leak.
This drop-down list lets you select the priority that the application assigns to an incident upon policy violation: Low, Medium, High. The priority reflects how dangerous the policy violation is and how urgently the incident must be processed.
A message copy is attached to incident information.
If the check box is selected, the application attaches a copy of the message that caused a policy violation to incident information for subsequent analysis.
If the check box is cleared, the application does not attach a message copy to incident information.
Addition of policy violation records to Windows Event Viewer.
If the check box is selected, the application records the following policy violation event in Windows Event Viewer: “Level=Warning; Source=KSCM8; Event ID=16000”. The event description contains information about the sender, the recipients, the message subject, the violated policy, and the associated category.
Policy violation events may be useful if you use an automated system for collecting and analyzing security events (SIEM, Security Information and Event Management) to monitor the state of the organization's information security. These events let you obtain up-to-date information on incidents that arise while you are not using the Management Console.
If the check box is cleared, events are not recorded in Windows Event Viewer.
The check box is cleared by default.
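The following PowerShell sketch shows one way to pull these events for forwarding to a SIEM. It is an added example, not part of the product or its documentation. The source name, event ID and level are taken from the text above; the function name, the output path and the JSON field names are assumptions.

```powershell
# Added example: collect KSCM8 policy-violation events as JSON lines for SIEM ingestion.
# Source=KSCM8, Event ID=16000 and Level=Warning come from the documentation above.
# Get-DlpViolationEvent, $OutFile and the output field names are hypothetical.
function Get-DlpViolationEvent {
    [CmdletBinding()]
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [string]$ComputerName          # optional; omit to query the local server
    )
    $filter = @{
        ProviderName = 'KSCM8'         # event source
        Id           = 16000           # policy violation event
        Level        = 3               # 3 = Warning
        StartTime    = $Since
    }
    $params = @{ FilterHashtable = $filter; ErrorAction = 'Stop' }
    if ($ComputerName) { $params.ComputerName = $ComputerName }
    try {
        $events = Get-WinEvent @params
    }
    catch {
        # An empty result is normal (for example, no violations in the window).
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw   # anything else (unknown provider, access denied) should be visible
    }
    foreach ($e in $events) {
        # The description is passed through as-is: its exact layout is not
        # documented on this page, so sender/recipient fields are not parsed here.
        [pscustomobject]@{
            TimeCreatedUtc = $e.TimeCreated.ToUniversalTime().ToString('o')
            Computer       = $e.MachineName
            LogName        = $e.LogName
            RecordId       = $e.RecordId
            Description    = $e.Message
        }
    }
}

$OutFile = 'C:\Temp\dlp-violations.jsonl'   # hypothetical output path
Get-DlpViolationEvent -Since (Get-Date).AddDays(-1) |
    Sort-Object RecordId |
    ForEach-Object { $_ | ConvertTo-Json -Compress } |
    Add-Content -Path $OutFile -Encoding UTF8
```

Because the check box is cleared by default, the query returns nothing until event recording is enabled in the policy.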
To specify notification recipients, configure the following settings:
A policy violation notification is sent to the addresses of security officers.
If the check box is selected, upon a policy violation the application sends a violation notification to the address(es) of security officers. The address or list of addresses of security officers must be specified in advance in the Data Leak Prevention node.
If the check box is cleared, the application does not send notifications to security officers.
Delivery of a policy violation notification to the message sender's manager.
If the check box is selected, upon a policy violation the application sends a notification to the message sender's manager with information about the violation. The application retrieves the address of the sender's manager from Active Directory®.
If the check box is cleared, the application does not send a notification to the message sender's manager.
Delivery of policy violation notifications to additional addresses.
If the check box is selected, upon a policy violation the application sends a violation notification to the additional addresses specified in the entry field.
If the check box is cleared, the application does not send a notification to additional addresses.