
Symantec Enterprise Vault™

Data Classification Services Implementation Guide

Enterprise Vault 10.0

Data Loss Prevention 11.6


Symantec Enterprise Vault: Data Classification Services Implementation Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Last updated: 2013-01-16.

Legal Notice

Copyright © 2013 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, the Checkmark Logo, Enterprise Vault, Compliance Accelerator, and Discovery Accelerator are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Software file accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street, Mountain View, CA 94043

http://www.symantec.com


Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and/or web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our website at the following URL:

http://support.symantec.com

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

http://support.symantec.com

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level


■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our Technical Support web page at the following URL:

http://support.symantec.com

Customer service

Customer service information is available at the following URL:

http://support.symantec.com

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals


Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

Asia-Pacific and Japan: [email protected]

Europe, Middle-East, and Africa: [email protected]

North America and Latin America: [email protected]

Contents

Technical Support  3

Chapter 1  Introducing Symantec Enterprise Vault Data Classification Services  11
    About Enterprise Vault Data Classification Services  11
        Key components of Symantec Data Classification Services  12
        Architecture of Data Classification Services  14
    About classification policies  15
        Policy responses  16
        How Data Classification Services handles multiple policy matches  17
    About the available detection technologies  18
    Limitations on what Data Classification Services can classify  19
    Overview of the installation and configuration process  19
        Implementing Data Classification Services in a non-Data Loss Prevention environment  19
        Implementing Data Classification Services in an existing Data Loss Prevention environment  20
        About installation tiers  21
    Additional documents  22
    Comment on the documentation  23

Chapter 2  Acquiring the Enterprise Vault Data Classification Services software  25
    About downloading Data Classification Services components  25
    Downloading Data Classification Services components  27
        Creating the download directory for Symantec Data Loss Prevention files  27
        Downloading and extracting Symantec Data Loss Prevention files  28
        Preparing Enterprise Vault components for installation  28

Chapter 3  Installing Oracle 11g on Windows  31
    About the Oracle 11g installation  31
    Oracle database requirements  32
    Installing Oracle 11g on Windows  34
    Downloading the Oracle 11g software for Windows  35
    Installing the Oracle 11g software for Windows  35
    Creating the Symantec Data Loss Prevention database  37
    Creating the TNS Listener on Windows  40
    Configuring the local net service name  43
    Verifying the Symantec Data Loss Prevention database  44
    Creating the Oracle user account for Symantec Data Loss Prevention  45
    Locking the DBSNMP Oracle user account  46

Chapter 4  Installing the Data Classification Service  49
    Enforce Server and Classification Server minimum requirements  49
        Browser requirements for accessing the Enforce Server administration console  51
    Installing an Enforce Server  51
    Verifying an Enforce Server installation  60
    About the Data Classification for Enterprise Vault Solution Pack  61
    Importing the solution pack  64
    Classification Server installation preparations  66
    Installing a Classification Server  66
    Verifying a Classification Server installation  69
    Registering a Classification Server  70
    Configuring the Classification Server  71
    About post-installation security configuration  72
        About server security and SSL/TLS certificates  73
        About Symantec Data Loss Prevention and antivirus software  77
        Corporate firewall configuration  79
        Windows security lockdown guidelines  80
        Windows Administrative security settings  81

Chapter 5  Configuring the Data Classification Filter  89
    Configuring the Data Classification Filter  89
        Guidelines on specifying Classification Servers in the registry file  92

Chapter 6  Creating classification policies  95
    About the installed classification policies  95
        Exporting policy detection as a template  97
        Importing Symantec Enterprise Vault Data Classification Services policy templates  97
    Creating a classification policy from a template  98
    Adding a new policy or policy template  101
    Configuring policies  102
        Configuring the Classify Enterprise Vault Content action  103
        Configuring the Message/Email Properties and Attributes condition  108
        Enabling classification test mode  110

Chapter 7  Supplied classification policies and policy templates  113
    About the Enterprise Vault Data Classification policies  113
        Anti-money Laundering policy  115
        Attorney-Client Privilege policy  116
        Attorney-Client Privilege (Secondary) policy  116
        Auto-generated Messages policy  116
        Auto-generated news, Feeds & Research (Known Providers) policy  117
        Auto-generated News, Feeds, Research policy  117
        Compensation Discussions policy  117
        Email Containers (attachments) policy  118
        Faxes (attachments) policy  118
        Legal Documents (attachments) policy  118
        Personal Email Domains policy  119
        Productivity Documents (attachments) policy  119
        Solicitations - Charities policy  119
        Solicitations - Political policy  119
        Solicitations - Private Investment policy  120
    About the system-provided policy templates  120
        Acceptable Use Enforcement policy templates  121
        Confidential or Classified Data Protection policy templates  132
        Customer and Employee Data Protection policy templates  142
        Network Security Enforcement policy templates  149
        UK and International Regulatory Enforcement policy templates  152
        US Regulatory Enforcement policy templates  159

Chapter 8  Upgrading Data Classification Services  195
    Upgrading Symantec Data Loss Prevention for Data Classification Services  195
    Downloading and extracting the upgrade software  196
    Launching the Upgrade Wizard on the Enforce Server  196
    Performing an upgrade with the Upgrade Wizard  198

Appendix A  Migrating from Automatic Classification Engine to Data Classification Services  203
    About migrating to Data Classification Services  203

Index  205


Chapter 1  Introducing Symantec Enterprise Vault Data Classification Services

This chapter includes the following topics:

■ About Enterprise Vault Data Classification Services

■ About classification policies

■ About the available detection technologies

■ Limitations on what Data Classification Services can classify

■ Overview of the installation and configuration process

■ Additional documents

■ Comment on the documentation

About Enterprise Vault Data Classification Services

Data Classification Services uses various components of Symantec Enterprise Vault and Symantec Data Loss Prevention to automate the classification of Microsoft Exchange messages that are managed in Enterprise Vault. After Data Classification Services has applied classification tags to the messages, users of applications like Compliance Accelerator and Discovery Accelerator can use the tags to filter messages when they conduct searches and reviews.

The Data Classification Services components are available from Symantec FileConnect (https://fileconnect.symantec.com).


See “About downloading Data Classification Services components” on page 25.

The capabilities that Data Classification Services provides supersede those that the Automatic Classification Engine (ACE) provided in earlier versions of Enterprise Vault. You cannot configure Enterprise Vault to work simultaneously with both ACE and Data Classification Services. However, you can migrate from ACE to Data Classification Services by following the instructions later in this guide.

See “About migrating to Data Classification Services” on page 203.

Key components of Symantec Data Classification Services

Table 1-1 describes the key Data Classification Services components.

Table 1-1 Key components of Enterprise Vault Data Classification Services

Component: Data Classification Filter
Description: The filter works with Enterprise Vault to post Exchange messages to a Classification Server and receive classification results from the server. Enterprise Vault then uses the classification results to archive and classify the messages, or delete them, as appropriate.

Component: Classification Server
Description: This server is a type of Data Loss Prevention detection server that receives messages from the Data Classification Filter and applies policies to them to generate classification results. In the same way that you can have multiple Enterprise Vault servers, you can also have multiple Classification Servers.

The Classification Server can evaluate messages by using any of the available Data Loss Prevention detection technologies, which include Described Content Matching (DCM), Exact Data Matching (EDM), and Indexed Document Matching (IDM). It can also use a new, Classification-specific detection rule that evaluates messages based on their message (MAPI) attributes.

See “About the available detection technologies” on page 18.

You install and register a Classification Server in the same way that you install and register other Data Loss Prevention detection servers. If you already use Data Loss Prevention, see the Symantec Data Loss Prevention Installation Guide for more information. If you do not currently use Data Loss Prevention, this Implementation Guide provides installation instructions.

Note: Throughout the Data Loss Prevention documentation, the term “detection server” refers generally to any Data Loss Prevention server that detects policy-defined content. In this guide, the same term refers specifically to the Classification Server for Data Classification Services.

Component: Classification policies
Description: Data Classification Services evaluates each message against a set of classification policies. Each policy has a defined response that specifies what to do with the message. For example, one policy response may be to archive the message and assign a retention category to it. Another response may be to delete the message immediately without archiving it. The Classification Server groups all the matching policy responses for each message and returns them to the Enterprise Vault server, which processes the message accordingly.

See “About classification policies” on page 15.

Component: Enforce Server
Description: The Enforce Server provides a central management platform for deploying Classification Servers, authoring policies, and managing the system. You perform all these activities by using a browser-based administration console.

Figure 1-1 shows how these components interact.

Figure 1-1 How Enterprise Vault and Data Classification Services interact

[Diagram. Enterprise Vault side: Active Directory, Exchange, OWA, Compliance/Discovery Accelerator, and the Enterprise Vault servers. Data Classification Services side: the Classification Servers (policy analysis) and the Enforce Server administration console. The Enterprise Vault servers send each message for classification to the Classification Servers and receive classification tags in return.]


The architecture of Data Classification Services does not allow you to install it in a clustered environment. However, you can still deploy Data Classification Services in a highly available and load-balanced environment to enhance performance and scalability and eliminate downtime. To do this, you can set up multiple Classification Servers and configure the Data Classification Filter to work with them all.

See “Configuring the Data Classification Filter” on page 89.

Architecture of Data Classification Services

Figure 1-2 shows the interactions between the various Data Classification Services components in more detail.

Figure 1-2 Data Classification Services interactions

[Diagram. The Exchange server and the vault store connect to the Enterprise Vault server, where the Exchange archiving task hands messages to the Data Classification Filter (Filter Controller and Data Classification Client). The client sends each message for classification over the Classification API to the Data Classification Service on the Classification Server and receives classification tags back. The Enforce Server manages the Classification Server.]


The Data Classification Filter registers with the Enterprise Vault Exchange Agent and receives Exchange messages for classification. It sends the messages to the Data Classification Service through the Data Classification Client. The Data Classification Service classifies the messages and sends a reply that indicates any matched policy responses. The Data Classification Client forwards these responses to the Data Classification Filter. The filter adds the appropriate metadata to the messages to specify the required archiving and retention policy, and then passes them back to the Exchange archiving task.

About classification policies

Data Classification Services evaluates the content and metadata of each message against the classification policies that you define. As Table 1-2 shows, a classification policy can contain rules, exceptions, and responses.

Table 1-2 Components of a classification policy

Item: Rules
Description: One or more conditions that trigger a match on a message.
A policy can have multiple rules, which you connect together with AND and OR statements. This is a flexible and powerful way to organize rules in a logical way. For example, you may decide that one rule can trigger a response to a message, or you may prefer that all the rules must match to trigger a response.
Example: Find keyword "guarantee" within five words of keyword "profit".

Item: Exceptions
Description: Conditions that cause a policy to ignore a message.
The exceptions are normal conditions, but Data Classification Services evaluates them first. If any of the exceptions matches, the message is ignored, no more rules are evaluated, and the message does not trigger a response.
Example: Do not match if the sender is in the Legal department.

Item: Responses
Description: The action to take if a match is identified.
A number of response options are available. You define responses separately to policies. So, when you create a policy, you choose to attach a response to it.
See “Policy responses” on page 16.
Example: Archive and prioritize for compliance review.

Data Classification Services comes with 15 Enterprise Vault-specific policies with which you can start to classify messages straight away. Alternatively, you can create policies from scratch or base them on more than 40 standard templates that come with Symantec Data Loss Prevention.
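The rule, exception and response model of Table 1-2, as an added illustration that is not code from this guide or from Symantec: a small Python evaluator that checks a policy's exceptions first, then combines its rules with AND or OR, and returns the attached response on a match. The message shape (a dict of attributes plus body text), the `Policy` and condition helpers, and the sample messages are all constructed for the example; the keyword-proximity rule and the Legal-department exception are the table's own examples.

```python
"""Toy evaluator for the policy model of Table 1-2 (added example, not Symantec code).

A policy holds rules, exceptions and one response. Exceptions are evaluated
first; if any matches, the message is ignored and no rule is evaluated.
Otherwise the rules are combined with AND or OR and the response is returned
on a match.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A message is modelled as a plain dict of attributes plus body text.
# This is a constructed shape for the example, not the product's message format.
Message = Dict[str, object]
Condition = Callable[[Message], bool]


def keyword_proximity(first: str, second: str, window: int) -> Condition:
    """Rule: `first` occurs within `window` words of `second` in the body."""
    def cond(msg: Message) -> bool:
        words = re.findall(r"[a-z0-9']+", str(msg.get("body", "")).lower())
        first_at = [i for i, w in enumerate(words) if w == first.lower()]
        second_at = [i for i, w in enumerate(words) if w == second.lower()]
        return any(abs(i - j) <= window for i in first_at for j in second_at)
    return cond


def sender_in_department(department: str) -> Condition:
    """Attribute condition on the sender's department (used here as an exception)."""
    return lambda msg: str(msg.get("sender_department", "")).lower() == department.lower()


@dataclass
class Policy:
    name: str
    rules: List[Condition]
    response: str                       # the response attached to the policy
    exceptions: List[Condition] = field(default_factory=list)
    require_all_rules: bool = False     # False: rules joined by OR; True: by AND


def evaluate(policy: Policy, msg: Message) -> Optional[str]:
    """Return the policy's response if `msg` matches, otherwise None."""
    # Exceptions come first: one match ignores the message outright.
    if any(exception(msg) for exception in policy.exceptions):
        return None
    outcomes = [rule(msg) for rule in policy.rules]
    matched = all(outcomes) if policy.require_all_rules else any(outcomes)
    return policy.response if matched else None


def classify(policy: Policy, messages: List[Message]) -> Dict[str, Optional[str]]:
    """Map each message id to the response it triggered (None if ignored or unmatched)."""
    return {str(msg["id"]): evaluate(policy, msg) for msg in messages}


# Constructed sample policy; the rule and the exception are Table 1-2's own examples.
EXAMPLE_POLICY = Policy(
    name="Example guarantee/profit policy",
    rules=[keyword_proximity("guarantee", "profit", window=5)],
    response="Archive and prioritize for compliance review",
    exceptions=[sender_in_department("Legal")],
)

# Constructed sample messages.
SAMPLE_MESSAGES: List[Message] = [
    {"id": "m1", "sender_department": "Sales",
     "body": "We guarantee a 20% profit on this deal."},
    {"id": "m2", "sender_department": "Legal",
     "body": "We guarantee a 20% profit on this deal."},
    {"id": "m3", "sender_department": "Sales",
     "body": "Our guarantee covers parts and labour; see the annual report for the profit figures."},
]

if __name__ == "__main__":
    for msg_id, response in classify(EXAMPLE_POLICY, SAMPLE_MESSAGES).items():
        print(msg_id, "->", response)
```

Message m1 triggers the response, m2 is identical in content but is ignored because the exception fires before any rule is evaluated, and m3 contains both keywords but too far apart to satisfy the proximity rule.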

Policy responses

When you classify Enterprise Vault content with Data Classification Services, you can choose to archive and classify messages that match the defined policy, or you can choose not to archive the messages. For example, the following options are available for archiving and classifying messages that match a policy:

Alternatively, you can choose from the following options if you want to indicate that Enterprise Vault should not archive a message that matches a policy:

See “Configuring the Classify Enterprise Vault Content action” on page 103.


How Data Classification Services handles multiple policy matches

Sometimes, when a message matches multiple policies, Enterprise Vault cannot take all the actions in the policy responses. For example, this may be the case if two responses request the assignment of two different retention categories to a message. When this situation arises, the Data Classification Filter determines how to proceed as follows:

■ It gives greater priority to Archive and classify message responses than to Do not archive message responses.

■ For multiple Archive and classify message responses, it does the following:

    ■ Applies the longest of the retention periods to the message. If multiple retention categories share the longest period, the filter looks to the response rule order that you have specified to determine which one takes precedence. For example, suppose that a message matches two policies and that you have attached a different response to each policy. Each response instructs the filter to assign a different retention category to the message. If the two categories have different retention periods, the filter applies the longer one to the message. If the categories have equal retention periods, the filter applies the category whose response has higher priority. You can reorder responses to raise or lower their priority level.

    ■ Stores the name of every matching policy in the indexable metadata of the message under one of the following tags:

        evtag.inclusion: Indicates that the message should be included in a compliance review.

        evtag.exclusion: Indicates that the message should be excluded from a compliance review.

        evtag.category: Provides no information on whether the message should be included in or excluded from a compliance review.

    Each tag can contain multiple policy names.

■ For multiple Do not archive message responses, it gives the greatest priority to Leave message in mailbox requests, then to Move message to Deleted Items folder requests, and finally to Delete message immediately and permanently requests.

In effect, the Data Classification Filter chooses the safest action when resolving the differences between responses.

See “Configuring the Classify Enterprise Vault Content action” on page 103.
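The following is an added example, not Symantec's own code, that models the evaluation order described in Table 1-2 (exceptions first, then rules joined with AND or OR) together with the precedence rules above for a message that matches several policies. The policy names, keywords, retention categories, evtag assignments and disposition names are constructed for illustration; the Data Classification Filter's actual implementation is not shown on this page.

```python
"""Added example: model of policy evaluation and multi-match response resolution.
Everything below (policies, keywords, retention periods) is constructed for
illustration and is not Symantec code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Message = Dict[str, str]                  # constructed keys: sender, department, subject, body
Condition = Callable[[Message], bool]

# Do-not-archive dispositions ordered from safest (0) to least safe.
DISPOSITION_SAFETY = {"leave_in_mailbox": 0, "move_to_deleted_items": 1, "delete_permanently": 2}


@dataclass
class RetentionCategory:
    name: str
    retention_days: int


@dataclass
class Response:
    name: str
    kind: str                                  # "archive" or "do_not_archive"
    priority: int                              # response rule order; lower number = higher priority
    retention: Optional[RetentionCategory] = None
    tag: str = "evtag.category"                # evtag.inclusion, evtag.exclusion or evtag.category
    disposition: Optional[str] = None          # a DISPOSITION_SAFETY key for do_not_archive


@dataclass
class Policy:
    name: str
    rules: List[Condition]
    operator: str                              # "AND": all rules must match; "OR": any rule
    response: Response
    exceptions: List[Condition] = field(default_factory=list)

    def matches(self, msg: Message) -> bool:
        # Exceptions are evaluated first: one hit and the policy ignores the message.
        if any(exc(msg) for exc in self.exceptions):
            return False
        results = [rule(msg) for rule in self.rules]
        return all(results) if self.operator == "AND" else any(results)


def resolve(msg: Message, policies: List[Policy]) -> dict:
    """Archive beats do-not-archive; among archive responses the longest retention
    wins (ties broken by priority); among do-not-archive responses the safest wins."""
    matched = [p for p in policies if p.matches(msg)]
    archive = [p for p in matched if p.response.kind == "archive"]
    no_archive = [p for p in matched if p.response.kind == "do_not_archive"]
    if archive:
        winner = min(archive, key=lambda p: (-p.response.retention.retention_days,
                                             p.response.priority))
        tags: Dict[str, List[str]] = {}
        for p in archive:                      # every matching archive policy is recorded
            tags.setdefault(p.response.tag, []).append(p.name)
        return {"action": "archive", "retention": winner.response.retention.name, "tags": tags}
    if no_archive:
        safest = min(no_archive, key=lambda p: DISPOSITION_SAFETY[p.response.disposition])
        return {"action": "do_not_archive", "disposition": safest.response.disposition}
    return {"action": "no_match"}


# Constructed condition builders (hypothetical stand-ins for real detection rules).
def body_contains(word: str) -> Condition:
    return lambda m: word in m["body"].lower()

def subject_contains(word: str) -> Condition:
    return lambda m: word in m["subject"].lower()

def sender_in_department(dept: str) -> Condition:
    return lambda m: m["department"] == dept


POLICIES = [
    Policy("Anti-money Laundering",
           [body_contains("wire transfer"), body_contains("offshore")], "AND",
           Response("Archive for compliance", "archive", 1,
                    RetentionCategory("Financial 7 years", 2555), "evtag.inclusion"),
           exceptions=[sender_in_department("Legal")]),
    Policy("Customer Complaint",
           [subject_contains("complaint"), body_contains("unhappy")], "OR",
           Response("Archive standard", "archive", 2,
                    RetentionCategory("Standard 3 years", 1095), "evtag.inclusion")),
    Policy("HR Grievance",
           [subject_contains("grievance")], "OR",
           Response("Archive HR", "archive", 1,
                    RetentionCategory("HR 3 years", 1095), "evtag.category")),
    Policy("Newsletter",
           [body_contains("unsubscribe")], "OR",
           Response("Move to Deleted Items", "do_not_archive", 3,
                    disposition="move_to_deleted_items")),
    Policy("Spam",
           [subject_contains("lottery")], "OR",
           Response("Delete", "do_not_archive", 4, disposition="delete_permanently")),
]


def classify(subject: str, body: str, department: str = "Sales") -> dict:
    """Run a constructed message through the policy set above."""
    return resolve({"sender": "user@example.invalid", "department": department,
                    "subject": subject, "body": body}, POLICIES)


if __name__ == "__main__":
    # Two archive responses: the 7-year category wins over the 3-year one.
    print(classify("Complaint about fees", "Route the wire transfer via the offshore account"))
    # Legal sender: the AML exception suppresses that policy entirely.
    print(classify("Complaint", "wire transfer offshore", department="Legal"))
    # Equal retention periods: response priority decides.
    print(classify("Complaint and grievance", ""))
    # Only do-not-archive responses: the safer disposition wins.
    print(classify("You won the lottery", "Click unsubscribe"))
```

The tie-breaking and "safest action" behaviour is the part worth checking in a real deployment: order your responses deliberately, because with equal retention periods the response order alone decides which category a message keeps.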


About the available detection technologies

Symantec Data Loss Prevention provides several types of detection technologies. Each type of technology provides unique capabilities. You can combine detection technologies in policies to achieve precise classification results.

Table 1-3 Available detection technologies

Technology: Described Content Matching (DCM)
Description: Detects data with common characteristics, such as keywords, data types, file metadata, protocol signatures, endpoint destinations, and identity patterns.

Technology: Directory Group Matching (DGM)
Description: Detects the exact identity of data users, message senders, and recipients. Symantec Data Loss Prevention provides two flavors of Directory Group Matching: synchronized and profiled. Synchronized DGM uses a connection to a directory server instance (Microsoft Active Directory) to match identities. Profiled DGM uses a static Exact Data Profile of a directory server or database to match identities.

Technology: Exact Data Matching (EDM)
Description: Detects content that is stored in structured or tabular format. For example, you can use EDM to classify confidential customer information from a database, or sensitive financial information from a spreadsheet.

Technology: Indexed Document Matching (IDM)
Description: Detects unstructured data from sensitive, proprietary documents. The supported document types include Microsoft Word, PowerPoint, PDF, design plans, source code, CAD/CAM images, financial reports, and confidential mergers and acquisition documents.

Technology: Vector Machine Learning (VML)
Description: Performs statistical analysis on unstructured data (documents) to determine if the content is similar to an example set of documents that you train against.

Technology: Custom detection methods
Description: Extends the classification capabilities so that you can match any type of data, content, or files. You can write scripts, expressions, and plug-ins to customize the classification engine.

For more information on the available detection technologies, see the Symantec Data Loss Prevention Administration Guide.


Limitations on what Data Classification Services can classify

Note the following limitations on how Data Classification Services classifies messages:

■ In this release, Data Classification Services supports the classification of messages through Exchange journal and mailbox archiving only.

■ Data Classification Services cannot classify any messages that users have manually archived by using the facilities that the Enterprise Vault Outlook Add-Ins or Enterprise Vault for OWA provide. For example, this is the case for the messages that users have archived by clicking the Store in Vault button in Outlook, or that they have moved or copied into their Virtual Vault folders.

■ Any policy that classifies messages that a specific user has sent does not classify messages that a delegate user has sent on behalf of this user. For example, suppose that user A allows user B to send messages on her behalf. If you have set up a policy to classify messages that user A has sent, it ignores any messages that user B has sent on A's behalf.

■ Data Classification Services can only classify encrypted messages after an application such as the Enterprise Vault Adapter for Secure Messaging and Rights Management (SMRM) has decrypted them.

Overview of the installation and configuration process

The procedure that you must follow when you install and configure Enterprise Vault Data Classification Services depends on whether you are an existing user of Symantec Data Loss Prevention.

Implementing Data Classification Services in a non-Data Loss Prevention environment

Table 1-4 describes the steps to follow if you are an Enterprise Vault user who has not previously set up a Symantec Data Loss Prevention environment.

Table 1-4 Installation and configuration process for non-Data Loss Prevention users

Step 1
Action: Install Oracle 11g, and create a database using the Symantec Data Loss Prevention database template.
More information: See “About the Oracle 11g installation” on page 31.

Step 2
Action: Install an Enforce Server.
More information: See “Installing an Enforce Server” on page 51.

Step 3
Action: Import the Data Classification for Enterprise Vault solution pack on the Enforce Server computer.
More information: See “Importing the solution pack” on page 64. Some policies in the solution pack are more effective with EDM or IDM rules, for which you require a suitable Exact Data Profile or Indexed Document Profile. One example is the Anti-money Laundering policy. See the Symantec Data Loss Prevention Administration Guide for guidelines on how to define and choose these profiles.

Step 4
Action: For a two-tier or three-tier installation only, install and verify the Classification Server software.
More information: See “Installing a Classification Server” on page 66.

Step 5
Action: Register the Classification Server instance with the Enforce Server.
More information: See “Registering a Classification Server” on page 70.

Step 6
Action: Configure the Data Classification Filter on each Enterprise Vault server.
More information: See “Configuring the Data Classification Filter” on page 89.

Step 7
Action: Create the required classification policies.
More information: See “Creating a classification policy from a template” on page 98.

Implementing Data Classification Services in an existing Data Loss Prevention environment

Table 1-5 describes the steps to follow if you want to add classification policies to an existing Data Loss Prevention solution.

Table 1-5 Installation and configuration process for existing Data Loss Prevention users

Step 1
Action: Install and verify the Classification Server software.
More information: See “Installing a Classification Server” on page 66.

Step 2
Action: Register the Classification Server instance with the Enforce Server.
More information: See “Registering a Classification Server” on page 70.

Step 3
Action: Configure the Data Classification Filter on each Enterprise Vault server.
More information: See “Configuring the Data Classification Filter” on page 89.

Step 4
Action: Import the Data Classification Services policy template to the Enforce Server.
More information: See “Importing Symantec Enterprise Vault Data Classification Services policy templates” on page 97.

Step 5
Action: Create the required classification policies.
More information: See “Creating a classification policy from a template” on page 98. If you create a policy from a template that contains EDM or IDM rules, such as the Anti-money Laundering policy, the system prompts you to choose an existing Exact Data Profile or Indexed Document Profile. See the Symantec Data Loss Prevention Administration Guide for guidelines on how to define and choose these profiles.

About installation tiers

Symantec Data Loss Prevention supports three different installation types: three-tier, two-tier, and single-tier. Symantec recommends the three-tier installation. However, your organization might need to implement a two-tier or single-tier installation depending on available resources and organization size.

Single-tier
To implement the single-tier installation, you install the database, the Enforce Server, and a detection server all on the same computer.
See “Importing the solution pack” on page 64.
See “Registering a Classification Server” on page 70.

Two-tier
To implement the two-tier installation, you install the Oracle database and the Enforce Server on the same computer. You then install detection servers on separate computers.

Three-tier
To implement the three-tier installation, you install the Oracle database, the Enforce Server, and a detection server on separate computers. Symantec recommends implementing the three-tier installation architecture as it enables your database administration team to control the database. In this way you can use all of your corporate standard tools for database backup, recovery, monitoring, performance, and maintenance. Three-tier installations require that you install the Oracle Client (SQL*Plus and Database Utilities) on the Enforce Server to communicate with the Oracle server.

Additional documents

This guide describes how to install, configure, and upgrade Symantec Data Loss Prevention for use with Symantec Enterprise Vault to provide automatic classification of messages. In addition to this guide, other Symantec Data Loss Prevention documents describe the full functionality of the Enforce Server, Classification Server, and policy creation. These documents are available from Symantec FileConnect (https://fileconnect.symantec.com) along with the software for the Data Classification Services. Additional documents for Enterprise Vault are also available from the Symantec Support site:

http://www.symantec.com/business/support/index?page=landing&key=50996

Note: The Symantec Data Loss Prevention documentation describes non-Classification server types that are used by Data Loss Prevention customers. You can ignore reading about these non-Classification servers, since the information does not apply to Data Classification Services.

In addition, see the Symantec Enterprise Vault Compatibility Charts for details about supported versions of Data Loss Prevention and Enterprise Vault. The Compatibility Charts can be found here:

http://www.symantec.com/docs/TECH38537

Table 1-6 Symantec Data Loss Prevention documents used with Enterprise Vault Data Classification Services

Document: Symantec Data Loss Prevention Administration Guide
Description: Describes how to administer the Enforce Server and Classification Server. This document also describes all detection, policy, and response rule features that you can use when configuring classification policies.

Document: Symantec Data Loss Prevention System Maintenance Guide
Description: Describes how to diagnose common problems with Symantec Enterprise Vault Data Classification Services installations. Also, it provides instructions for performing common maintenance tasks such as backing up the Enforce Server database and monitoring log files.

Document: Symantec Data Loss Prevention Online Help
Description: The Enforce Server administration console provides context-sensitive help pages to help you create, configure, and manage classification policies and Classification Servers.

Document: Symantec Data Loss Prevention Release Notes
Description: Describes the known and fixed issues in this release of the Enforce Server and Classification Server. You can find the latest version of the Release Notes by accessing the following article in the Symantec Data Loss Prevention knowledgebase: https://kb-vontu.altiris.com/article.asp?article=55642 (You must have an account for the knowledgebase to access this article.) If you upgrade Data Loss Prevention with a minor release update, you can find the Release Notes for that update in the ZIP file that contains the Upgrader software.

Document: Symantec Data Loss Prevention Upgrade Guide
Description: Describes how to migrate from the previous versions of Symantec Data Loss Prevention Enforce Servers and Classification Servers to the most current version.

For detailed information on the full system requirements for Symantec Data Loss Prevention, see the Symantec Data Loss Prevention System Requirements and Compatibility Guide. This guide is updated as new information becomes available. You can find the latest version of the guide by accessing the following article in the Symantec Data Loss Prevention knowledgebase:

https://kb-vontu.altiris.com/article.asp?article=55645

(You must have an account for the knowledgebase to access this article.)

Comment on the documentation

Let us know what you like and dislike about the documentation. Were you able to find the information you needed quickly? Was the information clearly presented?


Report errors and omissions, or tell us what you would find useful in future versions of our guides and online help.

Please include the following information with your comment:

■ The title and product version of the guide on which you want to comment.

■ The topic (if relevant) on which you want to comment.

■ Your name.

Email your comment to [email protected]. Please only use this address to comment on product documentation.

We appreciate your feedback.


Acquiring the Enterprise Vault Data Classification Services software

This chapter includes the following topics:

■ About downloading Data Classification Services components

■ Downloading Data Classification Services components

About downloading Data Classification Services components

Data Classification Services software is delivered in a series of .zip files that you download from FileConnect (https://fileconnect.symantec.com). Place all of your downloaded files in a download directory; do not create your own subdirectories.

See “Creating the download directory for Symantec Data Loss Prevention files” on page 27.

Note: The files that are listed contain a version number. In the table, an "x" represents the most current version number. Download the most recent version of the software.

Chapter 2


Table 2-1 The Data Classification Services components

Component: Symantec_Enterprise_Vault_10_0_x_Win_Multilingual.zip
Description: The Symantec Enterprise Vault solution.

Component: Symantec_DLP_11.6_Platform_Win-IN.zip
Description: The Symantec Data Loss Prevention solution.

Component: Oracle_11.2.0.3.0_Server_Installation_Tools_Win.zip
Description: The installation tools include scripts and a database template file that you use to create the Oracle 11g database and user account. If you have an existing Oracle installation that was not purchased from Symantec, use these files to create the Symantec Data Loss Prevention database and user account.

Component: Oracle_11.2.0.3.0_Server_Win32_1of2.zip and Oracle_11.2.0.3.0_Server_Win32_2of2.zip, or Oracle_11.2.0.3.0_Server_Win64_1of2.zip and Oracle_11.2.0.3.0_Server_Win64_2of2.zip
Description: These .zip files contain installers and scripts that you use to install a new instance of Oracle software for use with Symantec Data Loss Prevention. If you have purchased an Oracle license from Symantec for use with Symantec Data Loss Prevention, use these files to install your Oracle software and to create the Symantec Data Loss Prevention database.

Component: Symantec_DLP_11.6_DCS_Docs_Win-IN.zip
Description: The Symantec Data Loss Prevention documentation set.

Component: Symantec_DLP_11.6_DCS_Policy_Templates-IN.zip
Description: The policy templates that you must import if you have already installed a solution pack.

Component: Symantec_DLP_11.6_Upgrader_Win-IN.zip
Description: The Symantec Data Loss Prevention upgrade engine.

See “Downloading Data Classification Services components” on page 27.

Downloading Data Classification Services components

Use the following process to download and prepare the Symantec Data Classification components for installation:

Table 2-2 Downloading Symantec Data Classification components

Step 1
Process: Create your download directory.
Description: See “Creating the download directory for Symantec Data Loss Prevention files” on page 27.

Step 2
Process: Download and extract your software.
Description: See “Downloading and extracting Symantec Data Loss Prevention files” on page 28.

Step 5
Process: Create the Symantec Enterprise Vault installation disc.
Description: See “Preparing Enterprise Vault components for installation” on page 28.

Creating the download directory for Symantec Data Loss Prevention files

On the computer that will become the Enforce Server, create a download directory. The download directory is where you download and extract the installation files for your Symantec Data Loss Prevention software. This directory is referred to as “DownloadHome” in the rest of this document. For example, if you create a DLP_files directory, your DownloadHome is c:\DLP_files. You do not need to place the Symantec Enterprise Vault software, which is installed separately, into the directory that you create for Symantec Data Loss Prevention.

Note: Do not use c:\Vontu\ because this directory is used later as the default installation directory by the installer.

See “Downloading and extracting Symantec Data Loss Prevention files” on page 28.


Downloading and extracting Symantec Data Loss Prevention files

Symantec Data Loss Prevention software contains multiple components (.zip files). You must download all of the Symantec Data Loss Prevention files from FileConnect to obtain all of your software. FileConnect only initiates the download of one component compressed file at a time.

To download Data Loss Prevention software from FileConnect

1 On the Enterprise Vault 10.0 FileConnect page, click the name of each file that you want to download. (You can only select one at a time, so you must repeat the process for each of the items.)

2 Click HTTP Download, and click Select.

3 Click Begin Downloading.

4 Specify that the file be saved in your DownloadHome directory.

5 After the download has been initiated, you are returned to the File Select screen. Choose which component to download next.

6 When all of your product component compressed archive files have been downloaded, extract the files directly into the DownloadHome directory.

Each DLP .zip file has a common folder structure with a top-level folder called DLP. You must extract the contents of the .zip files so that the resulting folder structure resembles the example:

c:\DLP_files\ (or whatever you chose as your DownloadHome)
    DLP\
        Symantec_DLP_11_Win\
            11.6_Win\
                ...
                New_Installs\
                    x64\
                        ProtectInstaller_11.6.exe
                        ...

7 Verify that your files have extracted into the proper folder structure.

Preparing Enterprise Vault components for installation

This procedure is the first step to installing Symantec Enterprise Vault. If you have previously installed the software, disregard this procedure.

For more information on how to install Symantec Enterprise Vault, see the Symantec Enterprise Vault Installing and Configuring Guide.


To prepare the Enterprise Vault component for installation

1 Download and extract the Symantec_Enterprise_Vault_10_x_x_Win_Multilingual.zip to your local drive.

2 Burn the Symantec_Enterprise_Vault_10_x_x_Win_Multilingual.iso to a DVD disc.

3 After the .iso file has been burned to the disc, you can either re-insert the disc into the computer or mount the image directly to the computer. Open the top-level readme file. This file guides you through important steps before you can begin installation.

Note: Symantec Enterprise Vault is often installed on multiple servers, all of which must be prepared for the installation process.

See “About downloading Data Classification Services components” on page 25.


Installing Oracle 11g on Windows

This chapter includes the following topics:

■ About the Oracle 11g installation

■ Oracle database requirements

■ Installing Oracle 11g on Windows

■ Downloading the Oracle 11g software for Windows

■ Installing the Oracle 11g software for Windows

■ Creating the Symantec Data Loss Prevention database

■ Creating the TNS Listener on Windows

■ Configuring the local net service name

■ Verifying the Symantec Data Loss Prevention database

■ Creating the Oracle user account for Symantec Data Loss Prevention

■ Locking the DBSNMP Oracle user account

About the Oracle 11g installation

To use Symantec Data Loss Prevention, install Oracle 11g Release 2 and create a database using the Symantec Data Loss Prevention database template. You must also create an Oracle user account with the correct permissions to access and modify the database. The Enforce Server uses this account to store configuration and incident data for the Symantec Data Loss Prevention deployment.

Chapter 3


You can perform a two-tier or single-tier Symantec Data Loss Prevention installation. In both of these cases, the database runs on the same computer as the Enforce Server. Alternatively, you can perform a three-tier Symantec Data Loss Prevention installation. In this case, the database runs on a different computer from the Enforce Server.

If you implement a three-tier installation, you must install the Oracle Client (SQL*Plus and Database Utilities) on the Enforce Server. Installation of the Oracle Client enables database communications between the Oracle database server and the Enforce Server. The Symantec Data Loss Prevention installer needs SQL*Plus to create tables and views on the Enforce Server. For this reason, the Windows user account that is used to install Symantec Data Loss Prevention needs access to SQL*Plus.

For full details on how to install the Oracle 11g Database Client software, see the platform-specific documentation from Oracle Corporation, available from the Oracle Documentation Library at http://www.oracle.com/pls/db111/portal.portal_db?selected=11.

Note: After you create the Symantec Data Loss Prevention database and complete the Symantec Data Loss Prevention installation, you can change the database password. To change the database password, you use the Symantec Data Loss Prevention DBPasswordChanger utility.

For more information about the Symantec Data Loss Prevention DBPasswordChanger utility, see the Symantec Data Loss Prevention Administration Guide.

Oracle database requirements

All new Symantec Data Loss Prevention installations must install and use Oracle 11g version 11.2.0.3 (32-bit or 64-bit) with the most recent Critical Patch Update. You can obtain Oracle 11g and the necessary patches from Symantec when you download your Data Classification Services software.

You cannot install a new Symantec Data Loss Prevention version 11 Enforce Server with an Oracle 10g database.

Symantec Data Loss Prevention requires the Oracle database to use the AL32UTF8 character set. If your database is configured for a different character set, the installer notifies you and cancels the installation.

You can install Oracle on a dedicated server (a three-tier deployment) or on the same computer as the Enforce Server (a two-tier or one-tier deployment):

■ Three-tier deployment. System requirements for a dedicated Oracle server are listed below. Note that dedicated Oracle server deployments also require that you install the Oracle 11g Client on the Enforce Server computer to communicate with the remote Oracle 11g instance.

■ One- and two-tier deployments. When installed on the Enforce Server computer, the Oracle system requirements are the same as those of the Enforce Server.

If you install Oracle 11g on a dedicated server, that computer must meet the following minimum system requirements for Symantec Data Loss Prevention:

■ Microsoft Windows Server 2003 (for Oracle Standard Edition only) or later version of 5.x (32-bit) or Windows Server 2008 (Standard or Enterprise edition) R2 (64-bit version).

■ One of the following operating systems:

■ Microsoft Windows Server 2003 (32-bit) (with Oracle Standard Edition only)

■ Microsoft Windows Server 2008 R2 (64-bit)

■ Microsoft Windows Server 2008 R2 SP1 (64-bit)

■ Red Hat Enterprise Linux 5.2 through 5.8 (32-bit) (with Oracle Standard Edition only)

■ Red Hat Enterprise Linux 5.2 through 5.8 (64-bit)

■ 6 GB of RAM

■ 6 GB of swap space (equal to RAM)

■ 500 GB – 1 TB of disk space for the Enforce database

Note: Support for 32-bit platforms for Oracle will be discontinued in a future version of Symantec Data Loss Prevention. Symantec recommends that customers migrate to 64-bit systems as soon as possible.

The exact amount of disk space that is required for the Enforce database depends on variables such as:

■ The number of policies you plan to initially deploy

■ The number of policies you plan to add over time

See “Creating a classification policy from a template” on page 98.


Installing Oracle 11g on Windows

Install Oracle 11g and create the Symantec Data Loss Prevention database by performing the following steps on the server computer that will host the Oracle database.

Table 3-1 Installing Oracle 11g and creating the Symantec Data Loss Prevention database

Step 1
Action: Review the system requirements for the Oracle 11g.
Description: See the Oracle Web pages for the system requirements for Oracle 11g and the Symantec Data Loss Prevention System Requirements and Compatibility Guide.

Step 2
Action: Download the Oracle 11g software.
Description: See “Downloading the Oracle 11g software for Windows” on page 35.

Step 3
Action: Install Oracle 11g.
Description: See “Installing the Oracle 11g software for Windows” on page 35.

Step 4
Action: Create the Symantec Data Loss Prevention database.
Description: See “Creating the Symantec Data Loss Prevention database” on page 37.

Step 5
Action: Create the database listener.
Description: See “Creating the TNS Listener on Windows” on page 40.

Step 6
Action: Configure the local net service name.
Description: See “Configuring the local net service name” on page 43.

Step 7
Action: Create the Symantec Data Loss Prevention database user.
Description: See “Creating the Oracle user account for Symantec Data Loss Prevention” on page 45.

Step 8
Action: Lock the DBSNMP account for security purposes.
Description: See “Locking the DBSNMP Oracle user account” on page 46.

Step 9
Action: Install the Oracle Critical Patch Update (CPU).
Description: The latest Oracle 11g Release 2 Critical Patch Update Guide explains how to download and apply the CPU for Oracle.

Downloading the Oracle 11g software for Windows

You should have received a Symantec Serial Number Certificate with your order that lists a serial number for each of your products. If you did not receive the certificate, contact Symantec Customer Care as described at http://www.symantec.com/business/support/assistance_care.jsp. If you have multiple serial numbers, locate the serial number that corresponds to Oracle Standard Edition.

Go to https://fileconnect.symantec.com and enter the serial number. Proceed to the list of available downloads and download and extract the following files:

■ Oracle_11.2.0.3.0_Server_Win32_1of2.zip and Oracle_11.2.0.3.0_Server_Win32_2of2.zip (for 32-bit installations)

These ZIP files contain the 32-bit Oracle 11g Release 2 software (win32_11.2.0.3_database_1of2.zip and win32_11.2.0.3_database_2of2.zip).

■ Oracle_11.2.0.3.0_Server_Win64_1of2.zip and Oracle_11.2.0.3.0_Server_Win64_2of2.zip (for 64-bit installations)

These ZIP files contain the 64-bit Oracle 11g Release 2 software (win64_11.2.0.3_database_1of2.zip and win64_11.2.0.3_database_2of2.zip).

■ Oracle_11.2.0.3.0_Server_Installation_Tools_Win.zip

This ZIP file contains the Symantec Data Loss Prevention Oracle database template and database user SQL script (11g_r2_32_bit_Installation_Tools.zip and 11g_r2_64_bit_Installation_Tools.zip).

Installing the Oracle 11g software for Windows

The Enforce Server uses the Oracle thin driver and the Oracle Client. Symantec Data Loss Prevention packages the JAR files for the Oracle thin driver with the Symantec Data Loss Prevention software, but you must also install the Oracle Client. The Symantec Data Loss Prevention installer needs SQL*Plus to create tables and views on the Enforce Server. Therefore, the Windows user account that is used to install Symantec Data Loss Prevention must be able to access SQL*Plus.

To install Oracle 11g Release 2

1 Shut down the following services if they are running in Windows Services:

■ All Oracle services

■ Distributed Transaction Coordinator service

To view the services, go to Start > Control Panel > Administrative Tools > Computer Management, and then expand Services and Applications and click Services.

2 Unzip the required software installation files:

■ For 32-bit systems, unzip the win32_11.2.0.3_database_1of2.zip and win32_11.2.0.3_database_2of2.zip files into a common temporary directory.

■ For 64-bit systems, unzip the win64_11.2.0.3_database_1of2.zip and win64_11.2.0.3_database_2of2.zip files into a common temporary directory.

3 To install the Oracle software, navigate to the database directory that is located inside the common temporary directory and double-click the Oracle Universal Installer file, setup.exe.

4 On the Configure Security Updates panel, deselect I wish to receive security updates via My Oracle Support, and click Next.

A dialog box appears that asks you to confirm that you wish to remain uninformed of critical security issues. Select Yes.

Symantec certifies and provides Oracle Critical Patch Updates for use with Symantec Data Loss Prevention, along with detailed installation instructions. You do not need to receive these updates from Oracle Support.

5 On the Download software updates panel, select Skip software updates and click Next.

6 On the Select Installation Options panel, select Install database software only and click Next.

7 On the Grid Installation Options panel, select Single instance database installation and click Next.


8 On the Select Product Languages panel, click Next to accept English as the default language.

9 On the Select Database Edition panel, select Standard Edition and click Next.

10 On the Specify Installation Location panel, enter the following paths in the specified fields, and click Next:

■ Oracle Base: Enter c:\oracle

■ Software Location: Enter c:\oracle\product\11.2.0.3\db_1

Note: All example paths in this document use the installation directory c:\oracle\product\11.2.0\db_1. If you specify a different installation directory, substitute the correct path as necessary throughout this document.

The installer application performs a prerequisite check and displays the results.

11 On the Summary panel, click Install to begin the installation.

The installer application installs the Oracle 11g software to your computer.

12 On the Finish panel, click Close to exit the installer application.

Creating the Symantec Data Loss Prevention database

Perform the following procedure to create the Symantec Data Loss Prevention database.


Note: If you are installing Oracle 11g on a 64-bit computer to migrate an existing 32-bit Symantec Data Loss Prevention database, do not perform this procedure.

To create the Symantec Data Loss Prevention database

1 Set the ORACLE_HOME environment variable for your new installation. Open a command prompt, and enter:

set ORACLE_HOME=c:\oracle\product\11.2.0.3\db_1

If you installed Oracle 11g into a different location, substitute the correct directory in this command.

You may want to configure your Windows system to automatically set the ORACLE_HOME environment variable each time you log on. See your Windows documentation for details about setting environment variables.

2 Extract the database template file (.dbt file) from the 11g_r2_32_bit_Installation_Tools.zip or 11g_r2_64_bit_Installation_Tools.zip file to the %ORACLE_HOME%\assistants\dbca\templates folder. For example, copy Oracle_11g_Database_for_Vontu_v11_32_bit.dbt for 32-bit installations, or copy Oracle_11g_Database_for_Vontu_v11_64_bit.dbt for 64-bit installations.

3 Click the Windows Start menu and locate the Start > All Programs > Oracle - OraDb11g_home1 > Configuration and Migration Tools menu item.

4 Right-click the Start > All Programs > Oracle - OraDb11g_home1 menu item and select Rename.

5 Rename the OraDb11g_home1 portion of the menu item to Oracle_11.2.0.3.

6 Start the Oracle Database Configuration Assistant to create the Symantec Data Loss Prevention database. Choose Start > All Programs > Oracle - Oracle_11.2.0.3 > Configuration and Migration Tools > Database Configuration Assistant.

7 On the Welcome panel, click Next.

8 On the Operations panel, select Create a Database and click Next.


9 On the Database Templates panel, select Oracle 11g Database for Vontu v11 32 bit for 32-bit installations, or select Oracle 11g Database for Vontu v11 64 bit for 64-bit installations. Click Next.

Caution: You must use the Symantec Data Loss Prevention template to create the database. Do not use an alternate template or reuse an existing database instance. If you do not use the supplied template, failures can occur when you use Symantec Data Loss Prevention. Failures can also occur later when you try to upgrade the product.

10 On the Database Identification panel, set the database name (Global Database Name) and the Oracle System Identifier (SID) by performing the following steps in this order:

■ Enter protect in the Global Database Name field. The SID field is automatically set to protect. Keep the SID and the Global Database Name fields as the same value, "protect."

■ Click Next.

■ Write down the database name and SID for later use when you install the Symantec Data Loss Prevention software.

11 On the Management Options panel, perform the following steps in order:

■ Deselect Configure Enterprise Manager.

■ Select the Automatic Maintenance Tasks tab and deselect Enable automatic maintenance tasks.

■ Click Next.

12 On the Database Credentials panel, perform the following steps in order:

■ Select Use the Same Administrative Password for All Accounts.

■ Enter a password in the Password field.

■ Re-enter the same password in the Confirm Password field.

■ Click Next.

Follow these guidelines to create acceptable passwords:

■ Passwords cannot contain more than 30 characters.

■ Passwords cannot contain double quotation marks, commas, or backslashes.

■ Avoid using the & character.

■ Passwords are case-sensitive by default. You can change the case sensitivity through an Oracle configuration setting.

■ If your password uses special characters other than _, #, or $, or if your password begins with a number, you must enclose the password in double quotes when you configure it.

If you enter a password that does not meet these guidelines, Oracle keeps prompting for a password. You must enter a password. Do not kill the Oracle Database Configuration Assistant.

Note: You can optionally use different passwords for each user account type. The various user account types are SYS, SYSTEM, DBSNMP, and SYSMAN.

13 On the Database File Locations panel, accept the default selection, Use Database File Locations from Template, and click Finish.

The Database Configuration Assistant displays a Confirmation window with a summary of the database configuration.

14 Click OK on the Confirmation window to create the database.

The database creation can take up to 20 minutes to complete. If the database creation process fails or hangs, check the Oracle Database Configuration Assistant logs (located in the %ORACLE_HOME%\cfgtoollogs\dbca\SID folder) for errors (for example, c:\oracle\product\11.2.0.3\db_1\cfgtoollogs\dbca\protect).

When the database creation process is complete, another Database Configuration Assistant window opens and displays the database details.

15 Click Exit.

16 If the database service (OracleServicePROTECT) is down, start it using Windows Services. To view services, choose Start > Control Panel > Administrative Tools > Computer Management > Services and Applications, and then open Services.

Creating the TNS Listener on Windows

Perform the following procedure to create a TNS listener for the Symantec Data Loss Prevention database.


To create the TNS Listener

1 (Optional) If you logged on as a domain user, you must set the sqlnet.ora file SQLNET.AUTHENTICATION_SERVICES=() value to none. Otherwise, proceed to step 2.

To set the sqlnet.ora file SQLNET.AUTHENTICATION_SERVICES=() value, perform the following steps in this order:

■ Open sqlnet.ora, located in the %Oracle_Home%\network\admin folder (for example, c:\oracle\product\11.2.0\db_1\NETWORK\ADMIN), using a text editor.

■ Change the SQLNET.AUTHENTICATION_SERVICES=(NTS) value to none:

SQLNET.AUTHENTICATION_SERVICES=(none)

■ Save and close the sqlnet.ora file.

2 Start the Oracle Net Configuration Assistant by selecting Start > All Programs > Oracle 11.2.0.3 > Configuration and Migration Tools > Net Configuration Assistant.

3 On the Welcome panel, select Listener configuration and click Next.

4 On the Listener Configuration, Listener panel, select Add and click Next.

5 On the Listener Configuration, Listener Name panel, enter a listener name and click Next.

Note: Use the default listener name, LISTENER, unless you must use a different name.

6 On the Listener Configuration, Select Protocols panel, select the TCP protocol and click Next.

7 On the Listener Configuration, TCP/IP Protocol panel, select Use the standard port number of 1521 and click Next.

8 On the Listener Configuration, More Listeners? panel, select No and click Next.

9 On the Listener Configuration Done panel, click Next.

10 Leave the Oracle Net Configuration Assistant open to configure the Local Net Service Name.

See “Configuring the local net service name” on page 43.

11 On the computer that runs your Oracle database, open a command prompt. The command window must run as Administrator. (See your Microsoft Windows documentation.)

12 Run the following command:

lsnrctl stop

13 Open the following file in a text editor:

%ORACLE_HOME%\network\admin\listener.ora

14 Locate the following line:

(ADDRESS = (PROTOCOL = IPC)(KEY = <key_value>))

15 Change key_value to PROTECT.

16 Add the following line to the end of the file:

SECURE_REGISTER_LISTENER = (IPC)

17 Save the file and exit the text editor.

18 Run the following command:

lsnrctl start

19 Run the following commands to connect to the database using SQL Plus:

sqlplus /nolog

conn sys/<password> as sysdba

20 Run the following command:

ALTER SYSTEM SET local_listener = '(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=PROTECT)))' SCOPE=both;

21 Run the following command to register the listener:

ALTER SYSTEM REGISTER;

22 Exit SQL Plus by running the following command:

exit
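The two file edits in this procedure (step 1 and steps 13 through 16) are its security-relevant part: SQLNET.AUTHENTICATION_SERVICES=(none) turns off the operating-system (NTS) authentication adapter for the domain-user case, and SECURE_REGISTER_LISTENER = (IPC) limits dynamic instance registration to the local IPC endpoint, so only a process on the database host can register a service with this listener. The following Python script is an added example, not Symantec or Oracle code; it audits the two files after editing and reports anything that still deviates from what the procedure requires. The file contents embedded in it are constructed samples (the KEY value EXTPROC1521 stands in for whatever <key_value> the installer wrote), and the domain_logon flag is an assumption the caller supplies.

```python
import re

# Constructed sample contents (not copied from a real installation). The
# "before" files show the state the installer leaves; the "after" files show
# the state this procedure requires.
SQLNET_ORA_BEFORE = "SQLNET.AUTHENTICATION_SERVICES=(NTS)\n"
SQLNET_ORA_AFTER = "SQLNET.AUTHENTICATION_SERVICES=(none)\n"

LISTENER_ORA_BEFORE = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
    )
  )
"""
LISTENER_ORA_AFTER = (LISTENER_ORA_BEFORE.replace("EXTPROC1521", "PROTECT")
                      + "SECURE_REGISTER_LISTENER = (IPC)\n")

# One parameter per line in sqlnet.ora; the value is the text inside the parentheses.
AUTH_RE = re.compile(
    r"^\s*SQLNET\.AUTHENTICATION_SERVICES\s*=\s*\(([^)]*)\)", re.I | re.M)
# The IPC endpoint of the listener and its KEY value.
IPC_KEY_RE = re.compile(
    r"\(\s*ADDRESS\s*=\s*\(\s*PROTOCOL\s*=\s*IPC\s*\)\s*\(\s*KEY\s*=\s*([^)\s]+)\s*\)\s*\)",
    re.I)
SECURE_RE = re.compile(
    r"^\s*SECURE_REGISTER_LISTENER\s*=\s*\(\s*IPC\s*\)", re.I | re.M)


def audit_listener_config(sqlnet_text, listener_text, domain_logon,
                          expected_key="PROTECT"):
    """Return a list of findings; an empty list means both files match the procedure."""
    findings = []

    # Step 1: for a domain logon the NTS authentication adapter must be off.
    match = AUTH_RE.search(sqlnet_text)
    auth_value = match.group(1).strip() if match else None
    if domain_logon and (auth_value is None or auth_value.lower() != "none"):
        shown = "missing" if match is None else "(%s)" % auth_value
        findings.append("sqlnet.ora: SQLNET.AUTHENTICATION_SERVICES is %s, "
                        "expected (none) for a domain logon" % shown)

    # Steps 14-15: the IPC endpoint must carry the KEY the database registers against.
    keys = IPC_KEY_RE.findall(listener_text)
    if not keys:
        findings.append("listener.ora: no IPC ADDRESS entry found")
    elif expected_key.upper() not in [k.upper() for k in keys]:
        findings.append("listener.ora: IPC KEY is %s, expected %s"
                        % (", ".join(keys), expected_key))

    # Step 16: dynamic registration restricted to the IPC endpoint.
    if not SECURE_RE.search(listener_text):
        findings.append("listener.ora: SECURE_REGISTER_LISTENER = (IPC) is missing")

    return findings


if __name__ == "__main__":
    for label, sqlnet, listener in (("before", SQLNET_ORA_BEFORE, LISTENER_ORA_BEFORE),
                                    ("after", SQLNET_ORA_AFTER, LISTENER_ORA_AFTER)):
        print(label, audit_listener_config(sqlnet, listener, domain_logon=True) or ["OK"])
```

Run it against the real files by reading %ORACLE_HOME%\network\admin\sqlnet.ora and listener.ora into the two text arguments; a non-empty result is the list of steps that still have to be applied before lsnrctl start.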

23 Run the following command to verify the change:

lsnrctl services

The command output should display a message similar to the following:

Services Summary...

Service "protect" has 1 instance(s).

Instance "protect", status READY, has 1 handler(s) for this service...

Handler(s):

"DEDICATED" established:0 refused:0 state:ready

LOCAL SERVER

The command completed successfully
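The output in step 23 is the evidence that the instance registered itself with the listener through the IPC endpoint: the service must show status READY (not UNKNOWN, which indicates a static registration, and not BLOCKED) and at least one handler in state ready. The following Python parser is an added example, not Symantec or Oracle code; it extracts that information from captured lsnrctl services output so the check can be scripted rather than read by eye. The two transcripts embedded in it are constructed samples, one matching the expected output above and one showing an instance that is not yet ready.

```python
import re

# Constructed sample transcripts (not captured from a real system).
SAMPLE_READY = """\
Services Summary...
Service "protect" has 1 instance(s).
  Instance "protect", status READY, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:0 state:ready
         LOCAL SERVER
The command completed successfully
"""

SAMPLE_BLOCKED = """\
Services Summary...
Service "protect" has 1 instance(s).
  Instance "protect", status BLOCKED, has 1 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:0 refused:3 state:blocked
         LOCAL SERVER
The command completed successfully
"""

SERVICE_RE = re.compile(r'Service "([^"]+)" has (\d+) instance\(s\)')
INSTANCE_RE = re.compile(r'Instance "([^"]+)", status (\w+), has (\d+) handler\(s\)')
HANDLER_RE = re.compile(r'"(\w+)" established:(\d+) refused:(\d+) state:(\w+)')


def parse_lsnrctl_services(text):
    """Map service name -> list of instances, each with its handler list."""
    services = {}
    instances = None   # list for the service currently being read
    instance = None    # dict for the instance currently being read
    for line in text.splitlines():
        m = SERVICE_RE.search(line)
        if m:
            instances = services.setdefault(m.group(1), [])
            instance = None
            continue
        m = INSTANCE_RE.search(line)
        if m and instances is not None:
            instance = {"name": m.group(1), "status": m.group(2).upper(), "handlers": []}
            instances.append(instance)
            continue
        m = HANDLER_RE.search(line)
        if m and instance is not None:
            instance["handlers"].append({
                "name": m.group(1),
                "established": int(m.group(2)),
                "refused": int(m.group(3)),
                "state": m.group(4).lower(),
            })
    return services


def service_ready(text, service="protect"):
    """True when the service has a READY instance with at least one ready handler."""
    for inst in parse_lsnrctl_services(text).get(service, []):
        if inst["status"] == "READY" and any(h["state"] == "ready" for h in inst["handlers"]):
            return True
    return False


def refused_connections(text, service="protect"):
    """Total refused count over all handlers of the service; a rising value is worth investigating."""
    return sum(h["refused"]
               for inst in parse_lsnrctl_services(text).get(service, [])
               for h in inst["handlers"])


if __name__ == "__main__":
    for sample in (SAMPLE_READY, SAMPLE_BLOCKED):
        print("ready:", service_ready(sample), "refused:", refused_connections(sample))
```

To use it on a live system, capture the command output (for example with subprocess.check_output(["lsnrctl", "services"])) and pass the decoded text to service_ready; the same parser works for any service name, not only "protect".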

Configuring the local net service name

Perform the following procedure to configure the Local Net Service Name for the Symantec Data Loss Prevention database.

To configure the local net service name

1 If the Oracle Net Configuration Assistant is not already running, start it by selecting Start > All Programs > Oracle 11.2.0.3 > Configuration and Migration Tools > Net Configuration Assistant.

2 On the Welcome panel, select Local Net Service Name configuration and click Next.

3 On the Net Service Name Configuration panel, select Add and click Next.

4 On the Net Service Name Configuration, Service Name panel, enter "protect" in the Service Name field and click Next.

5 On the Net Service Name Configuration, Select Protocols panel, select TCP and click Next.

6 On the Net Service Name Configuration, TCP/IP Protocol panel:

■ Enter the IP address of the Oracle server computer in the Hostname field.

■ Select Use the standard port number of 1521 (the default value).

■ Click Next.

7 On the Net Service Name Configuration, Test panel, select No, do not test and click Next.

Do not test the service configuration, because the listener has not yet started.

8 On the Net Service Name Configuration, Net Service Name panel, accept the default name of "protect" and click Next.

9 On the Net Service Name Configuration, Another Net Service Name? panel, select No and click Next.

10 On the Net Service Name Configuration Done panel, click Next.

11 Click Finish to exit the Oracle Net Configuration Assistant.

Verifying the Symantec Data Loss Prevention database

After creating the Symantec Data Loss Prevention database, you should verify that it was created correctly.

To verify that the database was created correctly

1 Open a new command prompt and start SQL*Plus:

sqlplus /nolog

Using a new command prompt ensures that your Path environment variable includes the SQL*Plus directory.

2 Log on as the SYS user:

SQL> connect sys/password@protect as sysdba

Where password represents the SYS password.

3 Run the following query:

SQL> SELECT * FROM v$version;

4 Make sure that the output from the query contains the following information, which identifies the software components as version 11.2.0.3. For a 32-bit installation, the output should read:

BANNER

--------------------------------------------------------------------------------

Oracle Database 11g Release 11.2.0.3.0 - Production

PL/SQL Release 11.2.0.3.0 - Production

CORE 11.2.0.3.0 Production

TNS for 32-bit Windows: Version 11.2.0.3.0 - Production

NLSRTL Version 11.2.0.3.0 - Production

For a 64-bit installation, the output should read:

BANNER

--------------------------------------------------------------------------------

Oracle Database 11g Release 11.2.0.3.0 - 64-bit Production

PL/SQL Release 11.2.0.3.0 - Production

CORE 11.2.0.3.0 Production

TNS for 64-bit Windows: Version 11.2.0.3.0 - Production

NLSRTL Version 11.2.0.3.0 - Production

5 Exit SQL*Plus:

SQL> exit
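Step 4 is a visual comparison; the check below scripts it. It is an added Python example, not Symantec or Oracle code, that reads the five BANNER rows as SQL*Plus prints them, confirms that every component reports 11.2.0.3.0, and takes the bitness from the TNS row so it can be compared with the installation that was intended. The banner text embedded in it is a constructed sample that follows the 64-bit output shown above; the second sample deliberately leaves one component at an older version to show how a mismatch is reported.

```python
import re

EXPECTED_VERSION = "11.2.0.3.0"

# Constructed sample of the 64-bit query output shown in step 4.
SAMPLE_BANNER_64 = """\
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Release 11.2.0.3.0 - 64-bit Production
PL/SQL Release 11.2.0.3.0 - Production
CORE    11.2.0.3.0      Production
TNS for 64-bit Windows: Version 11.2.0.3.0 - Production
NLSRTL Version 11.2.0.3.0 - Production
"""

# Constructed sample where one component is still at an older version.
SAMPLE_BANNER_MIXED = SAMPLE_BANNER_64.replace(
    "PL/SQL Release 11.2.0.3.0", "PL/SQL Release 11.2.0.1.0")

VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+\.\d+\.\d+)\b")
TNS_RE = re.compile(r"TNS for (\d+)-bit Windows", re.I)


def banner_rows(text):
    """The component rows of a v$version result, without the header and separator."""
    rows = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s == "BANNER" or set(s) == {"-"}:
            continue
        rows.append(s)
    return rows


def check_version_banner(text, expected=EXPECTED_VERSION, expected_bits=None):
    """Return {"ok", "findings", "bits", "components"} for a captured banner."""
    findings = []
    components = {}   # first word of each row -> version string it reports
    bits = None
    rows = banner_rows(text)
    if len(rows) != 5:
        findings.append("expected 5 component rows, found %d" % len(rows))
    for row in rows:
        name = row.split()[0]
        m = VERSION_RE.search(row)
        if not m:
            findings.append("no version number in row: %s" % row)
            continue
        components[name] = m.group(1)
        if m.group(1) != expected:
            findings.append("%s reports %s, expected %s" % (name, m.group(1), expected))
        t = TNS_RE.search(row)
        if t:
            bits = int(t.group(1))
    if bits is None:
        findings.append("no TNS row; cannot tell whether this is a 32-bit or 64-bit install")
    elif expected_bits is not None and bits != expected_bits:
        findings.append("TNS reports a %d-bit install, expected %d-bit" % (bits, expected_bits))
    return {"ok": not findings, "findings": findings, "bits": bits, "components": components}


if __name__ == "__main__":
    print(check_version_banner(SAMPLE_BANNER_64))
    print(check_version_banner(SAMPLE_BANNER_MIXED))
```

Pass expected_bits=32 or expected_bits=64 to make the check also fail when the wrong architecture was installed; leave it at None to only verify the version numbers.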

Creating the Oracle user account for Symantec Data Loss Prevention

Perform the following procedure to create an Oracle user account and name it “protect.”

To create the new Oracle user account named protect

1 Extract the SQL script file, oracle_create_user.sql, from the 11g_r2_32_bit_Installation_Tools.zip or 11g_r2_64_bit_Installation_Tools.zip file to a local directory.

2 Open a command prompt and go to the directory where you extracted the oracle_create_user.sql file.


3 Start SQL*Plus:

sqlplus /nolog

4 Run the oracle_create_user.sql script:

SQL> @oracle_create_user.sql

5 At the Please enter the password for sys user prompt, enter the password for the SYS user.

6 At the Please enter sid prompt, enter "protect."

7 At the Please enter required username to be created prompt, enter "protect" for the user name.

8 At the Please enter a password for the new username prompt, enter a new password.

Follow these guidelines to create acceptable passwords:

■ Passwords cannot contain more than 30 characters.

■ Passwords cannot contain double quotation marks, commas, or backslashes.

■ Avoid using the & character.

■ Passwords are case-sensitive by default. You can change the case sensitivity through an Oracle configuration setting.

■ If your password uses special characters other than _, #, or $, or if your password begins with a number, you must enclose the password in double quotes when you configure it.

Store the password in a secure location for future use. You must use this password to install Symantec Data Loss Prevention. If you need to change the password after you install Symantec Data Loss Prevention, see the Symantec Data Loss Prevention Administration Guide for instructions.
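The guidelines above, and the identical list under step 12 of “Creating the Symantec Data Loss Prevention database”, are easy to get wrong by hand, and a rejected password only makes the Oracle tools prompt again. The Python checker below is an added example, not Symantec or Oracle code; it applies those rules to a candidate password before you type it into the Database Configuration Assistant or the oracle_create_user.sql prompt, separating hard failures (too long, forbidden characters) from the advisory rule about &, and reporting whether the value must be wrapped in double quotes when you configure it. The sample passwords in it are constructed.

```python
MAX_LENGTH = 30
FORBIDDEN = {'"', ",", "\\"}     # never allowed in the password
DISCOURAGED = {"&"}              # allowed, but the guide says to avoid it
SAFE_SPECIALS = {"_", "#", "$"}  # special characters that do not force quoting


def check_oracle_password(password):
    """Check one candidate password against the guide's rules.

    Returns a dict with:
      ok             True when no hard rule is broken
      problems       hard-rule violations (empty when ok)
      warnings       advisory findings that do not block use
      needs_quoting  True when the value must be enclosed in double quotes
      as_configured  the exact text to type, quoted when required
    """
    problems, warnings = [], []

    if not password:
        problems.append("password is empty")
    if len(password) > MAX_LENGTH:
        problems.append("longer than %d characters (%d)" % (MAX_LENGTH, len(password)))

    forbidden_present = sorted(c for c in set(password) if c in FORBIDDEN)
    if forbidden_present:
        problems.append("contains forbidden character(s): " + " ".join(forbidden_present))

    if any(c in DISCOURAGED for c in password):
        warnings.append("contains &, which the guide says to avoid")

    # Quoting is required for a leading digit or for any special character
    # other than _, #, and $.
    needs_quoting = password[:1].isdigit() or any(
        not c.isalnum() and c not in SAFE_SPECIALS for c in password)

    return {
        "ok": not problems,
        "problems": problems,
        "warnings": warnings,
        "needs_quoting": needs_quoting,
        "as_configured": '"%s"' % password if needs_quoting else password,
    }


if __name__ == "__main__":
    # Constructed samples covering each rule.
    for candidate in ("Protect_2013#", "2013Protect", "pro,tect", "pass&word", "a" * 31):
        report = check_oracle_password(candidate)
        print(repr(candidate), "ok" if report["ok"] else report["problems"],
              report["warnings"], "type as:", report["as_configured"])
```

The quoting rule is applied even to passwords that fail a hard rule, so as_configured is only meaningful when ok is True; treat the problems list as the thing to fix first.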

Locking the DBSNMP Oracle user account

To maintain security, you should lock the Oracle DBSNMP user account.


To lock the Oracle DBSNMP user account

1 Open a command prompt and start SQL*Plus:

sqlplus /nolog

2 Log on as the SYS user:

SQL> connect sys/password as sysdba

Where password is the SYS password.

3 Lock the DBSNMP user account:

SQL> ALTER USER dbsnmp ACCOUNT LOCK;

4 Exit SQL*Plus:

SQL> exit


Chapter 4

Installing the Data Classification Service

This chapter includes the following topics:

■ Enforce Server and Classification Server minimum requirements

■ Installing an Enforce Server

■ Verifying an Enforce Server installation

■ About the Data Classification for Enterprise Vault Solution Pack

■ Importing the solution pack

■ Classification Server installation preparations

■ Installing a Classification Server

■ Verifying a Classification Server installation

■ Registering a Classification Server

■ Configuring the Classification Server

■ About post-installation security configuration

Enforce Server and Classification Server minimum requirements

The following table describes the minimum system requirements for running the Enforce Server or a Classification Server on dedicated server hardware.


Table 4-1 Enforce Server and Classification Server minimum system requirements

Processor (Enforce Server and Classification Server)

■ 2 x 3.0-GHz CPUs for small or medium enterprises

■ 2 x 3.0 GHz dual-core CPUs for large or very large enterprises

Memory (Enforce Server and Classification Server)

■ 6–8 GB RAM for small or medium enterprises

■ 8–16 GB RAM for large or very large enterprises

Disk requirements

■ Enforce Server: 500 GB, RAID 1+0 or RAID 5 for small or medium enterprises; 1 TB, RAID 1+0 or RAID 5 for large or very large enterprises

■ Classification Server: 140 GB Ultra SCSI

NICs

■ Enforce Server: to communicate with detection servers, 1 copper or fiber 1 Gb/100 Mb Ethernet NIC

■ Classification Server: to communicate with Enforce Server, 1 copper or fiber 1 Gb/100 Mb Ethernet NIC

Operating system (Enforce Server and Classification Server)

■ Microsoft Windows Server 2003, Enterprise Edition (32-bit) with Service Pack 2 or later, or

■ Microsoft Windows Server 2008 R2, Standard Edition (64-bit) or later, or

■ Microsoft Windows Server 2008 R2, Enterprise Edition (64-bit) or later

Symantec also supports running the Enforce Server or a Classification Server on the following virtualization products:

■ VMware ESX version 3.5 (32-bit or 64-bit hardware)

■ VMware ESX version 4.0 (64-bit hardware)

■ VMware ESX version 4.1 (64-bit hardware)

■ VMware ESXi version 4.1 (64-bit hardware)

At a minimum, ensure that each virtual server environment matches the system requirements for the servers that are described in this document. A variety of factors influence performance of virtual machine configurations, including the number of CPUs, the amount of dedicated RAM, and the resource reservations for CPU cycles and RAM. The virtualization overhead and guest operating system overhead can lead to a performance degradation in throughput for large datasets compared to a system running on physical hardware. Use your own test results as a basis for sizing deployments to virtual machines.

For detailed information on the full system requirements for Symantec Data Loss Prevention, see the Symantec Data Loss Prevention System Requirements and Compatibility Guide. This guide is updated as new information becomes available. You can find the latest version of the guide by accessing the following article in the Symantec Data Loss Prevention knowledgebase (you must have an account for the knowledgebase to access this article):

https://kb-vontu.altiris.com/article.asp?article=55043

Browser requirements for accessing the Enforce Server administration console

Windows clients can access the Enforce Server administration console using any of the following browsers:

■ Microsoft Internet Explorer 8.x, 9.x

■ Mozilla Firefox versions 8 through 12

Installing an Enforce Server

The instructions that follow describe how to install an Enforce Server.

Before you install an Enforce Server:

■ Complete the preinstallation steps.

■ Verify that the system is ready for installation.

■ Ensure that the Oracle software and Symantec Data Loss Prevention database is installed on the appropriate system.

■ For single- and two-tier Symantec Data Loss Prevention installations, Oracle is installed on the same computer as the Enforce Server.

■ For a three-tier installation, Oracle is installed on a separate server. For a three-tier installation, the Oracle Client (SQL*Plus and Database Utilities) must be installed on the Enforce Server computer to enable communication with the Oracle server.

■ Before you begin, make sure that you have access and permission to run the Symantec Data Loss Prevention installer software: ProtectInstaller_11.6.exe for 32-bit platforms or ProtectInstaller64_11.6.exe for 64-bit platforms.

If you intend to run Symantec Data Loss Prevention using Federal Information Processing Standards (FIPS) encryption, you must first prepare for FIPS encryption. You must also run the ProtectInstaller with the appropriate FIPS parameter.

For more information about FIPS encryption, see the Symantec Data Loss Prevention Administration Guide.

Note: The following instructions assume that the ProtectInstaller_11.6.exe or ProtectInstaller64_11.6.exe file and license file have been copied into the c:\temp directory on the Enforce Server computer.

To install an Enforce Server

1 Symantec recommends that you disable any antivirus, pop-up blocker, and registry protection software before you begin the Symantec Data Loss Prevention installation process.

2 Log on (or remote log on) as Administrator to the Enforce Server system on which you intend to install Enforce.

3 Go to the folder where you copied the ProtectInstaller_11.6.exe or ProtectInstaller64_11.6.exe file (c:\temp).

4 Double-click ProtectInstaller_11.6.exe or ProtectInstaller64_11.6.exe to execute the file, and click OK.

5 In the Welcome panel, click Next.

6 After you review the license agreement, select I accept the agreement, and click Next.

Note: The license file that you require is the one that you generated for Enterprise Vault with Data Classification Services.

7 In the Select Components panel, select the type of installation you are performing and then click Next.

There are four choices:

■ Enforce: Select Enforce to install Symantec Data Loss Prevention on an Enforce Server for two- or three-tier installations. When you select Enforce, the Indexer is also automatically selected by default.

■ Detection: Select Detection to install a detection server as part of a two- or three-tier installation.

■ Indexer: Select Indexer to install a remote indexer.

■ Single Tier: Select Single Tier to install all components on a single system.

Choose Enforce if you are deploying a two-tier or three-tier system. Select Single Tier to install a single tier system.

8 In the License File panel, browse to the directory containing your license file. Select the license file, and click Next.

License files have names in the format name.slf.

9 In the Select Destination Directory panel, accept the default destination directory, or enter an alternate directory, and click Next. The default installation directory is:

c:\SymantecDLP

Symantec recommends that you use the default destination directory. References to the "installation directory" in Symantec Data Loss Prevention documentation are to this default location.

Enter directory names, account names, passwords, IP addresses, and port numbers that you create or specify during the installation process using standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte characters are not supported.

Note: Do not install Symantec Data Loss Prevention in any directory that includes spaces in its path. For example, c:\Program Files\SymantecDLP is not a valid installation folder because there is a space between “Program” and “Files.”

10 In the Select Start Menu Folder panel, enter the Start Menu folder where you want the Symantec Data Loss Prevention shortcuts to appear.

The default is Symantec Data Loss Prevention.

11 Select one of the following options and then click Next.

■ Create shortcuts for all users: The shortcuts are available in the same location for all users of the Enforce Server.

■ Don’t create a Start Menu folder: The Symantec Data Loss Prevention shortcuts are not available from the Start menu.


12 In the System Account panel, create the Symantec Data Loss Prevention system account user name and password and confirm the password. Then click Next.

This account is used to manage Symantec Data Loss Prevention services. The default user name is “protect.”

Note: The password you enter for the System Account must conform to the password policy of the server. For example, the server may require all passwords to include special characters.

13 In the Transport Configuration panel (this panel only appears during single-tier installations), enter an unused port number that Symantec Data Loss Prevention servers can use to communicate with each other and click Next. The default port is 8100.

14 In the Symantec Management Console panel, click Next to continue. This option does not apply when installing Enterprise Vault Data Classification Services.

15 In the Oracle Database Server Information panel, enter the location of the Oracle database server. Specify one of the following options in the Oracle Database Server field:

■ Two-tier installation (Enforce and Oracle servers on the same system): The Oracle Server location is 127.0.0.1.

■ Three-tier installation (Enforce Server and Oracle server on different systems): Specify the Oracle server host name or IP address. To install into a test environment that has no DNS available, use the IP address of the Oracle database server.

16 Enter the Oracle Listener Port, or accept the default, and click Next.

17 In the Oracle Database User Configuration panel, enter the Symantec Data Loss Prevention database user name and password. Confirm the password and enter the database SID (typically “protect”), then click Next.

If your Oracle database is not the correct version, you are warned and offered the choice of continuing or canceling the installation. You can continue and upgrade the Oracle database later.

Note: Symantec Data Loss Prevention requires the Oracle database to use the AL32UTF8 character set. If your database is configured for a different character set, you are notified and the installation is canceled. Correct the problem and re-run the installer.


18 In the Additional Locale panel, select an alternate locale, or accept the default of None, and click Next.

Locale controls the format of numbers and dates, and how lists and reports are alphabetically sorted. If you accept the default choice of None, English is the locale for this Symantec Data Loss Prevention installation. If you choose an alternate locale, that locale becomes the default for this installation, but individual users can select English as a locale for their use.

See the Symantec Data Loss Prevention Administration Guide for more information on locales.

19 Select one of the following options in the Initialize DLP Database panel:

■ For a new Symantec Data Loss Prevention installation, make sure that the Initialize Enforce Data box is checked and then click Next. You can also check this box if you are reinstalling and want to overwrite the existing Enforce schema and all data. Note that this action cannot be undone. If this check box is selected, the data in your existing Symantec Data Loss Prevention database is destroyed after you click Next.

■ Clear the Initialize Enforce Data check box if you want to perform a recovery operation. Clearing the check box skips the database initialization process. If you choose to skip the database initialization, you must specify the unique CryptoMasterKey.properties file for the existing database that you want to use.


20 In the Single Sign On Option panel, select the sign-on option that you want to use for accessing the Enforce Server administration console, then click Next:

Option: Symantec Protection Console
Description: Select this option if you want to integrate the Enforce Server with a single Symantec Protection Center (SPC) instance. With SPC integration, a user first logs into the SPC console, and may then access the Enforce Server administration console from within the SPC interface. To fully integrate SPC with the Enforce Server, register an SPC instance and configure SPC users after the installation is complete. See the Symantec Data Loss Prevention Administration Guide for more information.

Option: Certificate Authentication
Description: Select this option if you want users to automatically log on to the Enforce Server administration console using client certificates that are generated by your public key infrastructure (PKI). If you choose certificate authentication, import the certificate authority (CA) certificates that are required to validate users' client certificates. You also need to create Enforce Server user accounts to map common name (CN) values in certificates to Symantec Data Loss Prevention roles. See the Symantec Data Loss Prevention Administration Guide for more information.

Option: None
Description: Select None if you want users to log onto the Enforce Server administration console using passwords that were entered at the sign-on page.

Note: If you are unsure of which sign-on mechanism to use, select None to use the forms-based sign-on mechanism. Forms-based sign-on with password authentication is the default mechanism used in previous versions of Symantec Data Loss Prevention. You can choose to configure certificate authentication or SPC-integrated authentication after you complete the installation, using instructions in the Symantec Data Loss Prevention Administration Guide.

21 If you selected either Symantec Protection Console or None as your log on option, skip this step.

In the Import Certificates panel, select options for certificate authentication, then click Next:

Option: Import Certificates / Select Certificate Directory
Description: Select Import Certificates if you want to import certificate authority (CA) certificates during the Enforce Server installation. CA certificates are required to validate client certificates when you choose Certificate Authentication sign on. If the necessary CA certificates are available on the Enforce Server computer, select Import Certificates and click Browse to navigate to the directory where the .cer files are located. Uncheck Import Certificates if the necessary certificates are not available on the Enforce Server computer, or if you do not want to import certificates at this time. You can import the required certificates after installation using instructions in the Symantec Data Loss Prevention Administration Guide.

Option: Allow Form Based Authentication
Description: Select this option if you want to support password authentication with forms-based sign-on in addition to single sign-on with certificate authentication. Symantec recommends that you select this option as a backup while you configure and test certificate authentication with your PKI. You can disable password authentication and forms-based sign-on after you have validated that certificate authentication is correctly configured for your system.


22 If you chose to initialize the Enforce Server database, skip this step.

If you chose to re-use an existing Enforce Server database, the installer displays the Key Ignition Configuration panel. Click Browse and navigate to select the unique CryptoMasterKey.properties file that was used to encrypt the database.

Note: Each Symantec Data Loss Prevention installation encrypts its database using a unique CryptoMasterKey.properties file. An exact copy of this file is required if you intend to reuse the existing Symantec Data Loss Prevention database. If you do not have the CryptoMasterKey.properties file for the existing Enforce Server database, contact Symantec Technical Support to recover the file.

Click Next to continue the installation.


23 If you chose to re-use an existing Enforce Server database, skip this step.

In the Administrator Credentials panel, specify information according to the sign-on option that you selected and click Next:

Option: Password / Re-enter Password
Description: If you chose an option to support password authentication with forms-based log on, enter a password for the Enforce Server Administrator account in both the Password and Re-enter Password fields. The Administrator password must contain a minimum of eight characters. You can change the Administrator password from the Enforce Server administration console at any time. Note: These fields are not displayed if you selected Certificate Authentication but you did not select Allow Form Based Authentication. In this case, you must log on to the Enforce Server administration console using a client certificate that contains the administrator's common name value.

Option: Common Name (CN)
Description: If you chose to support certificate authentication, enter the Common Name (CN) value that corresponds to the Enforce Server Administrator user. The Enforce Server will assign administrator privileges to the user who logs on with a client certificate that contains this CN value. Note: This field is displayed only if you selected Certificate Authentication.

24 The installation process begins. After the Installation Wizard extracts the files, it connects to the database using the name and password that you entered earlier. The wizard then creates the database tables. If any problems with the database are discovered, a notification message appears.

After a successful installation, a completion notice appears.

Select the Start Services check box to start the Symantec Data Loss Prevention services. The services can also be started or stopped through the operating system.


25 Click Finish.

26 Restart any antivirus, pop-up blocker, or other protection software that you disabled before starting the Symantec Data Loss Prevention installation process.

27 Verify that the Enforce Server is properly installed.

See “Verifying an Enforce Server installation” on page 60.

28 Import a Symantec Data Loss Prevention solution pack immediately after installing the Enforce Server, and before installing any detection servers.

29 Back up the unique CryptoMasterKey.properties file for your installation and store the file in a safe place. This file is required for Symantec Data Loss Prevention to encrypt and decrypt the Enforce Server database.

Note: Each Symantec Data Loss Prevention installation encrypts its database using a unique CryptoMasterKey.properties file. An exact copy of this file is required if you intend to reuse the existing Symantec Data Loss Prevention database. If the CryptoMasterKey.properties file becomes lost or corrupted and you do not have a backup, contact Symantec Technical Support to recover the file.

Verifying an Enforce Server installation

After installing an Enforce Server, verify that it is operating correctly before importing a solution pack.

To verify the Enforce Server installation

1 Confirm that Oracle Services (OracleOraDb11g_home1TNSListener and OracleServicePROTECT) automatically start upon system restart.

2 If you selected the option Start Services, then confirm that all of the Symantec Data Loss Prevention Services are running under the System Account user name that you specified during installation.

Note that on Windows platforms, all services run under the System Account user name (by default, “protect”), except for the Vontu Update services, which run as username_update (by default, “protect_update”).

Symantec Data Loss Prevention includes the following services:

■ Vontu Manager

■ Vontu Incident Persister


■ Vontu Notifier

■ Vontu Update

■ Vontu Monitor Controller

3 If the Symantec Data Loss Prevention services do not start, check the log files for possible issues (for example, connectivity, password, or database access issues).

■ The Symantec Data Loss Prevention installation log is c:\SymantecDLP\.install4j\installation.log.

■ Symantec Data Loss Prevention operational logs are in c:\SymantecDLP\Protect\logs.

■ Oracle logs can be found in c:\app\Administrator\admin\protect on the Oracle server computer.

4 Once you have verified the Enforce Server installation, you can log on to the Enforce Server to view the administration console. Using the administration console, go to System > Settings > General and confirm that all of your licenses have been correctly activated.

See the Symantec Data Loss Prevention Administration Guide for information about logging on to, and using, the Enforce Server administration console.

About the Data Classification for Enterprise Vault Solution Pack

The Data Classification for Enterprise Vault Solution Pack contains all of the initial policies, roles, reports, and incident statuses that you can use. You must install the Solution Pack to the Enforce Server before you install or register new Classification Server instances.

Note: You can use the installed solution pack policies as-is or modify them to create your own classification policies. Keep in mind that if you modify or delete an installed Solution Pack policy, you cannot recover the original policy by reinstalling the Solution Pack. If you want to preserve the original policies, use the installed policies to create policy templates. Use the templates to create your own custom policies.

See “About the installed classification policies” on page 95.

The Data Classification for Enterprise Vault Solution Pack file is named Data_Classification_Enterprise_Vault_v11.6.vsp. The Solution Pack file is in the same compressed file as the Symantec Data Loss Prevention installer. When you unzip the file, the solution packs are copied to the DLPDownloadHome\DLP\Symantec_DLP_11_Win\11.6\Solution_Packs\ directory where DLPDownloadHome is the name of your installation directory.

The Solution Pack also installs the user accounts and the roles that are described in Table 4-2. You can add additional roles as needed for your organization.

Table 4-2 Users and roles installed with the Solution Pack

User name: Admin
Assigned role: Sys Admin
Role description and privileges: This role is provided as an alternative to the built-in Symantec Data Loss Prevention Administrator role. It contains the following role permissions:

■ User Administration (Superuser)

■ Server Administration

■ View (all incidents and classification events)

This role can access all incidents, but has no policy management privileges.

User name: User 1
Assigned role: Reporting and Policy Authoring
Role description and privileges: This role is provided for creating and managing classification policies. It contains the following role permissions:

■ View (classification events only)

■ Actions:

    ■ Remediate incidents

    ■ Look up attributes

    ■ Delete incidents

    ■ Export Web Archive

    ■ XML Export

    ■ CSV Attachment in Email Reports

■ Display Attributes (all shared attributes)

    ■ Matches

    ■ History

    ■ Body

    ■ Attachments

    ■ Sender

    ■ Recipients

    ■ Subject

    ■ Original Message

■ Edit all Custom Attributes

This role can access all incidents. It can also author policies and response rules, and can access all policy groups.

The Solution Pack creates two incident status groups that can be used as you test your classification policies. While a policy operates in test mode, it creates open incidents with a status value of New. You can evaluate and close an individual incident by setting its status value to Positive if the incidents correctly classify the content. Or, you can close an incident by setting its status value to False Positive if incorrect content triggered the policy classification. You can then view test incidents using the saved reports that are installed with the solution pack described in Table 4-3.

Table 4-3 Saved reports installed with the Solution Pack

Report name: Events - All
Applied filters: none
Description: Lists all classification events, sorted by policy, status, and date.

Report name: False Positive Events
Applied filters: Status = False Positive
Description: Lists false positive classification events sorted by policy and date.

Report name: Positive Events
Applied filters: Status = Positive
Description: Lists positive classification events sorted by policy and date.

Importing the solution pack

You import the Data Classification for Enterprise Vault solution pack on the Enforce Server computer. The following rules apply when you import the solution pack:

■ You must import the solution pack immediately after you install the Enforce Server and before you install any detection server. (If you performed a single-tier installation, you must import the solution pack immediately after the installation is complete.)

■ Only import a solution pack that was created for the specific Enforce Server version you installed. Do not import a solution pack that was released with a previous version of the Symantec Data Loss Prevention software.

■ Do not attempt to import more than one solution pack on the same Enforce Server, as the solution pack import fails.

■ Do not import a solution pack on an Enforce Server that was modified after the initial installation; the solution pack import fails.

■ After you import a solution pack, you cannot change the installation to use a different solution pack at a later time.


To import the solution pack

1 Log on (or remote log on) as Administrator to the Enforce Server computer.

2 Copy the solution pack file from DLPDownloadHome\DLP\Symantec_DLP_11_Win\11.6_Win\Solution_Packs\ to a temporary directory. The solution pack is named Data_Classification_Enterprise_Vault_v11.6.vsp.

3 In Windows Services, stop all Symantec Data Loss Prevention services except for the Notifier service. The Notifier service must remain running.

Stop the following services:

■ Vontu Update

■ Vontu Incident Persister

■ Vontu Manager

■ Vontu Monitor (if a single-tier installation)

■ Vontu Monitor Controller

4 From the command-line prompt, change to the \Vontu\protect\bin directory on the Enforce Server. This directory contains the SolutionPackInstaller.exe application. For example:

cd c:\Vontu\Protect\bin

5 Import the solution pack by running SolutionPackInstaller.exe from the command line and specifying the solution pack directory path and file name. The solution pack directory must not contain spaces.

For example, if you placed a copy of the solution pack in the directory of the Enforce Server, you would enter:

SolutionPackInstaller.exe import c:\Vontu\Data_Classification_Enterprise_Vault_v11.6.vsp

6 Check the solution pack installer messages to be sure that the installation has succeeded without error.

7 Restart the Symantec Data Loss Prevention services you stopped.

Make sure that the Vontu Notifier service is also running. If the Notifier service is not running, start Notifier first, and then start the other Symantec Data Loss Prevention services:

■ Vontu Notifier

■ Vontu Manager

■ Vontu Monitor (if a single-tier installation)


■ Vontu Incident Persister

■ Vontu Update

■ Vontu Monitor Controller

8 After you have completed importing the solution pack, complete the installation by installing and registering a Classification Server.
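The stop, import, and restart sequence of steps 3 through 7, written as an added PowerShell example that is not part of the Symantec guide. It assumes the default c:\Vontu\Protect\bin path from step 4, a solution pack already copied to a directory without spaces, and that SolutionPackInstaller.exe returns a zero exit code on success (an assumption; still read its messages as step 6 requires).

```powershell
# Added example, not from the Symantec guide: stop the services the procedure
# lists (never Vontu Notifier), run the import, and restart them with Notifier first.
# Assumptions: default c:\Vontu\Protect\bin, a solution pack already copied to a
# space-free directory, and a zero exit code from SolutionPackInstaller.exe on success.
param(
    [string]$SolutionPack = 'c:\Vontu\Data_Classification_Enterprise_Vault_v11.6.vsp',
    [string]$BinDir       = 'c:\Vontu\Protect\bin'
)

# Step 5: the solution pack directory must not contain spaces.
if ($SolutionPack -match ' ')       { throw "solution pack path must not contain spaces: $SolutionPack" }
if (-not (Test-Path $SolutionPack)) { throw "solution pack not found: $SolutionPack" }
if (-not (Test-Path "$BinDir\SolutionPackInstaller.exe")) { throw "SolutionPackInstaller.exe not found in $BinDir" }

# Step 3: services to stop. Vontu Monitor is present only on a single-tier installation.
$stopOrder  = 'Vontu Update', 'Vontu Incident Persister', 'Vontu Manager', 'Vontu Monitor', 'Vontu Monitor Controller'
# Step 7: restart order, Notifier first.
$startOrder = 'Vontu Notifier', 'Vontu Manager', 'Vontu Monitor', 'Vontu Incident Persister', 'Vontu Update', 'Vontu Monitor Controller'

foreach ($name in $stopOrder) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Stopped') {
        Write-Host "Stopping $name"
        Stop-Service -Name $name
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
    }
}

# The Notifier service must remain running during the import.
if ((Get-Service -Name 'Vontu Notifier').Status -ne 'Running') {
    Start-Service -Name 'Vontu Notifier'
}

# Steps 4 to 6: run the installer from its bin directory and keep its output.
$log = Join-Path $env:TEMP 'solutionpack-import.log'
Push-Location $BinDir
try {
    & .\SolutionPackInstaller.exe import $SolutionPack 2>&1 | Tee-Object -FilePath $log
    $rc = $LASTEXITCODE
} finally {
    Pop-Location
}
if ($rc -ne 0) { throw "SolutionPackInstaller.exe exited with code $rc; review $log before restarting services" }

# Step 7: restart the services, Notifier first, then the rest.
foreach ($name in $startOrder) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') {
        Write-Host "Starting $name"
        Start-Service -Name $name
    }
}
Write-Host "Import complete; output saved to $log"
```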

Classification Server installation preparations

Before installing a Classification Server:

■ You must install the Enforce Server (or a single-tier Symantec Data Loss Prevention installation) and import a solution pack before installing a Classification Server.

■ Complete the preinstallation steps on the Classification Server system.

■ Verify that the system is ready for Classification Server installation.

■ Before you begin, make sure that you have access and permission to run the Symantec Data Loss Prevention installer software: ProtectInstaller_11.6.exe for 32-bit installations or ProtectInstaller64_11.6.exe for 64-bit installations.

See “Installing a Classification Server” on page 66.

Installing a Classification Server

Follow this procedure to install the detection server software on a server computer. Note that you specify the type of detection server during the server registration process that follows this installation process.

Note: Symantec recommends that you disable any antivirus, pop-up blocker, and registry-protection software before you begin the detection server installation process.

Note: The following instructions assume that the ProtectInstaller_11.6.exe or ProtectInstaller64_11.6.exe file has been copied into the c:\temp directory on the server computer.


Note: The Classification Server must remain as part of Active Directory. Classification cannot match on user groups based on Active Directory unless it is installed on the domain. The Enforce Server does not need to remain as part of Active Directory.

To install a Classification Server

1 Make sure that installation preparations are complete.

See “Classification Server installation preparations” on page 66.

2 Log on (or remote logon) as Administrator to the computer that is intended for the server.

3 Copy the Symantec Data Loss Prevention installer (ProtectInstaller_11.6.exe or ProtectInstaller64_11.6.exe) from the Enforce Server to a local directory on the detection server.

ProtectInstaller_11.6.exe and ProtectInstaller64_11.6.exe are included in your software download (DLPDownloadHome directory). They should have been copied to a local directory on the Enforce Server during the Enforce Server installation process.

4 Click Start > Run > Browse to navigate to the folder where you copied the ProtectInstaller_11.6.exe or ProtectInstaller64_11.6.exe file.

5 Double-click ProtectInstaller_11.6.exe or ProtectInstaller64_11.6.exe to execute the file, and click OK.

The installer files unpack, and the Welcome panel of the Installation Wizard appears.

6 Click Next.

The License Agreement panel appears.

7 After reviewing the license agreement, select I accept the agreement, and click Next.

The Select Components panel appears.

8 In the Select Components panel, select Detection and click Next.

9 In the Hosted Network Prevent panel, click Next to continue. This option does not apply when installing Enterprise Vault Data Classification Services.


10 In the Select Destination Directory panel, accept the default destination directory, or enter an alternate directory, and click Next. For example:

c:\SymantecDLP

Symantec recommends that you use the default destination directory. However, you can click Browse to navigate to a different installation location instead.

Directory names, IP addresses, and port numbers created or specified during the installation process must be entered in standard 7-bit ASCII characters only. Extended (hi-ASCII) and double-byte characters are not supported.

Note: Do not install Symantec Data Loss Prevention in a folder or path that includes spaces. For example, c:\Program Files\SymantecDLP is not a valid installation location.

11 In the Select Start Menu Folder panel, enter the Start Menu folder where you want the Symantec Data Loss Prevention shortcuts to appear.

The default is Symantec DLP.

12 Select one of the following options:

■ Create shortcuts for all users. The shortcuts are available in the same location for all users of the Enforce Server.

■ Don’t create a Start Menu folder. The Symantec Data Loss Prevention shortcuts are not available from the Start menu.

13 In the System Account panel, create the Symantec Data Loss Prevention system account user name and password, and confirm the password. Then click Next.

This account is used to manage the Symantec Data Loss Prevention services.

The password you enter for the System Account must conform to the password policy of the server operating system. For example, the server on which you install Symantec Data Loss Prevention may require that all passwords include special characters.

The Transport Configuration panel appears.

14 Enter the following settings and then click Next.

■ Port. Accept the default port number (8100) on which the detection server should accept connections from the Enforce Server. If you cannot use the default port, you can change it to any port higher than port 1024, in the range of 1024–65535.

■ Network Interface (bind address). Enter the detection server network interface to use to communicate with the Enforce Server. If there is only one network interface, leave this field blank.

The Installing panel appears, and displays a progress bar. After a successful installation, the Completing panel appears.

15 Check the Start Services box to start the Symantec Data Loss Prevention services and then click Finish.

The services can also be started or stopped using the Windows Services utility.

Note that starting all of the services can take up to a minute. The installation program window may persist for a while, during the startup of the services.

16 Restart any antivirus, pop-up blocker, or other protection software that you disabled before starting the Symantec Data Loss Prevention installation process.

17 Verify the detection server installation.

See “Verifying a Classification Server installation” on page 69.

18 Use the Enforce Server administration console to register the server with theEnforce Server.

During the server registration process, you select the type of detection server.

See “Registering a Classification Server” on page 70.

Verifying a Classification Server installation

After installing a server, verify that it is correctly installed before you register it.

See “Installing a Classification Server” on page 66.

To verify a Classification Server installation

1 If you selected the option Start Services, then confirm that the Vontu Monitor and Vontu Update services are running.

2 If the Symantec Data Loss Prevention services do not start, check log files for possible issues (for example, connectivity, password, or database access issues).

■ The Symantec Data Loss Prevention installation log is c:\SymantecDLP\.install4j\installation.log


■ Symantec Data Loss Prevention operational logs are in c:\SymantecDLP\Protect\logs
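The checks in this section and in “Verifying an Enforce Server installation” above can be run as one script. The PowerShell below is an added example, not part of the Symantec guide: run it with -Role Enforce on the Enforce Server or -Role Classification on the Classification Server. It assumes the guide's defaults (system account protect, Vontu Update as protect_update, c:\SymantecDLP, transport port 8100, the Oracle service names quoted above); the optional -ProbeHost value is a placeholder for a Classification Server you are about to register.

```powershell
# Added example, not from the Symantec guide: post-install checks for an
# Enforce Server (-Role Enforce) or a Classification Server (-Role Classification).
# Assumed defaults: system account "protect" (Vontu Update runs as "protect_update"),
# install directory c:\SymantecDLP, transport port 8100 and the Oracle service
# names quoted in the guide. -ProbeHost is a placeholder for a detection server host.
param(
    [Parameter(Mandatory=$true)][ValidateSet('Enforce', 'Classification')]
    [string]$Role,
    [string]$SystemAccount = 'protect',
    [string]$InstallDir    = 'c:\SymantecDLP',
    [int]   $TransportPort = 8100,
    # Optional: from the Enforce Server, probe a Classification Server before registering it.
    [string]$ProbeHost     = ''
)

$failures = New-Object System.Collections.Generic.List[string]
function Fail([string]$Message) { $script:failures.Add($Message); Write-Warning $Message }
function Pass([string]$Message) { Write-Host "OK   $Message" }

# A service must exist and be running; when $ExpectedAccount is given, its log-on
# account (StartName, e.g. ".\protect" or "DOMAIN\protect") must match that user.
function Test-DlpService([string]$Name, [string]$ExpectedAccount = '') {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { Fail "service '$Name' is not installed"; return }
    if ($svc.State -ne 'Running') { Fail "service '$Name' is $($svc.State), expected Running"; return }
    if ($ExpectedAccount) {
        $user = ($svc.StartName -split '\\')[-1]
        if ($user -ne $ExpectedAccount) {
            Fail "service '$Name' runs as '$($svc.StartName)', expected '$ExpectedAccount'"; return
        }
    }
    Pass "service '$Name' is running as $($svc.StartName)"
}

# The log locations the guide points to when services fail to start.
function Test-DlpLogs {
    foreach ($p in "$InstallDir\.install4j\installation.log", "$InstallDir\Protect\logs") {
        if (Test-Path $p) { Pass "log location present: $p" } else { Fail "log location missing: $p" }
    }
}

switch ($Role) {
    'Enforce' {
        # Oracle services must start automatically on reboot (two-tier: they are local;
        # three-tier: run this part on the Oracle host instead).
        foreach ($o in 'OracleOraDb11g_home1TNSListener', 'OracleServicePROTECT') {
            $svc = Get-WmiObject Win32_Service -Filter "Name='$o'"
            if (-not $svc) { Fail "Oracle service '$o' not found on this host" }
            elseif ($svc.StartMode -ne 'Auto') { Fail "Oracle service '$o' StartMode is $($svc.StartMode), expected Auto" }
            else { Pass "Oracle service '$o' starts automatically" }
        }
        # All Vontu services run as the system account except Vontu Update (<account>_update).
        foreach ($s in 'Vontu Manager', 'Vontu Incident Persister', 'Vontu Notifier', 'Vontu Monitor Controller') {
            Test-DlpService -Name $s -ExpectedAccount $SystemAccount
        }
        Test-DlpService -Name 'Vontu Update' -ExpectedAccount "${SystemAccount}_update"
        Test-DlpLogs
        if ($ProbeHost) {
            # Reachability of a detection server's transport port through any firewall in between.
            $client = New-Object System.Net.Sockets.TcpClient
            $ar = $client.BeginConnect($ProbeHost, $TransportPort, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne(3000) -and $client.Connected) {
                Pass "TCP connect to ${ProbeHost}:$TransportPort succeeded"
            } else {
                Fail "TCP connect to ${ProbeHost}:$TransportPort failed (service down or firewall blocks it)"
            }
            $client.Close()
        }
    }
    'Classification' {
        # The guide's check for a detection server: Vontu Monitor and Vontu Update are running.
        Test-DlpService -Name 'Vontu Monitor'
        Test-DlpService -Name 'Vontu Update'
        # The detection server must be listening on the transport port for the Enforce Server.
        $listeners = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners()
        if ($listeners | Where-Object { $_.Port -eq $TransportPort }) {
            Pass "a listener is bound to TCP port $TransportPort"
        } else {
            Fail "nothing is listening on TCP port $TransportPort (Vontu Monitor not up, or installed with a different port)"
        }
        Test-DlpLogs
    }
}

if ($failures.Count -gt 0) { Write-Host "$($failures.Count) check(s) failed"; exit 1 }
Write-Host 'All checks passed'
exit 0
```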

Registering a Classification Server

Before registering a server, you must install and verify the server software.

See “Installing a Classification Server” on page 66.

See “Verifying a Classification Server installation” on page 69.

After the detection server is installed, use the Enforce Server administration console to register the detection server as a Classification Server.

To register a Classification Server

1 Log on to the Enforce Server as Administrator.

2 Go to System > Servers > Overview.

The System Overview page appears.

3 Click Add Server.

4 Select Classification and click Next.

5 Enter the General information. This information defines how the server communicates with the Enforce Server.

■ In Name, enter a unique name for the detection server.

■ In Host, enter the detection server’s host name or IP address. (For a single-tier installation, click the Same as Enforce check box to autofill the host information.)

■ In Port, enter the port number the detection server uses to communicate with the Enforce Server. If you chose the default port when you installed the detection server, then enter 8100. However, if you changed the default port, then enter the same port number here (it can be any port higher than 1024).

The additional configuration options displayed on the Configure Server page vary according to the type of server you selected.

6 Specify the remaining configuration options as appropriate.

See the Symantec Data Loss Prevention Administration Guide for details on how to configure each type of server.

7 Click Save.

The Server Detail screen for that server appears.


8 If necessary, click Server Settings or other configuration tabs to specifyadditional configuration parameters.

9 If necessary, restart the server by clicking Recycle on the Server Detailscreen. Or you can start the Vontu services manually on the server itself.

10 To verify that the server was registered, return to the System Overview page.Verify that the detection server appears in the server list, and that the serverstatus is Running.

Also verify that the server type Classification appears in the Channels columnfor the server.

11 To verify the type of certificates that the server uses, select System>Servers> Alerts. Examine the list of alerts to determine the type certificates thatSymantec Data Loss Prevention servers use:

■ If servers use the built-in certificate, the Enforce Server shows a warning event with code 2709: Using built-in certificate.

■ If servers use unique, generated certificates, the Enforce Server shows an info event with code 2710: Using user generated certificate.

Configuring the Classification Server

You configure each Classification Server from its Configure Server screen.

Note: Your firewall policies must be configured to allow communication between the Enforce Server, the Classification Server, and all Enterprise Vault for Microsoft Exchange Servers.

To configure the Classification Server

1 In the Enforce Server administration console, go to the Overview screen (System > Servers > Overview).

2 Click the name of the server that you want to configure.

The Server Detail screen for the server appears.

3 Click Configure.

The Configure Server screen appears.

4 In the General section, specify the server name, host, and port that is used for communicating with the Enforce Server.


5 In the Classification section, specify the connection properties that the Data Classification for Enterprise Vault filter uses to communicate with the Classification Server. The options are as follows:

■ Maximum number of sessions: Enter the maximum number of concurrent sessions that the Classification Server accepts from Data Classification for Enterprise Vault filters. The default is 12. The maximum number of sessions that a Classification Server can support depends on the CPU and memory available to the server.

■ Session Timeout (in milliseconds): Enter the maximum number of milliseconds that a Data Classification for Enterprise Vault filter can remain idle before the Classification Server terminates the session. The default value is 30000 milliseconds.

■ Classification Service Port: Specify the port number on which the Classification Server accepts connections from Data Classification for Enterprise Vault filters. The default port is 10080.

Note: You must ensure that the Classification Server port is configured to accept incoming TCP traffic from all Enterprise Vault for Microsoft Exchange Servers.

6 Click Save.

7 Click Server Settings.

8 Locate the ContentExtraction.MaxContentSize setting in the list of settings.

9 The ContentExtraction.MaxContentSize setting specifies the maximum size of a message body or message attachment that the Classification Server inspects for classification. By default the maximum is set to 30 megabytes (30M). If you want to classify larger messages or attachments, increase the value. For example, enter 50M to inspect messages up to 50 megabytes.

10 Click Save.

11 Click Done.

About post-installation security configuration

Symantec Data Loss Prevention secures communications between all Symantec Data Loss Prevention servers. This task is accomplished by encrypting the transmitted data and requiring servers to authenticate with each other.

Although the Symantec Data Loss Prevention installation is secure, the connection between Data Loss Prevention and Enterprise Vault is not secure. You should manually secure the connection between the Enterprise Vault servers and the Data Loss Prevention servers.

See “About browser certificates” on page 74.

See “Symantec Data Loss Prevention directory and file exclusion from antivirus scans” on page 78.

See “Corporate firewall configuration” on page 79.

About server security and SSL/TLS certificates

Symantec Data Loss Prevention uses Secure Socket Layer/Transport Layer Security (SSL/TLS) to encrypt all data that is transmitted between servers. It also uses the SSL/TLS protocol for mutual authentication between servers. Servers implement authentication by the mandatory use of client and server-side certificates.

The Enforce Server administration console Web application enables users to view and manage incidents and policies and to configure Symantec Data Loss Prevention. You access this interface with a Web browser. The Enforce Server and browser communicate through a secure SSL/TLS connection. To ensure confidentiality, all communication between the Enforce Server and the browser is encrypted using a symmetric key. During connection initiation, the Enforce Server and the browser negotiate the encryption algorithm. The negotiation includes the algorithm, key size, and encoding, as well as the encryption key itself.

A "certificate" is a keystore file used with a keystore password. The terms "certificate" and "keystore file" are often used interchangeably. By default, all the connections between the Symantec Data Loss Prevention servers, and between the Enforce Server and the browser, use a self-signed certificate. This certificate is securely embedded inside the Symantec Data Loss Prevention software. By default, every Symantec Data Loss Prevention server at every customer installation uses this same certificate.

Although the existing default security meets stringent standards, Symantec provides the keytool and sslkeytool utilities to enhance your encryption security:

■ The keytool utility generates a new certificate to encrypt communication between your Web browser and the Enforce Server. This certificate is unique to your installation. See “About browser certificates” on page 74. See “Generating a unique browser certificate” on page 74.

■ The sslkeytool utility generates new SSL server certificates to secure communications between your Enforce Server and your detection servers. These certificates are unique to your installation. The new certificates replace the single default certificate that comes with all Symantec Data Loss Prevention installations. You store one certificate on the Enforce Server, and one certificate on each detection server in your installation.

Note: Symantec recommends that you create dedicated certificates for communication with your Symantec Data Loss Prevention servers. When you configure the Enforce Server to use a generated certificate, all detection servers in your installation must also use generated certificates. You cannot use the built-in certificate with some detection servers and generated certificates with other servers.

See “Configuring certificates for secure communication” in the Symantec Data Loss Prevention Installation Guide for Windows for information about generating and installing certificates.

About browser certificates

A Web browser using a secure connection (HTTPS) requires an SSL certificate. The SSL certificate can be self-signed or signed by a certificate authority. With a certificate, the user authenticates to other users and services, or to data integrity and authentication services, using digital signatures. It also enables users to cache the public keys (in the form of certificates) of their communicating peers. Because a certificate signed by a certificate authority is automatically trusted by browsers, the browser does not issue a warning when you connect to the Enforce Server administration console. With a self-signed certificate, the browser issues a warning and asks if you want to connect.

The default certificate installed with Symantec Data Loss Prevention is a standard, self-signed certificate. This certificate is embedded securely inside the Symantec Data Loss Prevention software. By default, all Symantec Data Loss Prevention installations at all customer sites use this same certificate. Symantec recommends that you replace the default certificate with a new, unique certificate for your organization’s installation. The new certificate can be either self-signed or signed by a certificate authority.

See “Generating a unique browser certificate” on page 74.

See “About server security and SSL/TLS certificates” on page 73.

Generating a unique browser certificate

By default, connections between the Enforce Server and the browser use a single, self-signed certificate. This certificate is embedded securely inside the Symantec Data Loss Prevention software.


The keytool utility manages keys and certificates. This utility enables users to administer their own public and private key pairs and associated certificates for use in self-authentication.

To generate a unique Enforce Server self-signed certificate for your installation

1 Collect the following information:

■ Common Name: The fully qualified DNS name of the Enforce Server. This must be the actual name of the server accessible by all the clients. For example, https://Server_name.

■ Organization Name: The name of your company or organization. For example, Acme, Inc.

■ Organizational unit: The name of your division, department, unit, etc. (Optional) For example, Engineering

■ City: The city, town, or area where you are located. For example, San Francisco

■ State: The name of your state, province, or region. For example, California or CA

■ Country: Your two-letter country code. For example, US

■ Expiration: The certificate expiration time in number of days. For example: 90

2 Stop all the Vontu services on the Enforce Server.

3 On the Enforce Server, go to the \Vontu\jre\bin directory.

The keytool software is located in this directory.

4 Use keytool to create the self-signed certificate (keystore file). This keystore file can also be used to obtain a certificate from a certificate authority.

From within the \bin directory, run the following command with the information collected earlier:

keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 ^
    -keystore .keystore -validity NNN -storepass protect ^
    -dname "CN=common_name, O=organization_name, OU=organization_unit, L=city, S=state, C=XX"

Where:


■ The -alias parameter specifies the name of this certificate key. This name is used to identify this certificate when running other keytool commands. The value for the -alias parameter must be tomcat.

■ The -keystore parameter specifies the name and location of the keystore file, which must be .keystore located in this directory. This is specified by using -keystore .keystore.

■ The -keyalg parameter specifies the algorithm to be used to generate the key pair. In this case, the algorithm to specify is RSA.

■ The -keysize parameter specifies the size of each key to be generated. For example, 1024.

■ The -validity parameter specifies the number of days the certificate is good for. For example, -validity 365 specifies that the certificate is good for 365 days (or one year). The number of days you choose to specify for the -validity parameter is up to you. If a certificate is used for longer than the number of days specified by -validity, the browser displays an "Expired" message when it accesses the Enforce Server administration console. The best practice is to replace an expired certificate with a new one.

■ The -storepass parameter specifies the password used to protect the integrity of the keystore. The value for the -storepass parameter must be protect.

■ The -dname parameter specifies the X.500 Distinguished Name to be associated with this alias. It is used as the issuer and subject fields in a self-signed certificate. The parameters that follow are the value of the -dname parameter.

■ The CN parameter specifies your name. For example, CN=linda wu

■ The O parameter specifies your organization's name. For example, O=Acme Inc.

■ The OU parameter specifies your organization's unit or division name. For example, OU=Engineering Department

■ The L parameter specifies your city. For example, L=San Francisco

■ The S parameter specifies your state or province. For example, S=California

■ The C parameter specifies the two-letter country code of your country. For example, C=US


■ If you are asked for a keypass password, hit Return to make the keypass password the same as the storepass password.

An updated .keystore file is generated.

5 (Optional) Rename or move the existing .keystore file from the \Protect\tomcat\conf directory.

6 Copy the updated .keystore file into the c:\Vontu\Protect\tomcat\conf directory.

7 Restart the Vontu services on the Enforce Server.
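The seven steps above collected into one script, as an added example that is not Symantec's code. It assumes the default paths shown on this page (C:\Vontu\jre\bin and C:\Vontu\Protect\tomcat\conf), that the Vontu services carry display names beginning with "Vontu", and that passing -keypass protect is an acceptable non-interactive equivalent of pressing Return at the keypass prompt; the key size defaults to 2048 rather than the 1024 in the page's command.

```powershell
# Added example (not Symantec's code): generate and install a unique Enforce Server
# browser certificate with keytool, following the numbered steps in this section.
# Assumed paths: C:\Vontu\jre\bin (keytool) and C:\Vontu\Protect\tomcat\conf (live keystore).
param(
    [Parameter(Mandatory = $true)] [string] $CommonName,    # FQDN of the Enforce Server
    [Parameter(Mandatory = $true)] [string] $Organization,
    [string] $OrgUnit = "",                                  # optional
    [Parameter(Mandatory = $true)] [string] $City,
    [Parameter(Mandatory = $true)] [string] $State,
    [Parameter(Mandatory = $true)] [string] $Country,       # two-letter code, e.g. US
    [int] $ValidityDays = 365,
    [int] $KeySize = 2048        # the page's example uses 1024; 2048 is the current minimum
)

$ErrorActionPreference = "Stop"
$jreBin    = "C:\Vontu\jre\bin"
$confDir   = "C:\Vontu\Protect\tomcat\conf"
$keytool   = Join-Path $jreBin "keytool.exe"
$newStore  = Join-Path $jreBin ".keystore"      # step 4 writes it here, next to keytool
$liveStore = Join-Path $confDir ".keystore"     # Tomcat reads this one

# Step 1: assemble the Distinguished Name from the collected values.
$dn = "CN=$CommonName, O=$Organization"
if ($OrgUnit) { $dn += ", OU=$OrgUnit" }
$dn += ", L=$City, S=$State, C=$Country"

# Step 2: stop the Vontu services (display names begin with "Vontu"; assumption).
$vontu = Get-Service -DisplayName "Vontu *"
$vontu | Stop-Service -Force

try {
    # Step 4: create the self-signed key pair. Alias "tomcat" and store password
    # "protect" are fixed by the product; -keypass protect replaces the Return at the prompt.
    if (Test-Path $newStore) { Remove-Item $newStore }
    & $keytool -genkey -alias tomcat -keyalg RSA -keysize $KeySize `
        -keystore $newStore -validity $ValidityDays `
        -storepass protect -keypass protect -dname $dn
    if ($LASTEXITCODE -ne 0) { throw "keytool -genkey failed with exit code $LASTEXITCODE" }

    # Show what was generated (subject, validity dates) before it goes live.
    & $keytool -list -v -keystore $newStore -storepass protect -alias tomcat

    # Step 5: keep the previous keystore so the change can be reverted.
    if (Test-Path $liveStore) {
        $stamp = Get-Date -Format "yyyyMMdd-HHmmss"
        Move-Item $liveStore (Join-Path $confDir ".keystore.bak-$stamp")
    }

    # Step 6: install the new keystore where Tomcat expects it.
    Copy-Item $newStore $liveStore
}
finally {
    # Step 7: bring the Vontu services back even if a step above failed,
    # in which case the old keystore is still in place.
    $vontu | Start-Service
}
```

Run it from an elevated PowerShell prompt on the Enforce Server; the backed-up keystore can be moved back over .keystore and the services restarted if the browser reports a problem with the new certificate.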

As an alternative to using a self-signed certificate, you can use a certificate issued by an internal or external certificate authority (CA). Consult your certificate authority for instructions on how to obtain a CA-signed certificate. Certificate authorities provide a root certificate and a signed certificate. When using certificates signed by a CA, they need to be imported into the Enforce Server using the following commands:

keytool -import -alias root -keystore .keystore -trustcacerts -file root_certificate

keytool -import -alias tomcat -keystore .keystore -trustcacerts -file signed_certificate

See “About server security and SSL/TLS certificates” on page 73.

Note: If you use SPC authentication and the CA certificate for the Enforce Server is updated after you register an SPC instance, you must re-register the SPC instance. If you register an SPC instance and you use a self-signed certificate for the Enforce Server, the Enforce Server automatically regenerates the certificate after the certificate expires.

About Symantec Data Loss Prevention and antivirus software

Symantec recommends installing antivirus software on your Symantec Data Loss Prevention servers. However, antivirus software may interpret Symantec Data Loss Prevention activity as virus-like behavior. Therefore, certain files and directories must be excluded from antivirus scans. These files and directories include the Symantec Data Loss Prevention and Oracle directories on your servers. If you do not have antivirus software installed on your Symantec Data Loss Prevention servers (not recommended), you can skip these antivirus-related post-installation tasks.

See “Symantec Data Loss Prevention directory and file exclusion from antivirus scans” on page 78.

See “Oracle directory and file exclusion from antivirus scans” on page 78.


Symantec Data Loss Prevention directory and file exclusion from antivirus scans

When the Symantec Data Loss Prevention application accesses files and directories, it can appear to antivirus software as if it were a virus. Therefore, you must exclude certain directories from antivirus scans on Symantec Data Loss Prevention servers.

Using your antivirus software, remove the following Enforce Server directories from antivirus scanning:

■ \Vontu\Protect\incidents

■ \Vontu\Protect\index

■ \Vontu\Protect\logs (with subdirectories)

■ \Vontu\Protect\temp (with subdirectories)

■ \Vontu\Protect\tomcat\temp

■ \Vontu\Protect\tomcat\work

Using your antivirus software, remove the following detection server directories from antivirus scanning:

■ \drop

■ \drop_pcap

■ \icap_spool

■ \packet_spool

■ \Vontu\Protect\incidents

■ \Vontu\Protect\index

■ \Vontu\Protect\logs (with subdirectories)

■ \Vontu\Protect\temp (with subdirectories)

Consult your antivirus software documentation for information on how to exclude directories and files from antivirus scans.

See “About Symantec Data Loss Prevention and antivirus software” on page 77.

See “Oracle directory and file exclusion from antivirus scans” on page 78.

Oracle directory and file exclusion from antivirus scans

When the Symantec Data Loss Prevention application accesses files and directories, it can appear to antivirus software as if it were a virus. Therefore, you must exclude certain directories from antivirus scans on Symantec Data Loss Prevention servers.


Using your antivirus software, exclude the following Oracle directories from antivirus scanning:

■ C:\app\Administrator\oradata\protect

■ C:\app\Administrator\product\11.2.0\dbhome_1

Most of the Oracle files to be excluded are located in these directories, but additional files are located in other directories. Use the Oracle Enterprise Manager (OEM) to check for additional files and exclude their directories from antivirus scanning. Use OEM to view the location of the following database files:

■ Data files, which have the file extension *.DBF

■ Control files, which have the file extension *.CTL

■ The REDO.LOG file

Exclude all the directories with these files from antivirus scanning.

See “About Symantec Data Loss Prevention and antivirus software” on page 77.

See “Symantec Data Loss Prevention directory and file exclusion from antivirus scans” on page 78.

Corporate firewall configuration

If the Enforce Server is installed inside your corporate LAN behind a firewall and your detection servers are installed in the DMZ, your corporate firewall settings need to:

■ Allow connections from the Enforce Server on the corporate network to the detection servers in the DMZ. Configure your firewall to accept connections on the port you entered when installing the detection servers. By default, the Enforce Server and the detection servers communicate over port 8100. You can configure the servers to use any port higher than 1024. Use the same port number for all your detection servers.

■ Allow Windows Remote Desktop Client connections (TCP port 3389). This feature can be useful for setup purposes.

■ Allow the Classification Server port to accept incoming TCP traffic from all Enterprise Vault for Microsoft Exchange Servers. By default, the Classification Server communicates over port 10080. See “Configuring the Classification Server” on page 71.

Symantec Data Loss Prevention servers communicate with the Enforce Server over a single port number. Port 8100 is the default, but you can configure Symantec Data Loss Prevention to use any port higher than 1024. Review your firewall settings and close any ports that are not required for communication between the Enforce Server and the detection servers.
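The three allowances above expressed as host firewall rules on a DMZ detection server that also acts as the Classification Server, as an added example that is not Symantec's code. It assumes Windows Firewall with Advanced Security (netsh advfirewall) is in use, and every address is a placeholder to be replaced with your own; the point it adds is that each rule is scoped to the peer that needs the port rather than to any source.

```powershell
# Added example (not Symantec's code): inbound rules for the DLP ports named in this
# section, limited to the hosts that need them. All addresses are placeholders.
$EnforceServer = "10.0.1.10"             # placeholder: Enforce Server on the corporate LAN
$EvServers     = "10.0.2.21,10.0.2.22"   # placeholder: Enterprise Vault servers, comma-separated
$AdminSubnet   = "10.0.9.0/24"           # placeholder: subnet administrators connect from
$DetectionPort = 8100                    # port entered when the detection server was installed
$ClassifyPort  = 10080                   # Classification Service Port on the Configure Server screen

# 8100: only the Enforce Server connects to a detection server, so only it is allowed in.
netsh advfirewall firewall add rule "name=DLP Enforce to detection server" dir=in action=allow `
    protocol=TCP "localport=$DetectionPort" "remoteip=$EnforceServer"

# 10080: only the Enterprise Vault servers running the Data Classification filter.
netsh advfirewall firewall add rule "name=DLP Enterprise Vault to Classification Server" dir=in action=allow `
    protocol=TCP "localport=$ClassifyPort" "remoteip=$EvServers"

# 3389: Remote Desktop for setup, limited to the administration subnet;
# disable this rule once setup is complete.
netsh advfirewall firewall add rule "name=Setup RDP from admin subnet" dir=in action=allow `
    protocol=TCP localport=3389 "remoteip=$AdminSubnet"

# Review: list every inbound rule's name, state, port and remote scope so that
# anything not required for Enforce-to-detection traffic can be closed.
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern "^Rule Name|^Enabled|^LocalPort|^RemoteIP"
```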

Windows security lockdown guidelines

You should complete a set of hardening procedures after you install or upgrade a Symantec Data Loss Prevention server. Adapt these guidelines to suit your organization’s standards for secure communications and hardening procedures.

The following Windows services must be running:

■ Alerter

■ COM+ Event System

■ DCOM Server Process Launcher

■ Defwatch for Symantec (may not always be present)

■ DNS Client

■ Event log

■ Interix Subsystem Startup (for UNIX Services for Windows for RAs)

■ IPSEC Services

■ Logical Disk Manager

■ Network connections

■ OracleOraDb11g_home1TNSListener or OracleOraDb10g_home1TNSListener. The service name is different if you use a non-default Oracle home directory.

■ OracleServicePROTECT (on the Enforce Server only)

■ Plug and play

■ Protected Storage

■ Remote procedure call (RPC)

■ Removable Storage

■ Security Accounts Manager

■ Server (required only for Enforce if EDMs are used)

■ Symantec AntiVirus

■ System Event Notification

■ Task Scheduler

■ TCP/IP NetBIOS Helper Service


■ Terminal Services

■ User Name Mapping (for UNIX Services for Windows for RAs)

■ Vontu Incident Persister (for Enforce Server only)

■ Vontu Manager (for Enforce Server only)

■ Vontu Monitor (for detection servers only)

■ Vontu Notifier (for Enforce Server only)

■ Vontu Update

■ Windows Management (Instrumentation)

■ Windows Management (Instrumentation Driver Extensions Workstation)

■ Windows Time (required if no alternative Enforce/detection server system clock synchronization is implemented)

■ Workstation (required for Alerter Service)

The following Windows services should be disabled:

■ Dist. File System

■ Dist. Link Tracking Client

■ Dist. Link Tracking Server

■ Dist. Transaction Coordinator

■ Error Reporting Service

■ Help & Support

■ Messenger

■ Print Spooler

■ Remote Registry

■ Wireless Config

Consult your Windows Server documentation for information on these services.
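A drift check over the two service lists above, as an added example that is not Symantec's code. It assumes it runs elevated on the server being checked; the abbreviated names in the lists ("Dist.", "Help & Support", "Wireless Config") are expanded to their usual Windows display names, wildcards cover the names the page says vary (the Oracle listener, the WMI services), and the Interix and User Name Mapping entries for RAs are left out.

```powershell
# Added example (not Symantec's code): report services that are not in the state the
# lockdown lists require. Win32_Service is used because it exposes StartMode on every
# Windows version. Expanded display names are assumptions where the page abbreviates.
param([ValidateSet("Enforce", "Detection")] [string] $Role = "Enforce")

$common = @(
    "Alerter", "COM+ Event System", "DCOM Server Process Launcher", "DNS Client",
    "Event Log", "IPSEC Services", "Logical Disk Manager", "Network Connections",
    "OracleOraDb*TNSListener", "Plug and Play", "Protected Storage",
    "Remote Procedure Call (RPC)", "Removable Storage", "Security Accounts Manager",
    "Symantec AntiVirus", "System Event Notification", "Task Scheduler",
    "TCP/IP NetBIOS Helper*", "Terminal Services", "Vontu Update",
    "Windows Management Instrumentation*", "Windows Time", "Workstation"
)
$enforceOnly   = @("OracleServicePROTECT", "Vontu Incident Persister", "Vontu Manager", "Vontu Notifier")
$detectionOnly = @("Vontu Monitor")
$mustRun = $common + $(if ($Role -eq "Enforce") { $enforceOnly } else { $detectionOnly })

$mustBeDisabled = @(
    "Distributed File System", "Distributed Link Tracking Client",
    "Distributed Link Tracking Server", "Distributed Transaction Coordinator",
    "Error Reporting Service", "Help and Support", "Messenger", "Print Spooler",
    "Remote Registry", "Wireless Configuration"
)

function Get-ServiceDrift {
    param([string[]] $MustRun, [string[]] $MustBeDisabled)
    $all = Get-WmiObject -Class Win32_Service

    # Required services: must exist and be running; report a missing one as drift too,
    # because a required service that is not installed cannot be protecting anything.
    foreach ($pattern in $MustRun) {
        $found = @($all | Where-Object { $_.DisplayName -like $pattern })
        if ($found.Count -eq 0) {
            New-Object PSObject -Property @{ Service = $pattern; Expected = "Running"; Actual = "not installed"; Ok = $false }
            continue
        }
        foreach ($s in $found) {
            New-Object PSObject -Property @{
                Service  = $s.DisplayName
                Expected = "Running"
                Actual   = "$($s.State), start mode $($s.StartMode)"
                Ok       = ($s.State -eq "Running")
            }
        }
    }

    # Services to disable: a stopped-but-Manual service is still drift, since it can be started.
    foreach ($pattern in $MustBeDisabled) {
        foreach ($s in ($all | Where-Object { $_.DisplayName -like $pattern })) {
            New-Object PSObject -Property @{
                Service  = $s.DisplayName
                Expected = "Disabled"
                Actual   = "$($s.State), start mode $($s.StartMode)"
                Ok       = ($s.StartMode -eq "Disabled" -and $s.State -ne "Running")
            }
        }
    }
}

$drift = @(Get-ServiceDrift -MustRun $mustRun -MustBeDisabled $mustBeDisabled | Where-Object { -not $_.Ok })
if ($drift.Count -eq 0) {
    "All listed services are in the expected state for a $Role server."
} else {
    $drift | Format-Table Service, Expected, Actual -AutoSize
    exit 1      # non-zero so a scheduled run can raise an alert
}
```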

Windows Administrative security settings

The following tables provide recommended administrative settings available on a Microsoft Windows system for additional security hardening.

Consult your Windows Server documentation for information on these settings.

The following Local Policy settings are described in the following tables:

■ Table 4-4 lists the Account Lockout Policy settings.

■ Table 4-5 lists the Password Policy settings.

■ Table 4-6 lists the local Audit Policy settings.

■ Table 4-7 lists the User Rights Assignment settings.

■ Table 4-8 lists the Security Options settings.

Table 4-4 Security settings > Account Policies > Account Lockout Policy

| Policy | Recommended security setting |
|---|---|
| Account lockout duration | 0 |
| Account lockout threshold | 3 invalid logon attempts |
| Reset account lockout counter after | 15 minutes |

Table 4-5 Security settings > Account Policies > Password Policy

| Password policy | Recommended security setting |
|---|---|
| Enforce password history | 24 passwords remembered |
| Maximum password age | 60 days |
| Minimum password age | 2 days |
| Minimum password length | 10 characters |
| Password must meet complexity requirements | Enabled |
| Store passwords using reversible encryption | Disabled |

Table 4-6 Security settings > Local Policies > Audit Policy

| Local audit | Recommended security setting |
|---|---|
| Audit account logon events | Success, Failure |
| Audit account management | Success, Failure |
| Audit directory service access | Success, Failure |
| Audit logon events | Success, Failure |
| Audit object access | Success, Failure |
| Audit policy change | Success, Failure |
| Audit privilege use | Success, Failure |
| Audit process tracking | No auditing |
| Audit system events | Success, Failure |

Table 4-7 Security settings > Local Policies > User rights assignment

| User rights assignment | Recommended security setting |
|---|---|
| Access this computer from the network | Everyone, Administrators, Users, Power Users, Backup Operators |
| Act as part of the operating system | |
| Add workstations to domain | |
| Adjust memory quotas for a process | LOCAL SERVICE, NETWORK SERVICE, Administrators |
| Allow log on locally | Administrators, Users, Power Users, Backup Operators |
| Allow log on through Services | Administrators, Remote Desktop Users |
| Back up files and directories | Administrators, Backup Operators |
| Bypass traverse checking | Everyone, Administrators, Users, Power Users, Backup Operators |
| Change the system time | Administrators, Power Users |
| Create a page file | Administrators |
| Create a token object | |
| Create global objects | Administrators, SERVICE |
| Create permanent shared objects | |
| Debug programs | Administrators |
| Deny access to this computer from the network | |
| Deny log on as a batch job | |
| Deny log on as a service | |
| Deny log on locally | |
| Deny log on through Remote Desktop Services | |
| Enable computer and user accounts to be trusted for delegation | |
| Force shutdown from a remote system | Administrators |
| Generate security audits | LOCAL SERVICE, NETWORK SERVICE |
| Impersonate a client after authentication | Administrators, SERVICE |
| Increase scheduling priority | Administrators |
| Load and unload device drivers | Administrators |
| Lock pages in memory | |
| Log on as a batch job | LOCAL SERVICE |
| Log on as a service | NETWORK SERVICE |
| Manage auditing and security log | Administrators |
| Modify firmware environment values | Administrators |
| Perform volume maintenance tasks | Administrators |
| Profile single process | Administrators, Power Users |
| Profile system performance | Administrators |
| Remove computer from docking station | Administrators, Power Users |
| Replace a process level token | LOCAL SERVICE, NETWORK SERVICE |
| Restore files and directories | Administrators, Backup Operators |
| Shut down the system | Administrators, Power Users, Backup Operators |
| Synchronize directory service data | |
| Take ownership of files or other objects | Administrators |

Table 4-8 Security settings > Local Policies > Security options

| Security options | Recommended security setting |
|---|---|
| Accounts: Administrator account status | Enabled |
| Accounts: Guest account status | Disabled |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled |
| Accounts: Rename administrator account | protectdemo |
| Accounts: Rename guest account | Guest |
| Audit: Audit the access of global system objects | Disabled |
| Audit: Audit the use of Backup and Restore privilege | Disabled |
| Audit: Shut down system immediately if unable to log security audits | Disabled |
| Devices: Allow undock without having to log on | Enabled |
| Devices: Allowed to format and eject removable media | Administrators |
| Devices: Prevent users from installing printer drivers | Enabled |
| Devices: Restrict CD-ROM access to locally logged-on user only | Enabled |
| Devices: Restrict floppy access to locally logged-on user only | Enabled |
| Devices: Unsigned driver installation behavior | Do not allow installation |
| Domain controller: Allow server operators to schedule tasks | Enabled |
| Domain controller: LDAP machine signing requirements | Not Defined |
| Domain controller: Refuse machine account password changes | Not Defined |
| Domain member: Digitally encrypt or sign secure channel data (always) | Enabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Enabled |
| Domain member: Disable server account password changes | Disabled |
| Domain member: Maximum server account password age | 30 days |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled |
| Interactive logon: Do not display last user name | Enabled |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled |
| Interactive logon: Message text for users attempting to log on | |
| Interactive logon: Message title for users attempting to log on | Not Defined |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons |
| Interactive logon: Prompt user to change password before expiration | 14 days |
| Interactive logon: Require domain controller authentication to unlock workstation | Disabled |
| Interactive logon: Require smart card | Disabled |
| Interactive logon: Smart card removal behavior | Force Logoff |
| Microsoft network client: Digitally sign communications (always) | Enabled |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes |
| Microsoft network server: Digitally sign communications (always) | Enabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Enabled |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled |
| Network access: Allow anonymous SID/Name translation | Disabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Disabled |
| Network access: Do not allow storage of credentials or passwords for network authentication | Disabled |
| Network access: Let Everyone permissions apply to anonymous users | Disabled |
| Network access: Named Pipes that can be accessed anonymously | COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr |
| Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion |
| Network access: Remotely accessible registry paths and sub-paths | System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog |


Chapter 5 Configuring the Data Classification Filter

This chapter includes the following topics:

■ Configuring the Data Classification Filter

■ Guidelines on specifying Classification Servers in the registry file

Configuring the Data Classification Filter

Enterprise Vault Data Classification Services comes with a registry file, DataClassificationServicesx64.reg, with which you can quickly configure the registry settings for the Data Classification Filter.

By editing the file and importing its contents into the registry of each Enterprise Vault server, you can enable the Data Classification Filter on that server.

To configure the Data Classification Filter

1 Locate the registry file in the Enterprise Vault installation folder (typically, C:\Program Files (x86)\Enterprise Vault).

2 Open the registry file in a text editor such as Windows Notepad.

3 Remove the semicolon (;) from the start of any line that you want to uncomment.

4 Modify each line as necessary. Note the following points:

■ If you have enabled multiple filters of various types, the number with which you associate the Data Classification Filter determines the order in which Enterprise Vault applies it. So, in the following example, Enterprise Vault applies the Data Classification Filter before it applies any other filter:


"1"="EnterpriseVault.DataClassificationFilter"

If you have previously added other filters, ensure that their numbers are consecutive and that none shares the same number as the Data Classification Filter. The Journaling Connector for Compliance Accelerator must have the last number in the sequence. For more information, see the "Configuring filtering" and "Configuring custom properties" chapters of the Setting up Exchange Server Archiving manual. See also the following article on the Symantec Enterprise Support site: http://www.symantec.com/docs/TECH51254

■ The MoveOnFilterFailure lines control whether Enterprise Vault moves messages to the Failed External Filter mailbox folder when the Data Classification Filter cannot process them. Enterprise Vault creates this folder automatically in the appropriate journal mailbox or user mailbox. For more information on the Failed External Filter folder and other Failed... mailbox folders, see the Setting up Exchange Server Archiving manual and the following article on the Symantec Enterprise Support site: http://www.symantec.com/docs/TECH55742

■ In the following line, you must replace the dcsurl string with the name or IP address of a Classification Server:

"1"="http://dcsurl:10080/classification/classify"

For example:

"1"="http://dcs.symantec.com:10080/classification/classify"

For high availability and load balancing, you can add more Classification Servers by specifying them in the same form. Ensure that the numbers of the registry subkeys are consecutive. For example, you might specify the names of three Classification Servers as follows:

You must observe a number of guidelines when you specify the required Classification Servers in the registry file.


See “Guidelines on specifying Classification Servers in the registry file” on page 92.

5 If you want to set any of the miscellaneous configuration options to a value other than the default value (shown below), uncomment the appropriate line and set its value as required. Note that all these options take hexadecimal values and that the values shown in the .reg file are not the defaults.

■ ShutdownThresholdMinutes

If Data Classification Services cannot classify a message for a period longer than this setting, the filter instructs the Enterprise Vault Exchange Agent to shut down. (The task controller restarts the agent a number of times before finally failing the archiving task. This lets you remedy the situation without having to restart all the Enterprise Vault agents.) The default shutdown threshold is 15 minutes.

■ WarningThresholdSeconds

If Data Classification Services cannot classify a message for a period longer than this setting, it logs a warning in the event log to show the status of the servers. The default is 60 seconds.

■ EnableTestModeLog

You can configure the Classification Server so that, instead of affecting the archiving process, policies show what would take place if they were used. Then you can check that you have configured the policies correctly. On the Classification Server, policies that match in test mode generate some incidents that you can view in the incident report. On the Enterprise Vault server, setting EnableTestModeLog to 1 creates a log file for each agent. The log files are under the Enterprise Vault\Reports\DataClassificationServices folder. Each log file contains the details of any messages that at least one policy in test mode has classified and matched. All policies that match for the message are listed, and not just the ones that are in test mode.

See “Enabling classification test mode” on page 110.

■ MessageTimeoutSeconds

This option lets you specify the number of seconds before the filter gives up waiting for Data Classification Services to classify a message. The default is 300 seconds.

Caution: If you set too low a value for this option, Data Classification Services may never classify some messages. Make sure that you specify a higher value for the ShutdownThresholdMinutes option than for MessageTimeoutSeconds.


6 Save and close the registry file.

On a Windows Server 2008 R2 computer, you require elevated permissions to create or modify files in the Program Files folder. If you cannot save the registry file in its current location, save it to the Windows desktop or any folder where you have write access.

7 In Windows Explorer, double-click the file to import its contents into the registry.

8 Restart the Journaling tasks or Exchange mailbox tasks as necessary.

The following message is sent to the Enterprise Vault event log when the tasks start:

EventID = 45329

Description = External Filter

'EnterpriseVault.DataClassificationFilter' initialising...

Note: Restart the Journaling tasks or Exchange mailbox tasks each time that you add, remove, or modify a Classification Server entry in the registry file.
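
As an added example that is not part of the Symantec guide or product, the following Python script runs pre-import checks on an edited DataClassificationServicesx64.reg against the rules in the procedure above: consecutive filter numbers, exactly one Data Classification Filter entry, consecutive Classification Server subkeys, http:// URLs only, no double-byte characters, the dcsurl placeholder replaced, and ShutdownThresholdMinutes above MessageTimeoutSeconds. The guide does not reproduce the file's registry key names, so the three key paths and the sample .reg content are constructed placeholders.

```python
import re
from typing import Dict, Iterable, List, Tuple

# The guide does not reproduce the .reg file's key names: these key paths and the
# sample file are constructed PLACEHOLDERS; substitute the keys from your own file.
FILTERS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\PLACEHOLDER\ExternalFilters"
SERVERS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\PLACEHOLDER\ClassificationServers"
SETTINGS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\PLACEHOLDER\ClassificationSettings"

SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[{FILTERS_KEY}]
"1"="EnterpriseVault.DataClassificationFilter"

[{SERVERS_KEY}]
"1"="http://dcs1.example.com:10080/classification/classify"
"2"="http://192.0.2.20:10080/classification/classify"
;"3"="http://dcsurl:10080/classification/classify"

[{SETTINGS_KEY}]
; hexadecimal DWORDs: 0xf = 15 minutes, 0x12c = 300 seconds
"ShutdownThresholdMinutes"=dword:0000000f
"MessageTimeoutSeconds"=dword:0000012c
"""

Entry = Tuple[str, str, bool]  # (value name, raw data, commented out with ';')
DCS_FILTER = "EnterpriseVault.DataClassificationFilter"
URL_RE = re.compile(r"^http://([^/:]+):10080/classification/classify$")
VALUE_RE = re.compile(r'^(;?)\s*"([^"]+)"=(.*)$')

def parse_reg(text: str) -> Dict[str, List[Entry]]:
    """Parse a .reg export into {key path: [(name, data, commented), ...]}."""
    # ';'-commented value lines are kept and flagged: the guide's workflow is to uncomment them.
    sections: Dict[str, List[Entry]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(2), m.group(3), m.group(1) == ";"))
    return sections

def reg_string(data: str) -> str:
    """Unquote REG_SZ data ("..."); other value types are returned unchanged."""
    return data[1:-1] if len(data) >= 2 and data[0] == data[-1] == '"' else data

def reg_dword(data: str) -> int:
    """Decode dword:XXXXXXXX data; the guide notes these options are hexadecimal."""
    if not data.lower().startswith("dword:"):
        raise ValueError(f"not a DWORD: {data}")
    return int(data.split(":", 1)[1], 16)

def active_numbered(entries: Iterable[Entry]) -> Dict[int, str]:
    """Uncommented entries named "1", "2", ... mapped to their string data."""
    return {int(n): reg_string(d) for n, d, commented in entries
            if not commented and n.isdigit()}

def check_consecutive(numbers: Iterable[int], what: str) -> List[str]:
    """Filter and server numbers must run 1, 2, 3, ... with no gaps or duplicates."""
    nums = sorted(numbers)
    return [] if nums == list(range(1, len(nums) + 1)) else [
        f"{what}: numbers {nums} are not consecutive from 1"]

def check_reg(text: str, filters_key: str = FILTERS_KEY, servers_key: str = SERVERS_KEY,
              settings_key: str = SETTINGS_KEY) -> List[str]:
    """Return the findings for a .reg file; an empty list means it passes."""
    findings: List[str] = []
    sections = parse_reg(text)
    filters = active_numbered(sections.get(filters_key, []))
    findings += check_consecutive(filters, "filters")
    if list(filters.values()).count(DCS_FILTER) != 1:
        findings.append("filters: Data Classification Filter must appear exactly once")
    servers = active_numbered(sections.get(servers_key, []))
    if not servers:
        findings.append("servers: no Classification Server line is uncommented")
    findings += check_consecutive(servers, "servers")
    for n, url in sorted(servers.items()):
        m = URL_RE.match(url)
        if not url.isascii():  # the guide forbids double-byte characters
            findings.append(f'servers: "{n}" contains non-ASCII characters')
        elif url.lower().startswith("https://"):  # the filter cannot use HTTPS
            findings.append(f'servers: "{n}" uses https://, which is not supported')
        elif m is None:
            findings.append(f'servers: "{n}" is not http://<server>:10080/classification/classify')
        elif m.group(1) == "dcsurl":
            findings.append(f'servers: "{n}" still contains the dcsurl placeholder')
    settings = {n: d for n, d, commented in sections.get(settings_key, []) if not commented}
    if "ShutdownThresholdMinutes" in settings and "MessageTimeoutSeconds" in settings:
        # Compared in seconds: the shutdown threshold must exceed the per-message timeout.
        shutdown_s = reg_dword(settings["ShutdownThresholdMinutes"]) * 60
        timeout_s = reg_dword(settings["MessageTimeoutSeconds"])
        if shutdown_s <= timeout_s:
            findings.append("settings: ShutdownThresholdMinutes must exceed MessageTimeoutSeconds")
    return findings
```

Run check_reg on the text of your edited file before double-clicking it in step 7; a non-empty list names the line group to fix.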

Guidelines on specifying Classification Servers in the registry file

Observe the following guidelines when you specify the URLs of the required Classification Servers in the registry file:

■ Enterprise Vault and Data Classification Services cannot communicate with each other over a secure (HTTPS) connection. Therefore, you must only specify URLs that begin with "http://" in the registry file.

Caution: As the connections between Enterprise Vault and Data Classification Services are insecure, you may want to take additional measures to protect your sensitive data.

See “About post-installation security configuration” on page 72.

■ If a Classification Server is part of a workgroup, you must specify the IP address of the server in the dcsurl string; you cannot specify its fully-qualified domain name. However, if the Classification Server is part of a domain, you can specify its IP address or its fully-qualified domain name.


■ The URLs must not contain double-byte characters.


Chapter 6 Creating classification policies

This chapter includes the following topics:

■ About the installed classification policies

■ Creating a classification policy from a template

■ Adding a new policy or policy template

■ Configuring policies

About the installed classification policies

The Data Classification for Enterprise Vault Solution Pack installs all of the initial policies, roles, reports, and incident statuses that you can use. The Solution Pack also installs an automated response rule named Classify Enterprise Vault Content that defines the Classification: Classify Enterprise Vault Content action. Each of the installed Solution Pack policies uses this rule, and you can modify and use the response rule in your own custom policies.

By default, all of the classification policies that the Solution Pack installs are inactive and are configured to operate in test mode. The Solution Pack places all policies in a new policy group named “Data_Classification_EV_v11.6.” Table 6-1 describes the installed policies.

Table 6-1 Classification policies installed with the Solution Pack

Policy name | Policy description
Anti-money laundering | Detects discussions and documents about irregular financial transactions.


Table 6-1 Classification policies installed with the Solution Pack (continued)

Policy name | Policy description
Attorney-Client Privilege | Detects documents and email messages that exhibit the first doctrine of Attorney-Client relations.
Attorney-Client Privilege (Secondary) | Detects documents and email messages that exhibit the second doctrine of Attorney-Client relations.
Auto-generated Messages | Detects system replies, such as out of office messages.
Auto-generated news, feeds, & research (known providers) | Detects messages from known news and research provider email domains.
Auto-generated news, feeds, research | Detects messages from news providers and feeds using common keywords.
Compensation Discussions | Detects common keyword identifiers that are found in compensation discussions between employees and human resources or management.
Email Containers (attachments) | Detects attached email containers.
Faxes (attachments) | Detects fax attachments.
Legal Documents (attachments) | Detects legal documents.
Personal email domains | Detects email that is sent from or sent to known personal email and Web mail domains.
Productivity Documents (attachments) | Detects common office file types.
Solicitations - Charities | Detects charitable solicitations.
Solicitations - Political | Detects political solicitations and donations.
Solicitations - Private Investment | Detects solicitations for venture or private investments.

You can use the installed policies as-is or modify them to create your own classification policies. Keep in mind that if you modify or delete an installed Solution Pack policy, you cannot recover the original policy by reinstalling the Solution Pack. If you want to preserve the original policies, export the installed policies to create duplicate policy templates and create your own custom policies.


See “Exporting policy detection as a template” on page 97.

Exporting policy detection as a template

You can export policy detection rules and exceptions in a template (XML file). You cannot export policy response rules. You can only export one policy template at a time.

To export a policy as a template

1 Log on to the Enforce Server administration console with administrator privileges.

2 Navigate to the Manage > Policies > Policy List > Configure Policy screen for the policy you want to export.

3 At the bottom of the Configure Policy screen, click the Export this policy as a template link.

4 Save the policy to a local or network destination of your choice.

For example, the system exports a policy named Webmail to the policy template file Webmail.xml, which you can save to your local drive.

Importing Symantec Enterprise Vault Data Classification Services policy templates

The Data Classification Services policy template .zip file contains the templates that you would find in the Symantec Enterprise Vault Data Classification Services solution pack. Only import the Data Classification Services policy template if you have already installed a different solution pack than the Data Classification Services solution pack.

See “Implementing Data Classification Services in a non-Data Loss Prevention environment” on page 19.

You must have policy system privileges to import policy templates.

To import the Symantec Enterprise Vault Data Classification Services policy template to the Enforce Server

1 Download the Symantec_DLP_11.6_DCS_Policy_Templates-IN.zip file from the FileConnect page to the local drive of your Enforce Server.

2 Unzip the file and place the policy template XML file(s) in the \Vontu\Protect\config\templates directory on the Enforce Server host.

You can import multiple policies by placing them all in the templates directory.


3 Make sure that the directory and file(s) are readable by the "protect" system user.

4 Log on to the Enforce Server administration console with policy authoring privileges.

5 Navigate to Manage > Policies > Policy List and click Add Policy.

6 Choose the option Add a policy from a template and click Next.

7 Scroll down to the bottom of the template list to the Imported Templates section.

You should see an entry for each XML file you placed in the templates directory.

8 Select the imported policy template and click Next to configure it.

See “Configuring policies” on page 102.

Creating a classification policy from a template

You can create a policy from a system-provided template or from a template you import to the Enforce Server.

Table 6-2 Create a classification policy from a template

Step 1: Add a policy from a template.
    See “Adding a new policy or policy template” on page 101.

Step 2: Choose the template you want to use.
    At the Manage > Policies > Policy List > New Policy - Template List screen the system lists all policy templates.
    System-provided template categories:
    ■ See “Acceptable Use Enforcement policy templates” on page 121.
    ■ See “Confidential or Classified Data Protection policy templates” on page 132.
    ■ See “Customer and Employee Data Protection policy templates” on page 142.
    ■ See “UK and International Regulatory Enforcement policy templates” on page 152.
    ■ See “US Regulatory Enforcement policy templates” on page 159.
    Imported Templates appear individually after import.


Table 6-2 Create a classification policy from a template (continued)

Step 3: Click Next to configure the policy.
    For example, select the Attorney-Client Privilege policy template and click Next.

Step 4: Choose a Data Profile (if prompted).
    If the template relies on one or more Data Profiles, the system prompts you to select each:
    ■ Exact Data Profile
    ■ Indexed Document Profile
    If you do not have a Data Profile, you can either:
    ■ Cancel the policy definition process, define the profile, and resume creating the policy from the template.
    ■ Click Next to configure the policy. On creation of the policy, the system drops any rules or exceptions that rely on the Data Profile.
    Note: You should use a profile if a template calls for it.
    Note: Some policies are more effective with EDM or IDM rules, for which you require a suitable Exact Data Profile or Indexed Document Profile. One example is the Anti-money Laundering policy. You must add an Exact Data Profile manually to the Anti-money Laundering policy.
    See the Symantec Data Loss Prevention Administration Guide for more information about EDM and IDM profiles and how to create them.


Table 6-2 Create a classification policy from a template (continued)

Step 5: Edit the policy name or description (optional).
    If you intend to modify a system-defined template, you may want to change the name so you can distinguish it from the original.
    The Classification Server uses the name of the policy as the classification tag for the policies that trigger the Classify Enterprise Vault Content action. If the policy name contains a space, you must enclose the name in quotes in the value field when searching for the tag in Enterprise Vault for Microsoft Exchange.
    See “Configuring the Classify Enterprise Vault Content action” on page 103.
    Note: If you want to export the policy as a template, the policy name must be less than 60 characters. If it is more, the template does not appear in the Imported Templates section of the Template List screen.

Step 6: Select a policy group (if necessary).
    If you have defined a policy group, select the correct group name from the Policy Group list.
    If you have not defined a policy group, the system deploys the policy to the Default Policy Group.

Step 7: Configure the Policy Actions settings (test mode).
    Configure the policy actions to specify whether or not Enterprise Vault should take action as directed by Classification responses.
    See “Enabling classification test mode” on page 110.

Step 8: Edit the policy rules or exceptions (if necessary).
    The Configure Policy screen displays the rules and exceptions (if any) provided by the policy.
    You can modify, add, and remove policy rules and exceptions to meet your requirements.
    See “Configuring the Message/Email Properties and Attributes condition” on page 108.


Table 6-2 Create a classification policy from a template (continued)

Step 9: Save the policy and export it (optional).
    Click Save to save the policy.
    You can export policy detection as a template for sharing or archiving.
    See “Exporting policy detection as a template” on page 97.
    For example, if you changed the configuration of a system-defined policy template, you may want to export it for sharing across environments.

Step 10: Test and tune the policy (recommended).
    If you enabled test mode for the policy, tune the policy using sample data that the policy should and should not detect.
    Review the incidents that the policy generates in the Incidents > Classification page. Then, refine the policy rules and exceptions as necessary to reduce false positives and false negatives.
    See “Enabling classification test mode” on page 110.

Step 11: Add response rules.
    Add a response rule to classify Exchange messages. The Classify Enterprise Vault Content action is required to classify messages and return a classification tag to Enterprise Vault for Microsoft Exchange.
    See “Configuring the Classify Enterprise Vault Content action” on page 103.

Adding a new policy or policy template

As a policy author you can define a new policy from scratch or from a template.

To add a new policy or a policy template

1 Click Add Policy at the Manage > Policies > Policy List screen.

2 Choose the type of policy you want to add at the New Policy screen.

Select Add a blank policy to add a new empty policy.

Select Add a policy from a template to add a policy from a template.

3 Click Next to configure the policy or the policy template.

Click Cancel to not add a policy and return to the Policy List screen.


Configuring policies

The Manage > Policies > Policy List > Configure Policy screen is the home page for configuring policies.

Table 6-3 Configuring policies

Action: Define a new policy, or edit an existing policy.
    Add a new blank policy.
    See “Adding a new policy or policy template” on page 101.
    Create a policy from a template.
    Select an existing policy at the Manage > Policies > Policy List screen to edit it.

Action: Enter a policy Name and Description.
    The policy name must be unique in the policy group you deploy the policy to.
    The Classification Server uses the name of the policy as the classification tag for the policies that trigger the Classify Enterprise Vault Content action. If the policy name contains a space, you must enclose the name in quotes in the value field when searching for the tag in Enterprise Vault for Microsoft Exchange.
    See “Configuring the Classify Enterprise Vault Content action” on page 103.
    To import a policy as a template, the policy name must be less than 60 characters; otherwise it does not appear in the Imported Templates list.

Action: Select the Policy Group from the list where the policy is to be deployed.
    The Default Policy Group is selected if there is no policy group configured.

Action: Set the Status for the policy.
    You can enable (default setting) or disable a policy. A disabled policy is deployed but does not classify messages.

Action: Configure the Policy Actions settings (test mode).
    Configure the policy actions to specify whether or not Enterprise Vault should take action as directed by Classification responses.
    See “Enabling classification test mode” on page 110.


Table 6-3 Configuring policies (continued)

Action: Add a rule to the policy, or edit an existing rule.
    Click Add Rule to add a rule.
    See “Configuring the Message/Email Properties and Attributes condition” on page 108.
    Select an existing rule to edit it.

Action: Configure the rule with one or more conditions.
    For a valid policy, you must configure at least one rule that declares at least one condition. Compound conditions and exceptions are optional.

Action: Configure any exception(s).
    Click Add Exception to add it.
    Select an existing exception to edit it.
    Optionally, add one or more policy exceptions, or edit an existing exception.

Action: Save the policy configuration.
    Click Save to save the policy configuration to the Enforce Server database.

Action: Export the policy as a template (optional).
    Optionally, you can export the policy rules and exceptions as a template.
    See “Exporting policy detection as a template” on page 97.

Action: Add a response rule to the policy that uses the Classify Enterprise Vault Content action.
    You configure response rules independent of policies. To classify Exchange messages, you must use the Classify Enterprise Vault Content action.
    See “Configuring the Classify Enterprise Vault Content action” on page 103.

Configuring the Classify Enterprise Vault Content action

The Classification: Classify Enterprise Vault Content response rule defines the classification result tags that the Classification Server generates for an Exchange message that matches a detection policy. The Classification Server delivers the retention category and classification tag to the Data Classification for Enterprise Vault filter that posted the Exchange message for detection. The classification tag always corresponds to the name of the policy that triggers the response rule action.


Symantec Enterprise Vault for Microsoft Exchange can then use the retention category and classification tag to perform archiving, delete messages, or flag the message for compliance reviews or E-Discovery searches.

To configure the Classify Enterprise Vault Content response rule action

1 Configure a response rule at the Configure Response Rule screen (Manage > Response Rules).

2 Add the Classification: Classify Enterprise Vault Content action type from the Actions list.

3 Configure the parameters to classify the Enterprise Vault message.

See Table 6-4 on page 104.

4 Click Save to save the configuration.

Table 6-4 Classification: Classify Enterprise Vault Content parameters

Parameter: Archive and classify message
    Select this option to indicate that Symantec Enterprise Vault should archive the message that matched the detection rule. If you select this option, also use the Assign retention category menu to specify the retention category that Enterprise Vault assigns.


Table 6-4 Classification: Classify Enterprise Vault Content parameters (continued)

Parameter: Assign retention category
    The Assign retention category menu lists all of the retention categories that you have configured for use with the Data Classification for Enterprise Vault solution. If you configure the response rule to archive a message, also select the appropriate retention category from this menu.
    You should configure the retention category names in this menu to match those categories that are available on Enterprise Vault servers.
    See “Configuring the retention categories that are available for classification” on page 106.
    If you select Do not override retention category, the Classification Server communicates to Enterprise Vault that no retention category has been assigned. Enterprise Vault uses the retention category that is already available with the message and applies it during the archiving process.
    When you configure a response rule, if you do not select the classification type of response rule, then Enterprise Vault cannot receive any response from the Symantec Enterprise Vault Data Classification Services. Enterprise Vault applies the retention category that is already available on the message. If the associated policy was running in test mode, the incident is created, but Enterprise Vault does not receive any response from the Classification Server. Not even test mode logs on Enterprise Vault are updated.

Parameter: Compliance review
    If you configure the response rule to archive the message, you can also select Prioritize messages for compliance review to prioritize the message for review. The Discovery Accelerator and Compliance Accelerator products can use this classification tag to filter messages during searches or audits.
    When you select this option, two additional choices are presented:
    ■ Include in review—Includes the message in subsequent searches and audits.
    ■ Exclude from review—Excludes the message from subsequent searches and audits.
    See the Discovery Accelerator and Compliance Accelerator documentation for more information about searching and auditing messages in Enterprise Vault.


Table 6-4 Classification: Classify Enterprise Vault Content parameters (continued)

Parameter: Do not archive message
    Choose this option to indicate that Symantec Enterprise Vault should not archive the message that matched the detection rule.
    When you select this option, the following choices are presented to specify the way in which Enterprise Vault should discard the message:
    ■ Delete message immediately and permanently—Enterprise Vault should delete the message immediately.
    ■ Move message to Deleted Items folder—Enterprise Vault should move the message to the Deleted Items folder. The message may be deleted at a later time when the folder is emptied.
    ■ Leave message in mailbox—Enterprise Vault should leave the message in the mailbox and mark it as “Do not archive.”
    If you select this option but later decide to clear the “Do Not Archive” property on messages, you can do so by setting the ClearDoNotArchive and ClearDoNotJournal registry values on the Enterprise Vault server. See the Enterprise Vault Registry Values manual for instructions. These values permit the Exchange mailbox and Exchange Journaling tasks to archive the messages.
    Note: If you are monitoring a Journal mailbox, you may see messages marked as "Do not archive" in the journal Inbox and in the Deleted items folder. Messages that are marked as "Do not archive" are not automatically re-located. You can manually move the messages into the deleted items folder.

Configuring the retention categories that are available for classification

The Classification: Classify Enterprise Vault Content response rule defines the classification result tags that a Classification Server generates for an Exchange message that matches a detection policy. If you configure this response rule to perform the Archive and classify message action, you also specify the retention category that Enterprise Vault should apply to the archived message. The list of available retention categories that is shown in the Enforce Server administration console is defined using a configuration file, RetentionCategories.config.

See “Configuring the Classify Enterprise Vault Content action” on page 103.

When you first install the Data Classification Services solution, you must create a RetentionCategories.config file to include the retention categories that are available in Enterprise Vault servers. If you change the retention categories that are available in an Enterprise Vault deployment, you should also manually change the available categories that are defined in RetentionCategories.config.

Note: The RetentionCategories.config file supports UTF-8 character encoding without byte order markers (BOM).

To configure the retention categories that are available for classification

1 On each Enterprise Vault server, run the ExportRetentionCategories.exe command-line utility that is installed in the Enterprise Vault program folder. (To display usage instructions, execute the utility without supplying any command-line options.) You must open the command-line utility as a user with administrator privileges.

2 Follow the on-screen instructions to generate a file that lists the retention categories available in the Enterprise Vault server. The following retention categories are always excluded from the file:

■ The retention categories for managed folders.

■ For English deployments, any retention category with the name <Do not override retention category>. This category does not apply a new retention category. Instead, a retention category that is already available for the message is applied during the archiving process.

Keep in mind that hidden retention categories are included in the resulting file.

3 Repeat steps 1 and 2 for each Enterprise Vault server in your deployment.

4 If you generated files for multiple Enterprise Vault servers, use a text editor to merge the contents of each file into a single file.

5 Rename the file that contains all retention categories to RetentionCategories.config.

6 Log on to the Enforce Server computer using Administrator or superuser privileges.

7 Copy the RetentionCategories.config file that you created to the config subdirectory of the Symantec Data Loss Prevention product installation directory. The default directory is c:\Vontu\Protect\config.

8 Restart the Enforce Server to apply the changes.

See the Symantec Data Loss Prevention Administration Guide for information about starting and stopping Symantec Data Loss Prevention services.
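As an added example that is not part of this guide or of the Enterprise Vault tooling, the following Python script performs steps 4 and 5 for exports from several servers while honouring the encoding note above: each export is decoded tolerating a UTF-8 or UTF-16 byte order marker, exact duplicate lines are dropped, and the merged RetentionCategories.config is written as UTF-8 without a BOM. It assumes the exported files are line-oriented text; the server names and category names are constructed.

```python
from pathlib import Path
from typing import Dict, Iterable, List

UTF8_BOM = b"\xef\xbb\xbf"
UTF16_BOMS = (b"\xff\xfe", b"\xfe\xff")


def decode_export(raw: bytes) -> str:
    """Decode one exported listing, accepting the BOMs Windows tools commonly write.

    'utf-8-sig' drops a leading UTF-8 BOM if present and is plain UTF-8 otherwise;
    'utf-16' consumes a UTF-16 BOM and selects the matching byte order. Input that
    is valid in neither encoding raises UnicodeDecodeError instead of being mangled.
    """
    if raw.startswith(UTF16_BOMS):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def merge_exports(exports: Iterable[bytes]) -> bytes:
    """Concatenate the exported listings into one UTF-8 file with no BOM.

    Assumption: each export is line-oriented text. Line order within an export
    is preserved, exports are appended in the order given, and a line already
    seen (a category present on several servers) is not repeated.
    """
    seen = set()
    merged: List[str] = []
    for raw in exports:
        for line in decode_export(raw).splitlines():
            if line not in seen:
                seen.add(line)
                merged.append(line)
    # Plain 'utf-8' never emits a BOM; 'utf-8-sig' would, which the config forbids.
    return ("\n".join(merged) + "\n").encode("utf-8")


def has_bom(data: bytes) -> bool:
    """True when the data starts with a UTF-8 or UTF-16 byte order marker."""
    return data.startswith(UTF8_BOM) or data.startswith(UTF16_BOMS)


def write_config(exports: Iterable[bytes], config_dir: Path) -> Path:
    """Write RetentionCategories.config into config_dir and return its path."""
    data = merge_exports(exports)
    if has_bom(data):  # defensive check; cannot happen with the encoding above
        raise ValueError("merged output unexpectedly starts with a BOM")
    dest = config_dir / "RetentionCategories.config"
    dest.write_bytes(data)
    return dest


# Constructed sample exports: server A wrote a UTF-8 BOM with CRLF line endings,
# server B wrote UTF-16, server C wrote plain UTF-8. Category names are made up.
SAMPLE_EXPORTS: Dict[str, bytes] = {
    "EVSERVER-A": UTF8_BOM + b"Business 7 years\r\nLegal Hold\r\n",
    "EVSERVER-B": "Legal Hold\nHR Records 10 years\n".encode("utf-16"),
    "EVSERVER-C": b"Business 7 years\n",
}

if __name__ == "__main__":
    # Default Enforce Server config directory named in the procedure above.
    target_dir = Path(r"c:\Vontu\Protect\config")
    written = write_config(SAMPLE_EXPORTS.values(), target_dir)
    print(f"wrote {written}; BOM present: {has_bom(written.read_bytes())}")
```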


Configuring the Message/Email Properties and Attributes condition

The Message/Email Properties and Attributes detection rule enables you to classify Microsoft Exchange email messages based on specific message attributes. This detection rule is only applied to Microsoft Exchange messages that are delivered from a Data Classification for Enterprise Vault filter to a Classification Server.

The Message/Email Properties and Attributes detection rule examines the various Messaging Application Programming Interface (MAPI) properties and attributes that Exchange has assigned to the email. Use these attributes to determine whether a message should be archived or deleted, and whether to flag the message for compliance review or E-Discovery searches.

Table 6-5 Message/Email Properties and Attributes condition parameters

Message Sensitivity

This attribute describes the sensitivity of the message.

Select Message Sensitivity and then select one or more of the following sensitivity levels:

■ Normal

■ Personal

■ Private

■ Confidential

The detection rule matches if the message contains any of the selected Message Sensitivity levels.


Message Class

This attribute describes the type of message, or the type of content that the message contains. Select Message Class and then select one or more classes from the Available Message Classes column. Use the arrows to move selected classes into the Selected Message Classes column.

The following classes of interpersonal messages (IPM) appear in the Available Message Classes column:

■ IPM.Activity*—Journal entries, business notes, and phone logs.

■ IPM.Appointment*—Calendar appointments.

■ IPM.Contact*—Accounts and business contacts.

■ IPM.Document*—Document files.

■ IPM.Note*—Email messages that were received from a MAPI source (Exchange email).

■ IPM.Post*—Email messages that were received from an SMTP source, rather than a MAPI source.

■ IPM.Stickynote*—Notes.

■ IPM.Task*—Tasks, projects, and campaigns.

■ REPORT.IPM.*—Message delivery and non-delivery receipts, message read receipts, and message disposition notifications.

Certain message classes, such as IPM.Note, can be classified both when journal and mailbox archiving is enabled in Enterprise Vault for Microsoft Exchange. Other classes, such as IPM.Contact, IPM.Task, and IPM.Appointment, are not present in the journal and are classified only when Enterprise Vault performs mailbox archiving.

Use the Other field to specify message classes to examine in addition to or in place of those classes that are listed in the Available Message Classes column. Use the asterisk wildcard to specify multiple message subclasses. Ensure that any new mailbox classes that you add are also specified in the Exchange Message Classes and Exchange Mailbox Policy > Message Classes tab in Enterprise Vault. (Enterprise Vault archives all journal classes that are delivered from the Classification Server; you do not have to configure individual message classes for journal archiving.)

Also Match

Select this option to create a compound rule. All conditions must match for the rule to trigger an incident. You can add any available condition from the drop-down menu.

Note: Exchange messages that are delivered from a Classification Server do not include envelope information.


Enabling classification test mode

When you create or configure any policy (Manage > Policies > Policy List), the Configure Policy screen contains options in the Policy Actions section that apply only to classification policies. You may choose to place classification policies in test mode during the initial configuration of your Data Classification for Enterprise Vault deployment, or while tuning individual classification policies. When a classification policy runs in test mode, the Classification Server adds a test mode tag to any classification results that are returned to the Enterprise Vault Data Classification Filter for that policy. Enterprise Vault for Microsoft Exchange uses the tag to ignore the outcome of the classification response for that policy, but still performs archiving as if no classification service is running.

When a classification policy runs in test mode, the Enforce Server creates a classification event each time a message matches the policy. You can view these classification events in the incident lists of the Enforce Server administration console (Incidents > Classification). The test mode configuration also enables you to limit the number of classification events that are recorded.

Note: The Enforce Server creates classification events only for those policies that run in test mode. When you disable test mode for production use, no classification incidents are recorded for that policy.

After you are confident that the classification policy works as intended, you can disable test mode so that Enterprise Vault actively classifies or deletes messages as defined in the policy.

Table 6-6 Classifying policy detection matches

Enable Classification Test Mode

This setting is enabled by default and adds a test mode flag to the policy detection result for this policy. The flag indicates that Enterprise Vault should perform no action for the returned classification result.

To classify Enterprise Vault content using this policy, uncheck this option.


Maximum for Classification Test Mode Events

This setting specifies the maximum number of classification events that Symantec Data Loss Prevention creates for this policy while in test mode. Limit the number of classification events for test mode policies, because each message that is posted to the Classification Server should generate a classification result. Specify a limit that enables you to evaluate the performance of your classification policy. You may choose to delete these classification events from the Enforce Server database after you activate the policy (disable test mode). The default setting records a maximum of 100 events.

You can view recorded test-mode classification events by selecting Incidents > Classification.

111Creating classification policiesConfiguring policies

Page 112: Symantec Enterprise Vault : Data Classification Services ... · Symantec Enterprise Vault™ Data Classification Services Implementation Guide EnterpriseVault10.0 DataLossPrevention11.6

Creating classification policiesConfiguring policies

112

Page 113: Symantec Enterprise Vault : Data Classification Services ... · Symantec Enterprise Vault™ Data Classification Services Implementation Guide EnterpriseVault10.0 DataLossPrevention11.6

Chapter 7

Supplied classification policies and policy templates

This chapter includes the following topics:

■ About the Enterprise Vault Data Classification policies

■ About the system-provided policy templates

About the Enterprise Vault Data Classification policies

The Enterprise Vault Data Classification policies let you classify messages according to Enterprise Vault-specific detection rules. Many of these policies match the Automatic Classification Engine policies that you may have used with earlier versions of Enterprise Vault.

Table 7-1 Enterprise Vault Data Classification initial policies

Anti-money Laundering

This policy detects irregular financial transaction discussions and documents.

See “Anti-money Laundering policy” on page 115.

Attorney-Client Privilege

This policy detects documents (including email messages) that exhibit the first doctrine of attorney-client relations.

See “Attorney-Client Privilege policy” on page 116.


Attorney-Client Privilege (Secondary)

This policy detects documents (including email messages) that exhibit the second doctrine of attorney-client relations.

See “Attorney-Client Privilege (Secondary) policy” on page 116.

Auto-generated Messages

This policy detects read receipts, meeting responses, out-of-office replies, delivery notifications, and so on.

See “Auto-generated Messages policy” on page 116.

Auto-generated news, Feeds & Research (Known Providers)

This policy detects messages from the email domains of known news and research providers.

See “Auto-generated news, Feeds & Research (Known Providers) policy” on page 117.

Auto-generated News, Feeds, Research

This policy looks for keyword indicators of subscriptions and press releases.

See “Auto-generated News, Feeds, Research policy” on page 117.

Compensation Discussions

This policy detects common keyword identifiers that may be found in compensation discussions between employees and HR or management.

See “Compensation Discussions policy” on page 117.

Email Containers (attachments)

This policy detects attached email containers.

See “Email Containers (attachments) policy” on page 118.

Faxes (attachments)

This policy detects fax attachments.

See “Faxes (attachments) policy” on page 118.

Legal Documents (attachments)

This policy detects documents of a legal nature.

See “Legal Documents (attachments) policy” on page 118.

Personal Email Domains

This policy detects messages that have been sent from or to known personal email domains and web mail domains.

See “Personal Email Domains policy” on page 119.

Productivity Documents (attachments)

This policy detects regular office file types.

See “Productivity Documents (attachments) policy” on page 119.


Solicitations - Charities

This policy detects charitable solicitations.

See “Solicitations - Charities policy” on page 119.

Solicitations - Political

This policy detects political solicitations and donations.

See “Solicitations - Political policy” on page 119.

Solicitations - Private Investment

This policy detects solicitations for venture or private investments.

See “Solicitations - Private Investment policy” on page 120.

Anti-money Laundering policy

The Anti-money Laundering policy detects irregular financial transaction discussions and documents.

Irregular transaction watchlist (DCM Rule)

This rule tries to find keywords that indicate money transfer or risk within a short distance of keywords that indicate shell, overseas, or hidden entities. For example, the rule looks for the phrase "do not disclose" within a short distance of the phrase "Swiss account".

EDM Rule

This rule looks for two or more identifiers from the following list:

■ Account Number

■ ABA Routing Number

■ Last Name

Note: The rule requires a suitable Exact Data Profile. See the Symantec Data Loss Prevention Administration Guide for guidelines on how to define and choose a profile.

ABA Routing Numbers (Data identifiers) (DCM Rule)

This condition detects nine-digit numbers. It validates the number using the final check digit. This condition eliminates common test numbers, such as 123456789, number ranges that are reserved for future use, and numbers that contain all the same digit. The condition also requires the presence of an ABA-related keyword.
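The ABA Routing Numbers condition described above, as an added example that is not part of this guide or of the product's data identifier implementation: a Python validator that applies the final check digit, excludes common test numbers and all-identical digits, rejects two-digit prefixes that are not assigned, and reports a match only when an ABA-related keyword is present. The prefix ranges, the test-number list and the keyword pattern are assumptions, and the sample message is constructed.

```python
import re
from typing import List, Optional

# Position weights of the ABA routing transit number checksum: the weighted sum
# of all nine digits (the ninth is the check digit) must be divisible by 10.
ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)

# Assumption: two-digit Federal Reserve routing-symbol prefixes in assignment
# (00-12, 21-32, 61-72, 80). Other prefixes are treated as reserved for future use.
ASSIGNED_PREFIXES = (set(range(0, 13)) | set(range(21, 33))
                     | set(range(61, 73)) | {80})

# Assumption: placeholder values that should never be reported as a match.
KNOWN_TEST_NUMBERS = frozenset({"123456789", "987654321"})

# Assumption: the "ABA-related keyword" the condition requires. Word boundaries
# stop "aba" from matching inside words such as "database".
ABA_KEYWORD_RE = re.compile(r"\b(aba|routing\s+(number|transit))\b", re.IGNORECASE)

# Exactly nine digits that are not embedded in a longer run of digits.
NINE_DIGITS_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")


def aba_check_digit_ok(number: str) -> bool:
    """Return True when the nine digits satisfy the ABA weighted checksum."""
    if len(number) != 9 or not number.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(number, ABA_WEIGHTS)) % 10 == 0


def reject_reason(number: str) -> Optional[str]:
    """Explain why a nine-digit candidate is discarded, or None if it is plausible.

    Known test numbers and all-identical digits are dropped before the checksum
    because some of them pass it: 000000000 sums to 0 and would otherwise validate.
    """
    if number in KNOWN_TEST_NUMBERS:
        return "known test number"
    if len(set(number)) == 1:
        return "all digits identical"
    if not aba_check_digit_ok(number):
        return "check digit mismatch"
    if int(number[:2]) not in ASSIGNED_PREFIXES:
        return "prefix reserved for future use"
    return None


def find_routing_numbers(text: str) -> List[str]:
    """Return plausible routing numbers in text, or [] when no ABA keyword is present."""
    if not ABA_KEYWORD_RE.search(text):
        return []
    return [c for c in NINE_DIGITS_RE.findall(text) if reject_reason(c) is None]


# Constructed sample message: one correctly formed routing number, one test
# placeholder, one all-identical value and one value with an unassigned prefix.
SAMPLE_MESSAGE = (
    "Please wire the funds. ABA routing number 021000021, placeholder 123456789,\n"
    "test value 000000000. Reference order 550000000."
)

if __name__ == "__main__":
    for candidate in NINE_DIGITS_RE.findall(SAMPLE_MESSAGE):
        print(candidate, reject_reason(candidate) or "plausible")
    print("matches:", find_routing_numbers(SAMPLE_MESSAGE))
```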


Attorney-Client Privilege policy

The Attorney-Client Privilege policy detects documents, including email messages, which exhibit the first doctrine of attorney-client relations. This doctrine protects communications between attorneys and their clients from disclosure, provided that certain criteria are met (and subject to certain exceptions).

Attorney-Client language tags (DCM Rule)

This rule looks for attorney-type identifier keywords that appear in proximity to communication or privilege identifier keywords. For example, the rule looks for the keyword "Attorney-client" within a short distance of the keyword "Litigation".

Attorney-Client Privilege (Secondary) policy

The Attorney-Client Privilege (Secondary) policy detects documents, including email messages, which exhibit the second doctrine of attorney-client relations. This doctrine is designed to prevent the disclosure to adversaries of materials that an attorney has prepared for a client in anticipation of litigation.

Attorney Client work product tags (DCM Rule)

This rule looks for attorney-type identifier keywords that appear in proximity to work product identifier keywords, and in which the messages contain one or more attachments. For example, the rule looks for the keyword "Attorney-client" within a short distance of the keyword "contract".

Attorney work product (Attachments) (DCM Rule)

This rule looks for a match on keywords such as "Agreement" and "Contract" in combination with the specified file types.

Auto-generated Messages policy

The Auto-generated Messages policy detects read receipts, meeting responses, out-of-office replies, delivery notifications, and so on.

System receipts (DCM Rule)

This rule evaluates keywords such as the following on message envelopes only:

■ Accepted:

■ Out of Office*

■ Undelivered mail returned


Out of Office text (DCM Rule)

This rule looks for instances of phrases such as "away from the office" and "unable to respond" that occur in proximity to phrases such as "contact my manager" and "for anything urgent".

Well known Exchange system messages, Out of Office responses (MAPI Attribute Rule)

This rule uses MAPI attributes to detect non-delivery, receipt, and out-of-office responses.

Auto-generated news, Feeds & Research (Known Providers) policy

The Auto-generated news, Feeds & Research (Known Providers) policy detects messages from the email domains of known news and research providers.

Known news senders (DCM Rule)

This rule looks for messages that have been sent from common news email domains, such as the following:

■ Alerts.yahoo.com

■ Cnn.com

■ News.google.com

Auto-generated News, Feeds, Research policy

The Auto-generated News, Feeds, Research policy looks for keyword indicators of subscriptions and press releases.

Press Release, Research, Subscriptions (DCM Rule)

This rule looks for keyword indicators of subscriptions and press releases. For example, the rule looks for the phrase "for immediate release", or instances where the phrase "manage your subscription" occurs in proximity to the phrase "click here".

Compensation Discussions policy

The Compensation Discussions policy detects common keyword identifiers that may be found in compensation discussions between employees and HR or management.


Compensation (DCM Rule)

This rule looks for keyword markers of salary, bonus, or fee structures in proximity with keywords that refer to performance, rating, or payments. For example, the rule looks for the keyword "compensation" within a short distance of the phrase "job well done".

Email Containers (attachments) policy

The Email Containers (attachments) policy detects message attachments of type PST or NSF.

Email Container Attachments (DCM Rule)

This rule acts only on attachments and triggers when it finds either of the following file types:

■ NSF

■ PST

Faxes (attachments) policy

The Faxes (attachments) policy detects fax attachments.

Fax keywords and attachments (DCM Rule)

This compound rule attempts to detect fax transmissions in combination with a list of fax file types.

Legal Documents (attachments) policy

The Legal Documents (attachments) policy detects documents of a legal nature.

Legal Documents (Attachments) (DCM Rule)

This rule checks message attachments for keywords such as the following, which may indicate legal or contractual documentation:

■ Agreement

■ Contract

■ Deposition

■ Subpoena


Personal Email Domains policy

The Personal Email Domains policy detects messages that have been sent from or to known personal email domains and web mail domains.

Personal and Webmail domains (DCM Rule)

This rule evaluates sender and recipient information on envelopes, looking for messages that have been sent from or to a list of known personal email domains and web mail domains.

Productivity Documents (attachments) policy

The Productivity Documents (attachments) policy detects message attachments in commonly used office formats.

Office Productivity Attachments (DCM Rule)

This rule acts on attachments only. It triggers when it finds attachments that are in any common office format, such as the following:

■ Excel spreadsheet

■ PDF

■ PowerPoint

■ Unicode text

■ Word

Solicitations - Charities policy

The Solicitations - Charities policy detects charitable solicitations.

Charitable Solicitations (DCM Rule)

This rule tries to detect contribution language in the vicinity of charitable foundation language. For example, the rule looks for the phrase "your support" within a short distance of the keyword "church".

Solicitations - Political policy

The Solicitations - Political policy detects political solicitations and donations.


Political Solicitations (DCM Rule)

This rule tries to detect instances of contribution language within a short distance of election or candidate language. For example, the rule looks for the phrase "your backing" within a short distance of the keyword "Candidate".

Solicitations - Private Investment policy

The Solicitations - Private Investment policy detects solicitations for venture or private investments.

Private Investment Solicitations (DCM Rule)

This rule tries to detect solicitation language within a short distance of private placement language. For example, the rule looks for the phrase "financial assistance" within a short distance of the keyword "start-up".

About the system-provided policy templates

Symantec Data Loss Prevention comes with the following categories of policy templates, which you can use as the basis for new policies:

■ Acceptable Use Enforcement. See “Acceptable Use Enforcement policy templates” on page 121.

■ Confidential or Classified Data Protection. See “Confidential or Classified Data Protection policy templates” on page 132.

■ Customer and Employee Data Protection. See “Customer and Employee Data Protection policy templates” on page 142.

■ Network Security Enforcement. See “Network Security Enforcement policy templates” on page 149.

■ UK and International Regulatory Enforcement. See “UK and International Regulatory Enforcement policy templates” on page 152.

■ US Regulatory Enforcement. See “US Regulatory Enforcement policy templates” on page 159.


Acceptable Use Enforcement policy templates

Symantec Data Loss Prevention provides several policy templates for enforcing acceptable use of information.

Table 7-2 Acceptable Use Enforcement policy templates

Competitor Communications

This policy detects forbidden communications with competitors.

See “Competitor Communications policy template” on page 122.

Forbidden Websites

This policy detects access to specified websites.

See “Forbidden Websites policy template” on page 122.

Gambling

This policy detects any reference to gambling.

See “Gambling policy template” on page 123.

Illegal Drugs

This policy detects conversations about illegal drugs and controlled substances.

See “Illegal Drugs policy template” on page 123.

Media Files

This policy detects various types of video and audio files.

See “Media Files policy template” on page 124.

Offensive Language

This policy detects the use of offensive language.

See “Offensive Language policy template” on page 124.

Racist Language

This policy detects the use of racist language.

See “Racist Language policy template” on page 125.

Restricted Files

This policy detects various file types that are generally inappropriate to send out of the company.

See “Restricted Files policy template” on page 125.

Restricted Recipients

This policy detects communications with specified recipients.

See “Restricted Recipients policy template” on page 125.

Sexually Explicit Language

This policy detects vulgar, sexually explicit, and pornographic content.

See “Sexually Explicit Language policy template” on page 126.


Violence & Weapons

This policy detects violent language and discussions about weapons.

See “Violence and Weapons policy template” on page 126.

Webmail

This policy detects usage of a variety of web mail services.

See “Webmail policy template” on page 126.

Yahoo Message Board Activity

This policy detects Yahoo message board activity.

See “Yahoo Message Board Activity policy template” on page 127.

Yahoo and MSN Messengers on Port 80

This policy detects Yahoo and MSN Messenger activity over port 80.

See “Yahoo and MSN Messengers on Port 80 policy template” on page 129.

Competitor Communications policy template

The Competitor Communications policy detects forbidden communications with competitors.

Competitor List (DCM Rule)

This rule looks for keywords (domains) from the "Competitor Domains" dictionary, which is user-defined.

See “Exporting policy detection as a template” on page 97.

Forbidden Websites policy template

The Forbidden Websites policy detects access to specified Web sites.

Forbidden Websites (DCM Rule)

This rule looks for any keywords in the "Forbidden Websites" dictionary, which is user-defined.


To enable a Forbidden Website policy to process GET requests appropriately

1 Configure your web proxy server to forward GET requests to the Network Prevent (Web) server.

2 Set the L7.processGets Advanced setting on the Network Prevent (Web) server to "true" (which is the default).

3 Reduce the L7.minSizeofGetURL Advanced setting on the Network Prevent (Web) server from the default of 100 to a number of bytes (characters) smaller than the length of the shortest Web site that the policy specifies.

Note: Reducing the minimum size of GETs increases the number of URLs that have to be processed, which increases the server's traffic load. One approach is to calculate the number of characters in the shortest URL specified in the list of forbidden URLs and set the minimum size to that number. Another approach is to set the minimum URL size to 10, as that should cover all cases.

4 You may need to adjust the "Ignore Requests Smaller Than" setting in the ICAP configuration of the Network Prevent server from the default 4096 bytes. This value stops processing of incoming Web pages that contain fewer bytes than the number specified. If a page of a forbidden Web site URL might be smaller than that number, the setting should be reduced appropriately.

See “Exporting policy detection as a template” on page 97.

Gambling policy template

This policy detects any reference to gambling.

Suspicious Gambling Keywords (DCM Rule)

This rule looks for five instances of keywords from the "Gambling Keywords, Confirmed" dictionary.

Less Suspicious Gambling Keywords (DCM Rule)

This rule looks for 10 instances of keywords from the "Gambling Keywords, Suspect" dictionary.

See “Exporting policy detection as a template” on page 97.

Illegal Drugs policy template

This policy detects conversations about illegal drugs and controlled substances.


Street Drugs (DCM Rule)

This rule looks for five instances of keywords from the "Street Drug Names" dictionary.

Mass Produced Controlled Substances (DCM Rule)

This rule looks for five instances of keywords from the "Manufactured Controlled Substances" dictionary.

See “Exporting policy detection as a template” on page 97.

Media Files policy template

The Media Files policy detects various types of video and audio files (including mp3).

Media Files (DCM Rule)

This rule looks for the following media file types:

■ qt

■ riff

■ macromedia_dir

■ midi

■ mp3

■ mpeg_movie

■ quickdraw

■ realaudio

■ wav

■ video_win

■ vrml

Media Files Extensions (DCM Rule)

This rule looks for file name extensions from the "Media Files Extensions" dictionary.

See “Exporting policy detection as a template” on page 97.

Offensive Language policy template

The Offensive Language policy detects the use of offensive language.


Offensive Language, Explicit

This rule looks for any single keyword in the "Offensive Language,Explicit" dictionary.

DCM Rule

Offensive Language, General

This rule looks for any three instances of keywords in the "OffensiveLanguage, General" dictionary.

DCM Rule

See “Exporting policy detection as a template” on page 97.

Racist Language policy templateThe Racist Language policy detects the use of racist language.

Racist Language

This rule looks for any single keyword in the "Racist Language"dictionary.

DCM Rule

See “Exporting policy detection as a template” on page 97.

Restricted Files policy templateThe Restricted Files policy detects various file types that are generallyinappropriate to send out of the company, such as Microsoft Access and executablefiles.

MSAccess Files and Executables

This rule looks for files of the specified types: access, exe, and exe_unix.

DCM Rule

See “Exporting policy detection as a template” on page 97.

Restricted Recipients policy template

The Restricted Recipients policy detects communications with specified recipients, such as former employees.

Restricted Recipients (DCM Rules)
This rule looks for messages to recipients with email addresses in the "Restricted Recipients" dictionary.

See “Exporting policy detection as a template” on page 97.


Sexually Explicit Language policy template

The Sexually Explicit Language policy detects vulgar, sexually explicit, and pornographic language content.

Sexually Explicit Keywords, Confirmed (DCM Rule)
This rule looks for any single keyword in the "Sex. Explicit Keywords, Confirmed" dictionary.

Sexually Explicit Keywords, Suspected (DCM Rule)
This rule looks for any three instances of keywords in the "Sex. Explicit Words, Suspect" dictionary.

Sexually Explicit Keywords, Possible (DCM Rule)
This rule looks for any three instances of keywords in the "Sex. Explicit Words, Possible" dictionary.

See “Exporting policy detection as a template” on page 97.

Violence and Weapons policy template

The Violence and Weapons policy detects violent language and discussions about weapons.

Violence and Weapons (DCM Rule)
This rule is a compound rule with two conditions; both must match to trigger an incident. This rule looks for a keyword from the "Violence Keywords" dictionary and a keyword from the "Weapons Keywords" dictionary.

See “Exporting policy detection as a template” on page 97.

Webmail policy template

The Webmail policy detects the use of a variety of Webmail services, including Yahoo, Google, and Hotmail.


Table 7-3 (columns: Name, Type, Condition(s), Description)

Yahoo (Compound detection rule)
■ Recipient Matches Pattern (DCM): this condition checks for the URL domain mail.yahoo.com.
■ Content Matches Keyword (DCM): this condition checks for the keyword ym/compose.

Hotmail (Compound detection rule)
■ Recipient Matches Pattern (DCM): this condition checks for the URL domain hotmail.msn.com.
■ Content Matches Keyword (DCM): this condition checks for the keyword compose?&curmbox.

Go (Compound detection rule)
■ Recipient Matches Pattern (DCM): this condition checks for the URL gomailus.go.com.
■ Content Matches Keyword (DCM): this condition checks for the keyword compose.

AOL (Compound detection rule)
■ Recipient Matches Pattern (DCM): this condition checks for the URL domain aol.com.
■ Content Matches Keyword (DCM): this condition checks for the keyword compose.

Gmail (Compound detection rule)
■ Recipient Matches Pattern (DCM): this condition checks for the URL domain gmail.google.com.
■ Content Matches Keyword (DCM): this condition checks for the keyword gmail.

See “Exporting policy detection as a template” on page 97.

Yahoo Message Board Activity policy template

The Yahoo Message Board policy template detects Yahoo message board activity.

The Yahoo Message Board detection rule is a compound method that looks for messages posted to the Yahoo message board you specify.

Table 7-4 describes its configuration details.


Table 7-4 Yahoo Message Board detection rule (columns: Method, Condition, Configuration)

Method: Compound rule (the two conditions are joined by AND)

Condition 1: Content Matches Keyword (DCM)
Configuration: Yahoo Message Board (Keyword Match):
■ Case insensitive.
■ Match Keyword: post.messages.yahoo.com/bbs.
■ Match on whole words only.
■ Check for existence (do not count multiple matches).
■ Look in envelope, subject, body, attachments.
■ Match must occur in the same component for both conditions.

Condition 2: Content Matches Keyword (DCM)
Configuration: Yahoo Message Board (Keyword Match):
■ Case insensitive.
■ Match Keyword: board=<enter board number>.
■ Match on whole words only.
■ Check for existence (do not count multiple matches).
■ Look in envelope, subject, body, attachments.
■ Match must occur in the same component for both conditions.

The Finance Message Board URL detection rule detects messages posted to the Yahoo Finance message board.

Table 7-5 describes its configuration.

Table 7-5 Finance Message Board URL detection rule (columns: Method, Condition, Configuration)

Method: Simple rule

Condition: Content Matches Keyword (DCM)
Configuration: Finance Message Board URL (Keyword Match):
■ Case insensitive.
■ Match Keyword: messages.finance.yahoo.com.
■ Match on whole words only.
■ Check for existence (do not count multiple matches).
■ Look in envelope, subject, body, attachments.

The Board URLs detection rule detects messages posted to the Yahoo or Yahoo Finance message boards by the URL of either.

Table 7-6 describes its configuration details.


Table 7-6 Board URLs detection rule (columns: Method, Condition, Configuration)

Method: Simple rule

Condition: Recipient Matches Pattern (DCM)
Configuration: Board URLs (Recipient):
■ Recipient URL: messages.yahoo.com, messages.finance.yahoo.com.
■ At least 1 recipient(s) must match.
■ Matches on the entire message (not configurable).

See “Exporting policy detection as a template” on page 97.

Yahoo and MSN Messengers on Port 80 policy template

The Yahoo and MSN Messengers on Port 80 policy detects Yahoo and MSN Messenger activity over port 80.

The Yahoo IM detection rule looks for keyword matches on both ymsg and shttp.msg.yahoo.com.


Table 7-7 Yahoo IM detection rule (columns: Method, Condition, Configuration)

Method: Compound rule (the two conditions are joined by AND)

Condition 1: Content Matches Keyword (DCM)
Configuration: Yahoo IM (Keyword Match):
■ Case insensitive.
■ Match keyword: ymsg.
■ Match on whole words only.
■ Count all matches and report an incident for each match.
■ Look for matches in the envelope, subject, body, and attachments.
■ Match must occur in the same component for both conditions in the rule.

Condition 2: Content Matches Keyword (DCM)
Configuration: Yahoo IM (Keyword Match):
■ Case insensitive.
■ Match keyword: shttp.msg.yahoo.com.
■ Match on whole words only.
■ Count all matches and report an incident for each match.
■ Look for matches in the envelope, subject, body, and attachments.
■ Match must occur in the same component for both conditions in the rule.

The MSN IM detection rule looks for matches on three keywords in the same message component.


Table 7-8 MSN IM detection rule (columns: Method, Condition, Configuration)

Method: Compound rule (the three conditions are joined by AND)

Condition 1: Content Matches Keyword (DCM)
Configuration: MSN IM (Keyword Match):
■ Case insensitive.
■ Match keyword: msg.
■ Match on whole words only.
■ Count all matches and report an incident for each match.
■ Look for matches in the envelope, subject, body, and attachments.
■ Match must occur in the same component for all conditions in the rule.

Condition 2: Content Matches Keyword (DCM)
Configuration: MSN IM (Keyword Match):
■ Case insensitive.
■ Match keyword: x-msn.
■ Match on whole words only.
■ Count all matches and report an incident for each match.
■ Look for matches in the envelope, subject, body, and attachments.
■ Match must occur in the same component for all conditions in the rule.

Condition 3: Content Matches Keyword (DCM)
Configuration: MSN IM (Keyword Match):
■ Case insensitive.
■ Match keyword: charset=utf-8.
■ Match on whole words only.
■ Count all matches and report an incident for each match.
■ Look for matches in the envelope, subject, body, and attachments.
■ Match must occur in the same component for all conditions in the rule.

See “Exporting policy detection as a template” on page 97.
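The same-component keyword matching that Tables 7-7 and 7-8 configure, as an added example written for this guide (it is not Symantec code and does not use the product's API). The four-way component split, the whole-word handling of keywords that contain punctuation, and the sample messages are assumptions; the keywords are the ones the tables list.

```python
"""Added example (not Symantec code): a small model of the compound
keyword-match rules in Tables 7-7 and 7-8. A message is split into the
four components the tables name; a compound rule fires only for a
component in which every condition matches."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

COMPONENTS = ("envelope", "subject", "body", "attachments")


@dataclass(frozen=True)
class KeywordCondition:
    """One 'Content Matches Keyword (DCM)' condition."""
    keyword: str
    case_insensitive: bool = True
    whole_word: bool = True
    count_all: bool = True   # False: check for existence only

    def _regex(self):
        kw = re.escape(self.keyword)
        if self.whole_word:
            # Keywords such as shttp.msg.yahoo.com or charset=utf-8 contain
            # punctuation, so \b alone is not enough: require that no letter,
            # digit or underscore touches either end of the keyword.
            kw = r"(?<![A-Za-z0-9_])" + kw + r"(?![A-Za-z0-9_])"
        return re.compile(kw, re.IGNORECASE if self.case_insensitive else 0)

    def count(self, text: str) -> int:
        """Matches in one component (at most 1 when existence-only)."""
        hits = len(self._regex().findall(text))
        return hits if self.count_all else min(hits, 1)


@dataclass(frozen=True)
class CompoundRule:
    """Conditions joined by AND; all must match in the same component."""
    name: str
    conditions: Tuple[KeywordCondition, ...]


def evaluate(rule: CompoundRule, message: Dict[str, str]) -> Dict[str, List[int]]:
    """Return {component: [per-condition match counts]} for every component
    in which all of the rule's conditions matched; empty means no incident."""
    incidents: Dict[str, List[int]] = {}
    for comp in COMPONENTS:
        counts = [c.count(message.get(comp, "")) for c in rule.conditions]
        if all(counts):
            incidents[comp] = counts
    return incidents


# Table 7-7: Yahoo IM = ymsg AND shttp.msg.yahoo.com, counting every match.
YAHOO_IM = CompoundRule("Yahoo IM", (
    KeywordCondition("ymsg"),
    KeywordCondition("shttp.msg.yahoo.com"),
))

# Table 7-8: MSN IM = msg AND x-msn AND charset=utf-8, counting every match.
MSN_IM = CompoundRule("MSN IM", (
    KeywordCondition("msg"),
    KeywordCondition("x-msn"),
    KeywordCondition("charset=utf-8"),
))

# Constructed sample messages (not real captures).
YAHOO_MSG = {
    "envelope": "From: alice@example.invalid To: gateway@example.invalid",
    "subject": "hello",
    "body": "YMSG login, then YMSG data sent via shttp.msg.yahoo.com",
    "attachments": "",
}
# All three MSN keywords appear, but not in one component: no incident.
SPLIT_MSN_MSG = {
    "envelope": "",
    "subject": "msg for bob",
    "body": "X-MSN-Messenger: 8.5; Content-Type: text/plain; charset=utf-8",
    "attachments": "",
}
MSN_MSG = {
    "envelope": "",
    "subject": "",
    "body": "MSG 1 U\r\nX-MSN-Messenger: 8.5\r\nContent-Type: text/plain; charset=utf-8",
    "attachments": "",
}

if __name__ == "__main__":
    print(evaluate(YAHOO_IM, YAHOO_MSG))      # {'body': [2, 1]}
    print(evaluate(MSN_IM, SPLIT_MSN_MSG))    # {}
    print(evaluate(MSN_IM, MSN_MSG))          # {'body': [1, 1, 1]}
```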


Confidential or Classified Data Protection policy templates

Symantec Data Loss Prevention provides several policy templates for Confidential or Classified Data Protection.

Table 7-9 Confidential or Classified Data Protection policy templates (columns: Policy template, Description)

Confidential Documents: This policy detects company-confidential documents. See “Confidential Documents policy template” on page 133.

Design Documents: This policy detects various types of design documents. See “Design Documents policy template” on page 134.

Encrypted Data: This policy detects the use of encryption by a variety of methods. See “Encrypted Data policy template” on page 134.

Financial Information: This policy detects financial data and information. See “Financial Information policy template” on page 135.

Merger and Acquisition Agreements: This policy detects information and communications about upcoming merger and acquisition activity. See “Merger and Acquisition Agreements policy template” on page 136.

Price Information: This policy detects specific SKU or pricing information. See “Price Information policy template” on page 137.

Project Data: This policy detects discussions of sensitive projects. See “Project Data policy template” on page 138.

Proprietary Media Files: This policy detects various types of video and audio files. See “Proprietary Media Files policy template” on page 138.

Publishing Documents: This policy detects various types of publishing documents. See “Publishing Documents policy template” on page 139.

Resumes: This policy detects active job searches. See “Resumes policy template” on page 140.

Source Code: This policy detects various types of source code. See “Source Code policy template” on page 140.


Table 7-9 Confidential or Classified Data Protection policy templates (continued)

Symantec DLP Awareness and Avoidance: This policy detects communications that refer to Vontu or data loss prevention systems and possible avoidance of detection. This policy is most useful for deployments that are not widely known among monitored users. See “Symantec DLP Awareness and Avoidance policy template” on page 141.

Confidential Documents policy template

This policy detects company-confidential documents at risk of exposure.

Table 7-10 Rules comprising the Confidential Documents template (columns: Rule, Type, Description)

Confidential Documents, Indexed (Simple IDM Rule with one condition)
This rule looks for content from specific documents registered as confidential; returns a match if 80% or more of the source document is found. If you do not have an Indexed Document Profile configured this rule is dropped.

Confidential Documents (Compound DCM Rule: Attachment/File Type and Keyword Match. Both conditions must match for the rule to trigger an incident.)
This rule looks for a combination of keywords from the "Confidential Keywords" list and the following file types:
■ Microsoft Excel Macro
■ Microsoft Excel
■ Microsoft Works Spreadsheet
■ SYLK Spreadsheet
■ Corel Quattro Pro
■ Multiplan Spreadsheet
■ Comma Separated Values
■ Applix Spreadsheets
■ Lotus 1-2-3
■ Microsoft Word
■ Adobe PDF
■ Microsoft PowerPoint

Proprietary Documents (Compound DCM Rule: Attachment/File Type and Keyword Match)
This compound rule looks for a combination of keywords from the "Proprietary Keywords" dictionary and the above referenced file types.


Table 7-10 Rules comprising the Confidential Documents template (continued)

Internal Use Only Documents (Compound DCM Rule: Attachment/File Type and Keyword Match)
This compound rule looks for a combination of keywords from the "Internal Use Only Keywords" dictionary and the above referenced file types.

Documents Not For Distribution (Compound DCM Rule: Attachment/File Type and Keyword Match)
This compound rule looks for a combination of keywords from the "Not For Distribution Words" dictionary and the above referenced file types.

See “Exporting policy detection as a template” on page 97.

Design Documents policy template

This policy detects various types of design documents, such as CAD/CAM, at risk of exposure.

Design Documents, Indexed (IDM Rule)
This rule looks for content from specific design documents registered as proprietary. It returns a match if the engine detects 80% or more of the source document.

Design Document Extensions (DCM Rule)
This rule looks for the specified file name extensions found in the "Design Document Extensions" dictionary.

Design Documents (DCM Rule)
This rule looks for the following specified file types:
■ cad_draw
■ dwg

Note: Both file types and file name extensions are used because the policy does not detect the true file type for all the required documents.

See “Exporting policy detection as a template” on page 97.

Encrypted Data policy template

This policy detects the use of encryption by a variety of methods including S/MIME, PGP, GPG, and file password protection.


Password Protected Files (DCM Rule)
This rule looks for the following file types: encrypted_zip, encrypted_doc, encrypted_xls, or encrypted_ppt.

PGP Files (DCM Rule)
This rule looks for the following file type: pgp.

GPG Files (DCM Rule)
This rule looks for a keyword from the "GPG Encryption Keywords" dictionary.

S/MIME (DCM Rule)
This rule looks for a keyword from the "S/MIME Encryption Keywords" dictionary.

HushMail Transmissions (DCM Rule)
This rule looks for a match from a list of recipient URLs.

See “Exporting policy detection as a template” on page 97.

Financial Information policy template

The Financial Information policy detects financial data and information.

Financial Information, Indexed (IDM Rule)
This rule looks for content from specific financial information files registered as proprietary; returns a match if 80% or more of the source document is found.


Financial Information (DCM Rule)
This rule looks for the combination of specified file types, keywords from the "Financial Keywords" dictionary, and keywords from the "Confidential/Proprietary Words" dictionary.

The specified file types are as follows:
■ excel_macro
■ xls
■ works_spread
■ sylk
■ quattro_pro
■ mod
■ csv
■ applix_spread
■ 123

See “Exporting policy detection as a template” on page 97.

Merger and Acquisition Agreements policy template

The Mergers and Acquisition Agreements policy template detects contracts and official documentation concerning merger and acquisition activity.

You can modify this template with company-specific code words to detect specific deals.

The Merger and Acquisition Agreements template provides a single compound detection rule. All conditions in the rule must match for the rule to trigger an incident.

Table 7-11 Merger and Acquisition Agreements compound detection rule (columns: Condition, Configuration)

Condition: Contract Specific Keywords (Keyword Match)
■ Match any keyword: merger, agreement, contract, letter of intent, term sheet, plan of reorganization
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.


Table 7-11 Merger and Acquisition Agreements compound detection rule (continued)

Condition: Acquisition Corporate Structure Keywords (Keyword Match)
■ Match any keyword: subsidiary, subsidiaries, affiliate, acquiror, merger sub, covenantor, acquired company, acquiring company, surviving corporation, surviving company
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.

Condition: Merger Consideration Keywords (Keyword Match)
■ Match any keyword: merger stock, merger consideration, exchange shares, capital stock, dissenting shares, capital structure, escrow fund, escrow account, escrow agent, escrow shares, escrow cash, escrow amount, stock consideration, break-up fee, goodwill
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.

Condition: Legal Contract Keywords (Keyword Match)
■ Match any keyword: recitals, in witness whereof, governing law, Indemnify, Indemnified, indemnity, signature page, best efforts, gross negligence, willful misconduct, authorized representative, severability, material breach
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.

See “Exporting policy detection as a template” on page 97.

Price Information policy template

The Price Information policy detects specific SKU and pricing information at risk of exposure.


Price Information (EDM Rule)
This rule looks for the combination of user-specified Stock Keeping Unit (SKU) numbers and the price for that SKU number.

Note: This template contains one EDM detection rule. If you do not have an EDM profile configured, or you are using Symantec Data Loss Prevention Standard, this policy template is empty and contains no rule to configure.

See “Exporting policy detection as a template” on page 97.

Project Data policy template

The Project Data policy detects discussions of sensitive projects.

Project Documents, Indexed (IDM Rule)
This rule looks for content from specific project data files registered as proprietary. It returns a match if the engine detects 80% or more of the source document.

Project Activity (DCM Rule)
This rule looks for any keywords in the "Sensitive Project Code Names" dictionary, which is user-defined.

See “Exporting policy detection as a template” on page 97.

Proprietary Media Files policy template

The Proprietary Media Files policy detects various types of video and audio files that can be proprietary intellectual property of your organization at risk for exposure.

Media Files, Indexed (IDM Rule)
This rule looks for content from specific media files registered as proprietary.


Media Files (DCM Rule)
This rule looks for the following media file types:
■ qt
■ riff
■ macromedia_dir
■ midi
■ mp3
■ mpeg_movie
■ quickdraw
■ realaudio
■ wav
■ video_win
■ vrml

Media Files Extensions (DCM Rule)
This rule looks for file name extensions from the "Media Files Extensions" dictionary.

See “Exporting policy detection as a template” on page 97.

Publishing Documents policy template

The Publishing Documents policy detects various types of publishing documents, such as Adobe FrameMaker files, at risk of exposure.

Publishing Documents, Indexed (IDM Rule)
This rule looks for content from specific publishing documents registered as proprietary. It returns a match if the engine detects 80% or more of the source document.

Publishing Documents (DCM Rule)
This rule looks for the specified file types:
■ qxpress
■ frame
■ aldus_pagemaker
■ publ

Publishing Documents, extensions (DCM Rule)
This rule looks for specified file name extensions found in the "Publishing Document Extensions" dictionary.


Note: Both file types and file name extensions are required for this policy because the detection engine does not detect the true file type for all the required documents. As such, the file name extension must be used with the file type.

See “Exporting policy detection as a template” on page 97.

Resumes policy template

The Resumes policy detects active job searches.

Resumes, Employee (EDM Rule)
This rule is a compound rule with two conditions; both must match to trigger an incident. This rule contains an EDM condition for first and last names of employees provided by the user. This rule also looks for a specific file type attachment (.doc) that is less than 50 KB and contains at least one keyword from each of the following dictionaries:
■ Job Search Keywords, Education
■ Job Search Keywords, Work
■ Job Search Keywords, General

Resumes, All (DCM Rule)
This rule looks for files of a specified type (.doc) that are less than 50 KB and match at least one keyword from each of the following dictionaries:
■ Job Search Keywords, Education
■ Job Search Keywords, Work
■ Job Search Keywords, General

Job Search Websites (DCM Rule)
This rule looks for URLs of Web sites that are used in job searches.

See “Exporting policy detection as a template” on page 97.

Source Code policy template

The Source Code policy detects various types of source code at risk of exposure.

Source Code Documents (IDM Rule)
This rule looks for specific user-provided source code using IDM. This rule returns a match if it detects 80% or more of the source document.


Source Code Extensions (DCM Rule)
This rule looks for file name extensions from the "Source Code Extensions" dictionary.

Java Source Code (DCM Rule)
This rule looks for the Java Import Statements or Java Class Files regular expression.

C Source Code (DCM Rule)
This rule looks for the C Source Code regular expression.

VB Source Code (DCM Rule)
This rule looks for the VB Source Code regular expression.

PERL Source Code (DCM Rule)
This rule looks for the three different PERL-related system patterns and regular expressions.

See “Exporting policy detection as a template” on page 97.

Symantec DLP Awareness and Avoidance policy template

The Symantec DLP Awareness & Avoidance policy detects any communications that refer to Symantec Data Loss Prevention or data loss prevention systems and possible avoidance of detection. The Symantec DLP Awareness & Avoidance policy is most useful for the deployments that are not widely known among monitored users.

Symantec DLP Awareness (DCM Rule)
Checks for a keyword match from the "Symantec DLP Awareness" dictionary.

Symantec DLP Avoidance (DCM Rule)
This rule is a compound rule with two conditions; both must be matched to trigger an incident. This rule looks for a keyword match from the "Symantec DLP Awareness" dictionary and a keyword from the "Symantec DLP Avoidance" dictionary.

See “Exporting policy detection as a template” on page 97.


Customer and Employee Data Protection policy templates

Symantec Data Loss Prevention provides several policy templates for Customer and Employee Data Protection.

Table 7-12 Customer and Employee Data Protection policy templates (columns: Policy template, Description)

Canadian Social Insurance Numbers: This policy detects patterns indicating Canadian social insurance numbers. See “Canadian Social Insurance Numbers policy template” on page 143.

Credit Card Numbers: This policy detects patterns indicating credit card numbers. See “Credit Card Numbers policy template” on page 143.

Customer Data Protection: This policy detects customer data. See “Customer Data Protection policy template” on page 144.

Employee Data Protection: This policy detects employee data. See “Employee Data Protection policy template” on page 146.

Individual Taxpayer Identification Numbers (ITIN): This policy detects IRS-issued tax processing numbers. See “Individual Taxpayer Identification Numbers (ITIN) policy template” on page 146.

SWIFT Codes: This policy detects codes banks use to transfer money across international borders. See “SWIFT Codes policy template” on page 147.

UK Drivers License Numbers: This policy detects UK Drivers License Numbers. See “UK Drivers License Numbers policy template” on page 147.

UK Electoral Roll Numbers: This policy detects UK Electoral Roll Numbers. See “UK Electoral Roll Numbers policy template” on page 147.

UK National Health Service (NHS) Number: This policy detects personal identification numbers that the UK National Health Service has issued. See “UK National Health Service (NHS) Number policy template” on page 148.


Table 7-12 Customer and Employee Data Protection policy templates (continued)

UK National Insurance Numbers: This policy detects UK National Insurance numbers. See “UK National Insurance Numbers policy template” on page 148.

UK Passport Numbers: This policy detects valid UK passports. See “UK Passport Numbers policy template” on page 148.

UK Tax ID Numbers: This policy detects UK Tax ID Numbers. See “UK Tax ID Numbers policy template” on page 149.

US Social Security Numbers: This policy detects patterns indicating social security numbers. See “US Social Security Numbers policy template” on page 149.

Canadian Social Insurance Numbers policy template

This policy detects patterns indicating Canadian social insurance numbers (SINs) at risk of exposure.

Canadian Social Insurance Numbers (DCM Rule)
This rule looks for a match to the Canadian Social Insurance Number data identifier and a keyword from the "Canadian Social Ins. No. Words" dictionary.

See “Exporting policy detection as a template” on page 97.

Credit Card Numbers policy template

This policy detects patterns indicating credit card numbers at risk of exposure.

Credit Card Numbers, All (DCM Rule)
This rule looks for a match to the credit card number system pattern and a keyword from the "Credit Card Number Keywords" dictionary.

See “Exporting policy detection as a template” on page 97.


Customer Data Protection policy template

This policy detects customer data at risk of exposure.

Username/Password Combinations (EDM Rule)
This rule looks for usernames and passwords in combination with three or more of the following fields:
■ SSN
■ Phone
■ Email
■ First Name
■ Last Name
■ Bank Card number
■ Account Number
■ ABA Routing Number
■ Canadian Social Insurance Number
■ UK National Insurance Number

However, the following combinations are not a violation:
■ Phone, email, and last name
■ Email, first name, and last name
■ Phone, first name, and last name


Date of Birth (EDM Rule)
This rule looks for any three of the following data fields in combination:
■ SSN
■ Phone
■ Email
■ First Name
■ Last Name
■ Bank Card number
■ Account Number
■ ABA Routing Number
■ Canadian Social Insurance Number
■ UK National Insurance Number
■ Date of Birth

However, the following combinations are not a violation:
■ Phone, email, and first name
■ Phone, email, and last name
■ Email, first name, and last name
■ Phone, first name, and last name

Exact SSN or CCN (EDM Rule)
This rule looks for an exact social security number or bank card number.

Customer Directory (EDM Rule)
This rule looks for Phone or Email.

US Social Security Number Patterns (DCM Rule)
This rule looks for a match to the Social Security number data identifier and a keyword from the "US SSN Keywords" dictionary.

Credit Card Numbers, All (DCM Rule)
This rule looks for a match to the credit card number system pattern and a keyword from the "Credit Card Number Keywords" dictionary.

ABA Routing Numbers (DCM Rule)
This rule looks for a match to the ABA Routing number data identifier and a keyword from the "ABA Routing Number Keywords" dictionary.

See “Exporting policy detection as a template” on page 97.


Employee Data Protection policy templateThis policy detects employee data at risk of exposure.

Username/Password Combinations

This rule looks for usernames and passwords in combination with anythree of the following data fields.

■ SSN

■ Phone

■ Email

■ First Name

■ Last Name

■ Bank Card Number

■ Account Number

■ ABA Routing Number

■ Canadian Social Insurance Number

■ UK National Insurance Number

■ Date of Birth

EDM Rule

Employee Directory

This rule looks for Phone or Email.

EDM Rule

US Social Security Number Patterns

This rule looks for a match to the Social Security number data identifier and a keyword from the "US SSN Keywords" dictionary.

DCM Rule

Credit Card Numbers, All

This rule looks for a match to the credit card number system pattern and a keyword from the "Credit Card Number Keywords" dictionary.

DCM Rule

ABA Routing Numbers

This rule looks for a match to the ABA Routing number data identifier and a keyword from the "ABA Routing Number Keywords" dictionary.

DCM Rule

See “Exporting policy detection as a template” on page 97.

Individual Taxpayer Identification Numbers (ITIN) policy template

An Individual Taxpayer Identification Number (ITIN) is a tax processing number issued by the US Internal Revenue Service (IRS). The IRS issues ITINs to track individuals who are not eligible to obtain Social Security Numbers (SSNs).


ITIN

This rule looks for a match to the US ITIN data identifier and a keyword from the "US ITIN Keywords" dictionary.

DCM Rule

See “Exporting policy detection as a template” on page 97.

SWIFT Codes policy template

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a cooperative organization under Belgian law and is owned by its member financial institutions. The SWIFT code (also known as a Bank Identifier Code, BIC, or ISO 9362) has a standard format to identify a bank, location, and the branch involved. These codes are used when transferring money between banks, particularly across international borders.

SWIFT Code Regular Expression

This rule looks for a match to the SWIFT code regular expression anda keyword from the "SWIFT Code Keywords" dictionary.

DCM Rule

See “Exporting policy detection as a template” on page 97.

UK Drivers License Numbers policy template

The UK Drivers License Numbers policy detects UK Drivers License Numbers using the official specification of the UK Government Standards of the UK Cabinet Office.

UK Drivers License Numbers

This rule is a compound rule with the following conditions:

■ A single keyword from the "UK Keywords" dictionary

■ The pattern matching that of the UK drivers license data identifier

■ Different combinations of the phrase "drivers license" using a data identifier

DCM Rule

See “Exporting policy detection as a template” on page 97.

UK Electoral Roll Numbers policy template

The UK Electoral Roll Numbers policy detects UK Electoral Roll Numbers using the official specification of the UK Government Standards of the UK Cabinet Office.


UK Electoral Roll Numbers

This rule is a compound rule with the following conditions:

■ A single keyword from the "UK Keywords" dictionary

■ A pattern matching the UK Electoral Roll Number data identifier

■ A single keyword from the "UK Electoral Roll Number Words" dictionary

DCM Rule

See “Exporting policy detection as a template” on page 97.

UK National Health Service (NHS) Number policy template

The UK National Health Service (NHS) Number policy detects the personal identification number issued by the U.K. National Health Service (NHS) for administration of medical care.

UK NHS Numbers

This rule looks for a single compound condition with two parts: either new or old style National Health Service numbers and a single keyword from the "UK NHS Keywords" dictionary.

DCM Rule

See “Exporting policy detection as a template” on page 97.

UK National Insurance Numbers policy template

The National Insurance Number is issued to individuals by the UK Department for Work and Pensions and Inland Revenue (DWP/IR) for administering the national insurance system. The UK National Insurance Numbers policy detects these National Insurance Numbers.

UK National Insurance Numbers

This rule looks for a match to the UK National Insurance number data identifier and a keyword from the "UK NIN Keywords" dictionary.

DCM Rule

See “Exporting policy detection as a template” on page 97.
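The three UK templates above (UK NHS Numbers, UK National Insurance Numbers) and the SWIFT Codes template rely on data identifiers or a regular expression for the identifier itself, with a keyword from a dictionary as the second condition. The following added example (not code from this guide or from Symantec) shows what structural validation of those identifiers can enforce: the published modulus-11 check digit of the 10-digit NHS number, the allocation rules for National Insurance number prefixes, and the ISO 9362 layout of a BIC. Whether the product's own data identifiers apply exactly these checks is not stated on the page; the sample values below are constructed.

```python
import re

# Added example: format and check-digit validation for identifiers that the
# UK NHS Numbers, UK National Insurance Numbers and SWIFT Codes templates
# detect. These checks are the published formats, not Symantec's data
# identifiers; all sample values are constructed.

NHS_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")
NIN_RE = re.compile(r"\b([A-Z]{2})[ -]?(\d{2})[ -]?(\d{2})[ -]?(\d{2})[ -]?([A-D])\b")
BIC_RE = re.compile(r"\b([A-Z]{4})([A-Z]{2})([A-Z0-9]{2})([A-Z0-9]{3})?\b")

# Letters that never appear in the first two positions of a National
# Insurance number, and prefixes that are not allocated.
NIN_BAD_LETTERS = set("DFIQUV")
NIN_BAD_PREFIXES = {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}


def nhs_check_digit_ok(digits: str) -> bool:
    """Modulus-11 check of a new-style (10-digit) NHS number: weights 10..2
    over the first nine digits, check = 11 - (sum mod 11); a result of 11
    means 0 and a result of 10 means the number is invalid."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = (11 - total % 11) % 11
    return check != 10 and check == int(digits[9])


def find_nhs_numbers(text: str) -> list:
    """10-digit NHS numbers in text that pass the check digit. Any 10-digit
    run (a phone number, say) matches the pattern and roughly one in eleven
    of those passes the check, which is why the template also requires a
    keyword from the "UK NHS Keywords" dictionary."""
    found = ("".join(m.groups()) for m in NHS_RE.finditer(text))
    return [n for n in found if nhs_check_digit_ok(n)]


def nin_ok(nin: str) -> bool:
    """Structural validation of a National Insurance number: there is no
    check digit, so only the letter rules can be enforced."""
    m = NIN_RE.fullmatch(nin.replace(" ", "").replace("-", ""))
    if not m:
        return False
    prefix = m.group(1)
    if prefix in NIN_BAD_PREFIXES or NIN_BAD_LETTERS & set(prefix):
        return False
    return prefix[1] != "O"


def find_nins(text: str) -> list:
    found = ("".join(m.groups()) for m in NIN_RE.finditer(text))
    return [n for n in found if nin_ok(n)]


def bic_ok(code: str) -> bool:
    """ISO 9362 structure: 4-letter bank code, 2-letter country code,
    2-character location code and an optional 3-character branch code."""
    return BIC_RE.fullmatch(code) is not None


def find_bics(text: str) -> list:
    return [m.group(0) for m in BIC_RE.finditer(text)]


if __name__ == "__main__":
    sample = "NHS No 943 476 5919; NI AB 12 34 56 C; pay via DEUTDEFF500"
    print(find_nhs_numbers(sample), find_nins(sample), find_bics(sample))
```

The BIC pattern on its own also matches any eight-letter word written in capitals, which is the practical reason the SWIFT Codes template pairs the regular expression with the "SWIFT Code Keywords" dictionary; checking the two-letter country code against the ISO 3166 list would tighten it further.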

UK Passport Numbers policy template

The UK Passport Numbers policy detects valid UK passports using the official specification of the UK Government Standards of the UK Cabinet Office.


UK Passport Numbers (Old Type)

This rule looks for a keyword from the "UK Passport Keywords" dictionary and a pattern matching the regular expression for UK Passport Numbers (Old Type).

DCM Rule

UK Passport Numbers (New Type)

This rule looks for a keyword from the "UK Passport Keywords" dictionary and a pattern matching the regular expression for UK Passport Numbers (New Type).

DCM Rule

See “Exporting policy detection as a template” on page 97.

UK Tax ID Numbers policy template

The UK Tax ID Numbers policy detects UK Tax ID Numbers using the official specification of the UK Government Standards of the UK Cabinet Office.

UK Tax ID Numbers

This rule looks for a match to the UK Tax ID number data identifier and a keyword from the "UK Tax ID Number Keywords" dictionary.

DCM Rule

See “Exporting policy detection as a template” on page 97.

US Social Security Numbers policy template

The US Social Security Numbers policy detects patterns indicating social security numbers at risk of exposure.

US Social Security Number Patterns

This rule looks for a match to the social security number regular expression and a keyword from the "US SSN Keywords" dictionary.

DCM Rule

See “Exporting policy detection as a template” on page 97.
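The US Social Security Number Patterns rule above, and the Credit Card Numbers, All and ABA Routing Numbers rules in the Customer Data Protection and Employee Data Protection templates, all follow the same DCM shape: a data identifier must match and a keyword from the named dictionary must also be present, otherwise no incident is raised. The following added example (not code from this guide or from Symantec) implements that gating for the three identifiers. The regular expressions, the SSN area/group/serial exclusions, the Luhn check on card numbers and the ABA checksum are this example's own choices; the keyword lists are constructed stand-ins for the "US SSN Keywords", "Credit Card Number Keywords" and "ABA Routing Number Keywords" dictionaries, whose real contents the page does not list.

```python
import re

# Added example of the "data identifier plus keyword" rule shape. Patterns,
# checksums and keyword lists are this example's own, not the product's.

SSN_RE = re.compile(r"\b(?!000|666|9)(\d{3})[- ]?(?!00)(\d{2})[- ]?(?!0000)(\d{4})\b")
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13 to 16 digits, separators allowed
ABA_RE = re.compile(r"\b\d{9}\b")

# Constructed stand-ins for the named keyword dictionaries.
KEYWORDS = {
    "US SSN Keywords": ["ssn", "social security", "social security number"],
    "Credit Card Number Keywords": ["credit card", "card number", "visa", "mastercard"],
    "ABA Routing Number Keywords": ["aba", "routing number", "routing no"],
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing number checksum: weights 3,7,1 repeated, sum mod 10 == 0."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, (3, 7, 1) * 3)) % 10 == 0


def has_keyword(text: str, words) -> bool:
    """Case-insensitive, whole-word match of any dictionary entry."""
    return any(re.search(r"(?<![A-Za-z0-9])" + re.escape(w) + r"(?![A-Za-z0-9])", text, re.I)
               for w in words)


def find_ssns(text: str) -> list:
    return ["".join(m.groups()) for m in SSN_RE.finditer(text)]


def find_ccns(text: str) -> list:
    digits = (re.sub(r"\D", "", m.group(0)) for m in CCN_RE.finditer(text))
    return [d for d in digits if luhn_ok(d)]


def find_abas(text: str) -> list:
    return [m.group(0) for m in ABA_RE.finditer(text) if aba_ok(m.group(0))]


RULES = [
    ("US Social Security Number Patterns", find_ssns, "US SSN Keywords"),
    ("Credit Card Numbers, All", find_ccns, "Credit Card Number Keywords"),
    ("ABA Routing Numbers", find_abas, "ABA Routing Number Keywords"),
]


def detect(text: str) -> dict:
    """Fire each rule only when both the identifier and a keyword are present;
    returns rule name -> normalized identifier values."""
    incidents = {}
    for name, finder, dictionary in RULES:
        values = finder(text)
        if values and has_keyword(text, KEYWORDS[dictionary]):
            incidents[name] = values
    return incidents


if __name__ == "__main__":
    # Constructed message; the card number is the standard Visa test value.
    print(detect("SSN: 123-45-6789. Credit card 4111 1111 1111 1111 exp 12/25. "
                 "ABA routing number 021000021. Order ref 666-45-6789."))
```

Note what the two conditions buy: a nine-digit string with a valid ABA checksum in a message that never mentions routing is ignored, and a phone number written like an SSN is ignored unless the message talks about social security. The checksums cut the false positives the keyword alone would let through.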

Network Security Enforcement policy templates

Symantec Data Loss Prevention provides several policy templates for Network Security Enforcement.


Table 7-13 Network Security Enforcement policy templates

Common Spyware Upload Sites: This policy detects access to common spyware upload websites. See “Common Spyware Upload Sites policy template” on page 150.

Network Diagrams: This policy detects computer network diagrams. See “Network Diagrams policy template” on page 150.

Network Security: This policy detects evidence of hacking tools and attack planning. See “Network Security policy template” on page 151.

Password Files: This policy detects password file formats. See “Password Files policy template” on page 151.

Common Spyware Upload Sites policy template

The Common Spyware Upload Sites policy detects access to common spyware upload Web sites.

Forbidden Websites 1

This is a compound rule that looks for either specified IP addresses or URLs in the "Forbidden Websites 1" dictionary.

DCM Rule

Forbidden Websites 2

This rule looks for a match of a specified URL in the "Forbidden Websites 2" dictionary.

DCM Rule

See “Exporting policy detection as a template” on page 97.

Network Diagrams policy template

The Network Diagrams policy detects computer network diagrams at risk of exposure.

Network Diagrams, Indexed

This rule looks for content from specific network diagrams that are registered as confidential. This rule returns a match if 80% or more of the source document is detected.

IDM Rule


Network Diagrams with IP Addresses

This rule looks for a Visio file type in combination with an IP address data identifier.

DCM Rule

Network Diagrams with IP Address Keyword

This rule looks for a Visio file type in combination with phrase variations of "IP address" with a data identifier.

DCM Rule

See “Exporting policy detection as a template” on page 97.

Network Security policy template

The Network Security policy detects evidence of hacking tools and attack planning.

GoToMyPC Activity

This rule looks for a GoToMyPC command format with a data identifier.

DCM Rule

Hacker Keywords

This rule looks for a keyword from the "Hacker Keywords" dictionary.

DCM Rule

KeyLoggers Keywords

This rule looks for a keyword from the "Keylogger Keywords" dictionary.

DCM Rule

See “Exporting policy detection as a template” on page 97.

Password Files policy template

The Password Files policy detects password file formats, such as SAM, passwd, and shadow.

Password Filenames

This rule looks for the file names "passwd" or "shadow."

DCM Rule

/etc/passwd Format

This rule looks for a regular expression pattern with the /etc/passwd format.

DCM Rule

/etc/shadow Format

This rule looks for a regular expression pattern with the /etc/shadow format.

DCM Rule


SAM Passwords

This rule looks for a regular expression pattern with the SAM format.

DCM Rule

See “Exporting policy detection as a template” on page 97.
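The Password Files template combines one file-name rule with three content-format rules, so a credential file renamed to something innocuous is still caught by its line format, and an empty file named shadow is still caught by its name. The following added example (not code from this guide or from Symantec) implements the four rules with this example's own regular expressions for /etc/passwd, /etc/shadow and SAM dump lines in the pwdump user:RID:LM-hash:NT-hash::: layout. The sample files are constructed; the two hashes in the SAM sample are the well-known values for an empty LM and NT password.

```python
import os
import re

# Added example of the Password Files template's four rules. The patterns are
# this example's, not the product's; sample files are constructed.

PASSWD_LINE = re.compile(
    r"^[a-z_][a-z0-9_-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M)
# shadow: name, hash ($id$...), locked (! or *) or empty, then the six numeric
# ageing fields and the reserved field.
SHADOW_LINE = re.compile(
    r"^[a-z_][a-z0-9_-]*:(?:[!*]*\$[0-9a-z]+\$[^:\n]*|[!*]+|):\d*:\d*:\d*:\d*:\d*:\d*:[^:\n]*$",
    re.M)
SAM_LINE = re.compile(
    r"^([^:\n]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.M | re.I)
PASSWORD_FILENAMES = {"passwd", "shadow"}
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password


def classify(path: str, content: str) -> set:
    """Names of the Password Files rules that fire for one file."""
    fired = set()
    if os.path.basename(path) in PASSWORD_FILENAMES:
        fired.add("Password Filenames")
    if PASSWD_LINE.search(content):
        fired.add("/etc/passwd Format")
    if SHADOW_LINE.search(content):
        fired.add("/etc/shadow Format")
    if SAM_LINE.search(content):
        fired.add("SAM Passwords")
    return fired


def sam_accounts_with_empty_password(content: str) -> list:
    """Accounts in a SAM dump whose NT hash is the empty-password value."""
    return [m.group(1) for m in SAM_LINE.finditer(content)
            if m.group(4).lower() == EMPTY_NT_HASH]


# Constructed sample files.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/zsh
"""
SHADOW_SAMPLE = """root:$6$rounds=5000$saltsalt$hashhashhash:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:!$y$j9T$salt$hash:19300:0:99999:7:::
"""
SAM_SAMPLE = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    print(classify("/etc/passwd", PASSWD_SAMPLE))
    print(classify("notes.txt", SHADOW_SAMPLE))      # renamed file: format rule still fires
    print(classify("dump.txt", SAM_SAMPLE), sam_accounts_with_empty_password(SAM_SAMPLE))
```

The three line patterns are mutually exclusive by construction: a passwd line requires numeric UID and GID in fields three and four, a shadow line requires a hash or lock marker in field two, and a SAM line requires a numeric RID followed by two 32-hex-digit hashes, so a shadow file does not also raise the passwd rule.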

UK and International Regulatory Enforcement policy templates

Symantec Data Loss Prevention provides several policy templates for UK and International Regulatory Enforcement.

Table 7-14 UK and International Regulatory Enforcement policy templates

Caldicott Report: This policy protects UK patient information. See “Caldicott Report policy template” on page 152.

Data Protection Act 1998 (UK): This policy protects personal identifiable information. See “Data Protection Act 1998 (UK) policy template” on page 154.

Data Protection Directives (EU): This policy detects personal data specific to the EU directives. See “Data Protection Directives (EU) policy template” on page 156.

Human Rights Act 1998: This policy enforces Article 8 of the act for UK citizens. See “Human Rights Act 1998 policy template” on page 157.

PIPEDA: This policy detects Canadian citizen customer data. See “PIPEDA policy template” on page 157.

Caldicott Report policy template

The UK Chief Medical Officer commissioned the Caldicott Report (December 1997) to improve the way the National Health Service handles and protects patient information. The Caldicott Committee reviewed the confidentiality of data throughout the NHS for purposes other than direct care, medical research, or where there is a statutory requirement for information. Its recommendations are now being put into practice throughout the NHS and in the Health Protection Agency.


Patient Data and Drug Keywords

This compound rule looks for any match of the following data in combination with a keyword from the "Prescription Drug Names" dictionary. Both conditions must be satisfied for the rule to trigger an incident.

■ UK NIN (National Insurance Number)

■ Account number

■ Last name

■ ID card number

■ Email

■ Phone

■ UK NHS (National Health Service) number

EDM Rule

Patient Data and Disease Keywords

This compound rule looks for any match of the following data in combination with a keyword from the "Disease Names" dictionary. Both conditions must be satisfied for the rule to trigger an incident.

■ UK NIN (National Insurance Number)

■ Account number

■ Last name

■ ID card number

■ Email

■ Phone

■ UK NHS (National Health Service) number

EDM Rule

Patient Data and Treatment Keywords

This compound rule looks for any match of the following data in combination with a keyword from the "Medical Treatment Keywords" dictionary. Both conditions must be satisfied for the rule to trigger an incident:

■ UK NIN (National Insurance Number)

■ Account number

■ Last name

■ ID card number

■ Email

■ Phone

■ UK NHS (National Health Service) number

EDM Rule


UK NHS Number and Drug Keywords

This rule looks for a keyword from the "UK NIN Keywords" dictionary in combination with a pattern matching the UK NIN data identifier and a keyword from the "Prescription Drug Names" dictionary.

DCM Rule

UK NHS Number and Disease Keywords

This rule looks for a keyword from the "UK NIN Keywords" dictionary in combination with a pattern matching the UK NIN data identifier and a keyword from the "Disease Names" dictionary.

DCM Rule

UK NHS Number and Treatment Keywords

This rule looks for a keyword from the "UK NIN Keywords" dictionary in combination with a pattern matching the UK NIN data identifier and a keyword from the "Medical Treatment Keywords" dictionary.

DCM Rule

See “Exporting policy detection as a template” on page 97.

Data Protection Act 1998 (UK) policy template

The Data Protection Act 1998 (replacement of the Data Protection Act 1984) sets standards which must be satisfied when obtaining, holding, using, or disposing of personal data in the UK. The Data Protection Act 1998 covers anything with personal identifiable information (such as data about personal health, employment, occupational health, finance, suppliers, and contractors).


Table 7-15 UK Data Protection Act, Personal Data detection rule

Description: This EDM rule looks for three of the following columns of data:

■ NIN (National Insurance Number)

■ Account number

■ Pin

■ Bank card number

■ First name

■ Last name

■ Drivers license

■ Password

■ Tax payer ID

■ UK NHS number

■ Date of birth

■ Mother's maiden name

■ Email address

■ Phone number

However, the following combinations are not an incident:

■ First name, last name, pin

■ First name, last name, password

■ First name, last name, email

■ First name, last name, phone

■ First name, last name, mother's maiden name

Table 7-16 Additional detection rules in the Data Protection Act 1998 policy template

The UK Electoral Roll Numbers rule implements the UK Electoral Roll Number data identifier.

The UK National Insurance Numbers rule implements the narrow breadth edition of the UK National Insurance Number data identifier.

The UK Tax ID Numbers rule implements the narrow edition of the UK Tax ID Number data identifier.

The UK Drivers License Numbers rule implements the narrow breadth edition of the UK Driver's License number data identifier.

The UK Passport Numbers rule implements the narrow breadth edition of the UK Passport Number data identifier.

The UK NHS Numbers rule implements the narrow breadth edition of the UK National Health Service (NHS) Number data identifier.


See “Exporting policy detection as a template” on page 97.

Data Protection Directives (EU) policy template

Directive 95/46/EC of the European Parliament and of the Council deals with the protection of individuals with regard to the processing of personal data and the free movement of such data. This policy detects personal data specific to the EU directives.

EU Data Protection Directives

This rule looks for any two of the following data columns:

■ Last Name

■ Bank Card number

■ Drivers license number

■ Account Number

■ PIN

■ Medical account number

■ Medical ID card number

■ User name

■ Password

■ ABA Routing Number

■ Email

■ Phone

■ Mother's maiden name

However, the following combinations do not create a match:

■ Last name, email

■ Last name, phone

■ Last name, account number

■ Last name, username

EDM Rule

EU Data Protection, Contact Info

This rule looks for any two of the following data columns: last name,phone, account number, username, and email.

EDM Rule

Except for email internal to the EU

This rule is an exception if the recipient is within the EU. This covers recipients with any of the country codes from the "EU Country Codes" dictionary.

Exception

See “Exporting policy detection as a template” on page 97.


Human Rights Act 1998 policy template

The Human Rights Act 1998 allows UK citizens to assert their rights under the European Convention on Human Rights in UK courts and tribunals. The Act states that "so far as possible to do so, legislation must be read and given effect in a way which is compatible with convention rights." The Human Rights Act 1998 policy enforces Article 8 by ensuring that the private lives of British citizens stay private.

UK Data Protection Act, Personal Data

This compound rule looks for two data types, last name and electoral roll number, in combination with a keyword from the "UK Personal Data Keywords" dictionary.

EDM Rule

UK Electoral Roll Numbers

This rule looks for a single compound condition with four parts:

■ A single keyword from the "UK Keywords" dictionary

■ A pattern matching that of the UK Electoral Roll Number data identifier

■ A single keyword from the "UK Electoral Roll Number Words" dictionary

■ A single keyword from the "UK Personal Data Keywords" dictionary

DCM Rule

See “Exporting policy detection as a template” on page 97.

PIPEDA policy template

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) protects personal information in the hands of private sector organizations. This act provides guidelines for the collection, use, and disclosure of personal information.

The PIPEDA policy detects customer data that PIPEDA regulations protect.

The PIPEDA detection rule looks for a match of two data items, with certain data combinations excluded from matching.


Table 7-17 PIPEDA detection rule

Detection method type: EDM Rule

Description: The PIPEDA detection rule matches any two of the following data items:

■ Last name

■ Bank card

■ Medical account number

■ Medical record

■ Agency number

■ Account number

■ PIN

■ User name

■ Password

■ SIN

■ ABA routing number

■ Email

■ Phone

■ Mother's maiden name

Excluded combinations: the following combinations do not create a match:

■ Last name, email

■ Last name, phone

■ Last name, account number

■ Last name, user name

The PIPEDA Contact Info detection rule looks for a match of two data items, with certain data combinations excepted from matching.

Table 7-18 PIPEDA Contact Info detection rule

Detection method type: EDM Rule

Description: This rule looks for any two of the following data columns:

■ Last name

■ Phone

■ Account number

■ User name

■ Email


Table 7-19 Canadian Social Insurance Numbers detection rule

Detection method type: DCM Rule

Description: This rule implements the narrow breadth edition of the Canadian Social Insurance Number data identifier.

Table 7-20 ABA Routing Numbers detection rule

Detection method type: DCM Rule

Description: This rule implements the narrow breadth edition of the ABA Routing Number data identifier.

Table 7-21 Credit Card Numbers, All detection rule

Detection method type: DCM Rule

Description: This rule implements the narrow breadth edition of the Credit Card Number data identifier.

See “Exporting policy detection as a template” on page 97.
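The EDM rules in the Customer Data Protection, Employee Data Protection, Data Protection Act 1998 (UK), Data Protection Directives (EU) and PIPEDA templates all share one shape: a match on any N columns of an exact data profile, minus a short list of N-column combinations that are not an incident. The following added example (not code from this guide or from Symantec) evaluates that logic for two of those rules. The profile rows, the column names and the substring matching are this example's constructions; a real Exact Data Profile is an index built from a database and matched token by token. One reading is assumed and stated in the code: the exclusion lists name exactly-N-field combinations, so a message that contains an excluded combination plus a further sensitive field (name, phone, email and an SSN, say) still violates the rule.

```python
from itertools import combinations

# Added example of the "any N columns except the listed combinations" EDM
# logic. Profile rows and column names are constructed for the example.

PROFILE_ROWS = [
    {"first_name": "Alice", "last_name": "Eriksen", "phone": "555-0100",
     "email": "alice@example.com", "ssn": "123-45-6789",
     "bank_card": "4111111111111111", "account_number": "ACCT-77001"},
    {"first_name": "Bob", "last_name": "Sample", "phone": "555-0199",
     "email": "bob@example.com", "ssn": "987-65-4320",
     "bank_card": "5500000000000004", "account_number": "ACCT-77002"},
]

# Customer Data Protection: any three columns, four contact-only combinations excluded.
CUSTOMER_DATA_RULE = {
    "name": "Customer Data Protection",
    "columns": {"ssn", "phone", "email", "first_name", "last_name", "bank_card",
                "account_number", "aba_routing", "canadian_sin", "uk_nin", "date_of_birth"},
    "min_columns": 3,
    "excluded": {frozenset(c) for c in [
        ("phone", "email", "first_name"), ("phone", "email", "last_name"),
        ("email", "first_name", "last_name"), ("phone", "first_name", "last_name")]},
}

# EU Data Protection Directives: any two columns, four last-name pairs excluded.
EU_DIRECTIVES_RULE = {
    "name": "EU Data Protection Directives",
    "columns": {"last_name", "bank_card", "drivers_license", "account_number", "pin",
                "medical_account", "medical_id", "username", "password", "aba_routing",
                "email", "phone", "mothers_maiden_name"},
    "min_columns": 2,
    "excluded": {frozenset(c) for c in [
        ("last_name", "email"), ("last_name", "phone"),
        ("last_name", "account_number"), ("last_name", "username")]},
}


def matched_columns(message: str, row: dict, columns: set) -> set:
    """Columns of one profile row whose value appears in the message.
    Case-insensitive substring matching stands in for EDM token matching."""
    text = message.lower()
    return {col for col in columns & set(row) if row[col].lower() in text}


def violates(rule: dict, matched: set) -> bool:
    """True if some min_columns-sized subset of the matched columns is not on
    the exclusion list (assumed reading: exclusions are exact-size combinations,
    so an extra sensitive column alongside an excluded set still violates)."""
    n = rule["min_columns"]
    if len(matched) < n:
        return False
    return any(frozenset(c) not in rule["excluded"]
               for c in combinations(sorted(matched), n))


def evaluate(rule: dict, message: str, rows=PROFILE_ROWS) -> list:
    """Per violating profile row, the sorted list of matched columns."""
    hits = []
    for row in rows:
        m = matched_columns(message, row, rule["columns"])
        if violates(rule, m):
            hits.append(sorted(m))
    return hits


if __name__ == "__main__":
    print(evaluate(CUSTOMER_DATA_RULE, "Hi Alice Eriksen, call 555-0100 or mail alice@example.com"))
    print(evaluate(CUSTOMER_DATA_RULE, "Alice Eriksen, SSN 123-45-6789"))
    print(evaluate(EU_DIRECTIVES_RULE, "Sample, card 5500000000000004"))
```

The first message above matches four columns of Alice's row, but every three-column subset of name, phone and email is on the exclusion list, so it is not an incident; adding the SSN makes it one.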

US Regulatory Enforcement policy templates

Symantec Data Loss Prevention provides several policy templates supporting US Regulatory Enforcement guidelines.

Table 7-22 US Regulatory Enforcement policy templates

CAN-SPAM Act: Establishes requirements for sending commercial email. See “CAN-SPAM Act policy template” on page 161.

Defense Message System (DMS) GENSER Classification: Detects information classified as confidential. See “Defense Message System (DMS) GENSER Classification policy template” on page 163.


Table 7-22 US Regulatory Enforcement policy templates (continued)

Export Administration Regulations (EAR): Enforces the U.S. Department of Commerce Export Administration Regulations (EAR). See “Export Administration Regulations (EAR) policy template” on page 164.

FACTA 2003 (Red Flag Rules): Enforces sections 114 and 315 (or Red Flag Rules) of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. See “FACTA 2003 (Red Flag Rules) policy template” on page 166.

Gramm-Leach-Bliley: This policy limits sharing of consumer information by financial institutions. See “Gramm-Leach-Bliley policy template” on page 169.

HIPAA and HITECH (including PHI): This policy enforces the US Health Insurance Portability and Accountability Act (HIPAA). See “HIPAA and HITECH (including PHI) policy template” on page 170.

International Traffic in Arms Regulations (ITAR): This policy enforces the US Department of State ITAR provisions. See “International Traffic in Arms Regulations (ITAR) policy template” on page 174.

NASD Rule 2711 and NYSE Rules 351 and 472: This policy protects the name(s) of any companies that are involved in an upcoming stock offering. See “NASD Rule 2711 and NYSE Rules 351 and 472 policy template” on page 175.

NASD Rule 3010 and NYSE Rule 342: This policy monitors broker-dealer communications. See “NASD Rule 3010 and NYSE Rule 342 policy template” on page 177.

NERC Security Guidelines for Electric Utilities: This policy detects the information that is outlined in the North American Electric Reliability Council (NERC) security guidelines for the electricity sector. See “NERC Security Guidelines for Electric Utilities policy template” on page 178.


Table 7-22 US Regulatory Enforcement policy templates (continued)

Office of Foreign Assets Control (OFAC): This template detects communications involving targeted OFAC groups. See “Office of Foreign Assets Control (OFAC) policy template” on page 179.

OMB Memo 06-16 and FIPS 199 Regulations: This template detects information that is classified as confidential. See “OMB Memo 06-16 and FIPS 199 Regulations policy template” on page 181.

Payment Card Industry Data Security Standard: This template detects Visa and MasterCard credit card number data. See “Payment Card Industry (PCI) Data Security Standard policy template” on page 183.

Sarbanes-Oxley: This template detects sensitive financial data. See “Sarbanes-Oxley policy template” on page 184.

SEC Fair Disclosure Regulation: This template detects data disclosure of material financial information. See “SEC Fair Disclosure Regulation policy template” on page 187.

State Data Privacy: This template detects breaches of state-mandated confidentiality. See “State Data Privacy policy template” on page 189.

US Intelligence Control Markings (CAPCO) and DCID 1/7: This template detects authorized terms to identify classified information in the US Federal Intelligence community. See “US Intelligence Control Markings (CAPCO) and DCID 1/7 policy template” on page 193.

CAN-SPAM Act policy template

The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) establishes requirements for those who send commercial email.

The CAN-SPAM Act template detects activity from an organization's bulk mailer to help ensure compliance with the CAN-SPAM Act requirements.


The detection exception Exclude emails that contain the mandated keywords allows messages to pass that have one or more keywords from the user-defined "CAN-SPAM Exception Keywords" dictionary.

Table 7-23 Detection exception: Exclude emails that contain the mandated keywords

Method: Simple exception

Condition: Content Matches Keyword (DCM)

Configuration: Exclude emails that contain the mandated keywords (Keyword Match):

■ Match keyword from "[physical postal address]" or "advertisement".

■ Look in envelope, subject, body, attachments.

■ Case insensitive.

■ Match on whole words only.

Note: After you define the keywords, you can choose to count all matches and require 2 keywords from the list to be matched.

The detection exception CAN-SPAM Compliant Emails excludes from detection any document content that exactly matches (100%) a document in the selected IDM index.

Table 7-24 Detection exception: CAN-SPAM Compliant Emails

Method: Simple exception

Condition: Content Matches Document Profile (IDM)

Configuration: Exception for CAN-SPAM compliant emails (IDM):

■ Exact content match (100%)

■ Look in the message body and attachments.

■ Check for existence.

If neither exception is met, the detection rule Monitor Email From Bulk Mailer looks for a sender's email address that matches one from the user-defined "Bulk Mailer Email Address" list.

Table 7-25 Detection rule: Monitor Email From Bulk Mailer

Method: Simple rule

Condition: Sender/User Matches Pattern (DCM)

Configuration: Monitor Email From Bulk Mailer (Sender):

■ Match sender pattern(s): [[email protected]] (user defined)

■ Severity: High.


See “Exporting policy detection as a template” on page 97.

Defense Message System (DMS) GENSER Classification policy template

The Defense Information Systems Agency has established guidelines for Defense Message System (DMS) General Services (GENSER) message classifications, categories, and markings. These standards specify how to mark classified and sensitive documents according to U.S. standards. These standards also provide interoperability with NATO countries and other U.S. allies.

The GENSER policy template enforces GENSER guidelines by detecting information that is classified as confidential. The template contains four simple (single condition) keyword matching (DCM) detection rules. If any rule condition matches, the policy reports an incident.

The detection rule Top Secret Information (Keyword Match) looks for any keywords in the "Top Secret Information" dictionary.

Table 7-26 Detection rule: Top Secret Information (Keyword Match)

Method: Simple rule

Condition: Content Matches Keyword (DCM)

Configuration: Top Secret Information (Keyword Match):

■ Keyword dictionary: "TOP SECRET//"

■ Severity: High

■ Check for existence.

■ Look in envelope, subject, body, attachments.

■ Case sensitive.

■ Match on whole or partial words.

The detection rule Secret Information (Keyword Match) looks for any keywords in the "Secret Information" dictionary.

Table 7-27 Detection rule: Secret Information (Keyword Match)

Method: Simple rule

Condition: Content Matches Keyword (DCM)

Configuration: Secret Information (Keyword Match):

■ Keyword dictionary: "SECRET//"

■ Severity: High

■ Check for existence

■ Look in envelope, subject, body, attachments

■ Case sensitive

■ Match on whole or partial words.


The detection rule Classified or Restricted Information (Keyword Match) looks for any keywords in the "Classified or Restricted Information" dictionary.

Table 7-28 Detection rule: Classified or Restricted Information (Keyword Match)

Method: Simple rule

Condition: Content Matches Keyword (DCM)

Configuration: Classified or Restricted Information (Keyword Match):

■ Keyword dictionary: "CLASSIFIED//,//RESTRICTED//"

■ Severity: High

■ Check for existence.

■ Look in envelope, subject, body, attachments.

■ Case sensitive.

■ Match on whole or partial words.

The detection rule Other Sensitive Information looks for any keywords in the "Other Sensitive Information" dictionary.

Table 7-29 Other Sensitive Information detection rule

Method: Simple rule

Condition: Content Matches Keyword (DCM)

Configuration: Other Sensitive Information (Keyword Match):

■ Keyword dictionary: FOR OFFICIAL USE ONLY, SENSITIVE BUT UNCLASSIFIED, DOD UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION

■ Severity: High

■ Check for existence.

■ Look in envelope, subject, body, attachments.

■ Case sensitive.

■ Match on whole words only.

See “Exporting policy detection as a template” on page 97.
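The four GENSER rules differ only in their dictionaries and in one setting: the three classification-marking rules match on whole or partial words, the Other Sensitive Information rule on whole words only, and all four are case sensitive. The following added example (not code from this guide or from Symantec) evaluates the four rules with exactly those settings over constructed sample text, and makes two consequences of the partial-word setting visible: "SECRET//" also fires on a "TOP SECRET//" banner, and "CLASSIFIED//" also fires on "UNCLASSIFIED//", so a message marked unclassified raises the Classified or Restricted Information rule. The comma-separated dictionary strings are split the way the tables above present them; the alphanumeric lookarounds used for whole-word matching are this example's choice.

```python
import re

# Added example of the GENSER keyword rules with the page's settings
# (case sensitive; partial words for the marking rules, whole words only for
# Other Sensitive Information). The dictionaries are split on commas.
GENSER_RULES = [
    # (rule name, keyword dictionary, whole words only)
    ("Top Secret Information", "TOP SECRET//", False),
    ("Secret Information", "SECRET//", False),
    ("Classified or Restricted Information", "CLASSIFIED//,//RESTRICTED//", False),
    ("Other Sensitive Information",
     "FOR OFFICIAL USE ONLY,SENSITIVE BUT UNCLASSIFIED,"
     "DOD UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION", True),
]


def parse_dictionary(dictionary: str) -> list:
    return [k.strip() for k in dictionary.split(",") if k.strip()]


def keyword_hits(text: str, dictionary: str, whole_words: bool,
                 case_sensitive: bool = True) -> list:
    """Dictionary entries found in text. Whole-word matching uses alphanumeric
    lookarounds rather than \\b because entries can start or end with '/'."""
    flags = 0 if case_sensitive else re.I
    hits = []
    for kw in parse_dictionary(dictionary):
        pattern = re.escape(kw)
        if whole_words:
            pattern = r"(?<![A-Za-z0-9])" + pattern + r"(?![A-Za-z0-9])"
        if re.search(pattern, text, flags):
            hits.append(kw)
    return hits


def genser_incidents(text: str) -> list:
    """Names of the GENSER rules whose keyword condition matches."""
    return [name for name, dictionary, whole in GENSER_RULES
            if keyword_hits(text, dictionary, whole)]


if __name__ == "__main__":
    # Constructed sample banners.
    for sample in ("TOP SECRET//NOFORN briefing",
                   "UNCLASSIFIED//FOR OFFICIAL USE ONLY",
                   "top secret// planning"):
        print(repr(sample), "->", genser_incidents(sample))
```

If the double fire on unclassified material is unwanted, the practical fix is to switch the Classified or Restricted Information rule to whole-word matching (the lookaround form above would then reject "UNCLASSIFIED//"), accepting that markings run together with other text would be missed.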

Export Administration Regulations (EAR) policy template

The U.S. Department of Commerce enforces the Export Administration Regulations (EAR). These regulations primarily cover technologies and technical information with commercial and military applicability. These technologies are also known as dual use technologies, for example, chemicals, satellites, software, computers, and so on.


This Export Administration Regulations (EAR) template detects violations from regulated countries and controlled technologies.

The detection rule Indexed EAR Commerce Control List Items and Recipients looks for a country code in the recipient from the "EAR Country Codes" dictionary and for a specific "SKU" from an Exact Data Profile index (EDM). Both conditions must match to trigger an incident.

Table 7-30 Detection rule: Indexed EAR Commerce Control List Items and Recipients

Method: Compound rule
Condition 1: Content Matches Exact Data (EDM)
Condition 2: Content Matches Keyword (DCM)

The detection rule EAR Commerce Control List and Recipients looks for a country code in the recipient from the "EAR Country Codes" list and a keyword from the "EAR CCL Keywords" dictionary. Both conditions must match to trigger an incident.

Table 7-31 Detection rule: EAR Commerce Control List and Recipients

Method: Compound rule
Condition 1: Recipient Matches Pattern (DCM)
Configuration: EAR Commerce Control List and Recipients (Recipient):
■ Match: Email address OR URL domain suffixes
■ Severity: High.
■ Check for existence.
■ At least 1 recipient(s) must match.
■ Matches on entire message
Condition 2: Content Matches Keyword (DCM)
Configuration: EAR Commerce Control List and Recipients (Keyword Match):
■ Match: EAR CCL Keywords
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.
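Both EAR rules are compound: an incident needs the recipient condition and the keyword condition to match in the same message. The following Python is an added example, not code from the guide or the product, that evaluates that AND against three constructed messages, one per outcome a reviewer cares about. The country-code domain suffixes (.xx, .yy) and the CCL keywords are placeholders, since neither dictionary's contents appear on the page.

```python
import re

# Stand-ins for the template's "EAR Country Codes" and "EAR CCL Keywords" dictionaries.
# Both lists are constructed for this example; the real contents are not on the page.
COUNTRY_CODE_SUFFIXES = (".xx", ".yy")                                   # hypothetical suffixes
CCL_KEYWORDS = ("export controlled", "eccn", "commerce control list")    # illustrative only


def recipient_domain(recipient):
    """Domain part of an email address, or the host of a URL."""
    if "@" in recipient:
        return recipient.rsplit("@", 1)[1].lower()
    host = recipient.split("://", 1)[-1]      # drop the scheme if present
    return host.split("/", 1)[0].lower()


def recipient_matches_pattern(recipients, suffixes, min_recipients=1):
    """'Recipient Matches Pattern': the email domain OR URL domain suffix is in the list,
    and at least min_recipients recipients must match."""
    matched = [r for r in recipients if recipient_domain(r).endswith(suffixes)]
    return len(matched) >= min_recipients


def keyword_present(text, keywords):
    """Case-insensitive, whole-word keyword check (the keyword condition's options)."""
    pattern = "|".join(r"(?<!\w)" + re.escape(k) + r"(?!\w)" for k in keywords)
    return re.search(pattern, text, re.IGNORECASE) is not None


def ear_ccl_and_recipients(message):
    """Compound rule: the recipient condition AND the keyword condition must both match."""
    content = " ".join([message["envelope"], message["subject"], message["body"]]
                       + message.get("attachments", []))
    recipient_ok = recipient_matches_pattern(message["recipients"], COUNTRY_CODE_SUFFIXES)
    keyword_ok = keyword_present(content, CCL_KEYWORDS)
    return {"recipient": recipient_ok, "keyword": keyword_ok,
            "incident": recipient_ok and keyword_ok}


# Constructed messages covering the three outcomes that matter for a compound rule.
MSG_BOTH = {"recipients": ["buyer@trade.example.xx"], "envelope": "",
            "subject": "Shipment", "body": "These parts are export controlled; ECCN on request."}
MSG_KEYWORD_ONLY = {"recipients": ["colleague@corp.example.com"], "envelope": "",
                    "subject": "Draft", "body": "Flag this as export controlled before release."}
MSG_RECIPIENT_ONLY = {"recipients": ["https://portal.example.yy/upload"], "envelope": "",
                      "subject": "Lunch", "body": "Same place next week?"}

if __name__ == "__main__":
    for label, msg in (("both", MSG_BOTH), ("keyword only", MSG_KEYWORD_ONLY),
                       ("recipient only", MSG_RECIPIENT_ONLY)):
        print(label, ear_ccl_and_recipients(msg))
```

Only the first message raises an incident; the other two each satisfy one condition, which is exactly the noise the compound rule is designed to suppress (internal discussion of controlled items, and ordinary mail to a listed country). Suffix matching is done on the parsed domain so that `example.xxx` does not match `.xx`.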

See “Exporting policy detection as a template” on page 97.


FACTA 2003 (Red Flag Rules) policy template

This policy helps to address sections 114 and 315 (or Red Flag Rules) of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. These rules specify that a financial institution or creditor that offers or maintains covered accounts must develop and implement an identity theft prevention program. FACTA is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.

The Username/Password Combinations detection rule detects the presence of both a user name and password from a profiled database index.

Table 7-32 Username/Password Combinations detection rule

Method: Simple rule
Condition: Content Matches Exact Data (EDM)
Configuration: This condition detects exact data containing both of the following data items:
■ User name
■ Password

The Exact SSN or CCN detection rule detects the presence of either a social security number or a credit card number from a profiled database.

Table 7-33 Exact SSN or CCN detection rule

Method: Simple rule
Condition: Content Matches Exact Data (EDM)
Configuration: This condition detects exact data containing either of the following data columns:
■ Social security number (Taxpayer ID)
■ Bank Card Number

The Customer Directory detection rule detects the presence of either an email address or a phone number from a profiled database.

Table 7-34 Customer Directory detection rule

Method: Simple rule
Condition: Content Matches Exact Data (EDM)
Configuration: This condition detects exact data containing either of the following data columns:
■ Email address
■ Phone number


The Three or More Data Columns detection rule detects exact data containing three or more of the data items from a profiled database index.

Table 7-35 Three or More Data Columns detection rule

Method: Simple rule
Condition: Content Matches Exact Data (EDM)
Configuration: Detects exact data containing three or more of the following data items:
■ ABA Routing Number
■ Account Number
■ Bank Card Number
■ Birth Date
■ Email address
■ First Name
■ Last Name
■ National Insurance Number
■ Password
■ Phone Number
■ Social Insurance Number
■ Social security number (Taxpayer ID)
■ User name
However, the following combinations are not a match:
■ Phone Number, Email, First Name
■ Phone Number, First Name, Last Name

The US Social Security Number Patterns detection rule implements the narrow breadth edition of the US Social Security Number (SSN) system Data Identifier.

This data identifier detects nine-digit numbers with the pattern DDD-DD-DDDD separated with dashes or spaces or without separators. The number must be in valid assigned number ranges. This condition eliminates common test numbers, such as 123456789 or all the same digit. It also requires the presence of a Social Security keyword.


Table 7-36 US Social Security Number Patterns detection rule

Method: Simple rule
Condition: Content Matches Data Identifier (DCM)
Configuration:
■ Data Identifier: US Social Security Number (SSN) narrow breadth
■ Severity: High.
■ Count all matches.
■ Look in envelope, subject, body, attachments.

The Credit Card Numbers, All detection rule implements the narrow breadth edition of the Credit Card Number system Data Identifier.

This data identifier detects valid credit card numbers that are separated by spaces, dashes, periods, or without separators. This condition performs Luhn check validation and includes formats for American Express, Diner's Club, Discover, Japan Credit Bureau (JCB), MasterCard, and Visa. It eliminates common test numbers, including those reserved for testing by credit card issuers. It also requires the presence of a credit card keyword.

Table 7-37 Credit Card Numbers, All detection rule

Method: Simple rule
Condition: Content Matches Data Identifier (DCM)
Configuration:
■ Data Identifier: Credit Card Number narrow breadth
■ Severity: High.
■ Count all matches.
■ Look in envelope, subject, body, attachments.

The ABA Routing Numbers detection rule implements the narrow breadth edition of the ABA Routing Number system Data Identifier.

This data identifier detects nine-digit numbers. It validates the number using the final check digit. This condition eliminates common test numbers, such as 123456789, number ranges that are reserved for future use, and all the same digit. This condition also requires the presence of an ABA keyword.

Table 7-38 ABA Routing Numbers detection rule

Method: Simple rule
Condition: Content Matches Data Identifier (DCM)
Configuration:
■ Data Identifier: ABA Routing Number narrow breadth
■ Severity: High.
■ Count all matches.
■ Look in envelope, subject, body, attachments.
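The three narrow-breadth data identifiers described above (SSN, credit card number, ABA routing number) share one shape: a digit pattern, a validator that rejects structurally impossible or well-known test values, and a keyword requirement that gates the whole match. The following Python is an added example of that shape, not the product's data identifiers or their definitions, which are not on the page. The keyword lists, the simplified issuer prefix table, the ABA prefix ranges and the sample text are assumptions; the SSN structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never assigned), the Luhn check and the ABA check-digit formula are the publicly documented ones.

```python
import re

# Constructed keyword lists standing in for the template's SSN, credit card and ABA
# keyword dictionaries (their real contents are not on the page).
KEYWORDS = {
    "ssn": ("social security", "ssn"),
    "ccn": ("credit card", "card number"),
    "aba": ("aba", "routing number"),
}
# Publicly documented issuer test card numbers; the rule text says such numbers are eliminated.
TEST_CARD_NUMBERS = {"4111111111111111", "5555555555554444", "378282246310005"}
# Simplified issuer prefixes and lengths (assumption; not the data identifier's own tables).
ISSUERS = (
    ("American Express", ("34", "37"), (15,)),
    ("Diners Club", ("300", "301", "302", "303", "304", "305", "36"), (14,)),
    ("Discover", ("6011", "65"), (16,)),
    ("JCB", ("35",), (16,)),
    ("MasterCard", ("51", "52", "53", "54", "55"), (16,)),
    ("Visa", ("4",), (13, 16)),
)
# Commonly published ABA prefix ranges; anything outside them is reserved.
ABA_PREFIXES = {f"{n:02d}" for n in (*range(0, 13), *range(21, 33), *range(61, 73), 80)}

SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
CCN_RE = re.compile(r"(?<!\d)(?:\d[- .]?){12,18}\d(?!\d)")   # 13-19 digits, optional separators
ABA_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")


def all_same_digit(digits):
    return len(set(digits)) == 1


def has_keyword(text, keywords):
    pattern = "|".join(r"(?<!\w)" + re.escape(k) + r"(?!\w)" for k in keywords)
    return re.search(pattern, text, re.IGNORECASE) is not None


def valid_ssn(area, group, serial):
    """SSA never assigns area 000, 666 or 900-999, group 00 or serial 0000; the rule
    additionally drops the common test values 123456789 and all-same-digit."""
    digits = area + group + serial
    if int(area) in (0, 666) or int(area) >= 900 or int(group) == 0 or int(serial) == 0:
        return False
    return digits != "123456789" and not all_same_digit(digits)


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def issuer_of(digits):
    for name, prefixes, lengths in ISSUERS:
        if digits.startswith(prefixes) and len(digits) in lengths:
            return name
    return None


def aba_checksum_ok(digits):
    """ABA check digit: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) must be divisible by 10."""
    d = [int(c) for c in digits]
    return (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])) % 10 == 0


def find_ssns(text):
    return [m.group(0) for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())]


def find_credit_cards(text):
    found = []
    for m in CCN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        issuer = issuer_of(digits)
        if issuer and luhn_ok(digits) and digits not in TEST_CARD_NUMBERS:
            found.append((issuer, digits))
    return found


def find_aba_numbers(text):
    return [m.group(0) for m in ABA_RE.finditer(text)
            if m.group(0) != "123456789" and not all_same_digit(m.group(0))
            and m.group(0)[:2] in ABA_PREFIXES and aba_checksum_ok(m.group(0))]


def scan(text):
    """Narrow-breadth style: a pattern match only counts when its keyword is also present."""
    finders = {"ssn": find_ssns, "ccn": find_credit_cards, "aba": find_aba_numbers}
    return {name: (finder(text) if has_keyword(text, KEYWORDS[name]) else [])
            for name, finder in finders.items()}


# Constructed sample text; the numbers are made up but pass the structural checks.
SAMPLE_TEXT = ("Please update the member record. SSN 321-54-9876, credit card "
               "4532 0151 1283 0366 (Visa), routing number 111000025. "
               "Ignore test SSN 123-45-6789 and test card 4111 1111 1111 1111.")

if __name__ == "__main__":
    print(scan(SAMPLE_TEXT))
```

On the sample text the routing number 111000025 also matches the nine-digit SSN pattern, but its group field is 00, so the SSN validator drops it; the two test values are dropped by the explicit exclusions. Removing the keyword (for example a bare card number in a subject line) yields no match at all, which is what makes the narrow-breadth edition quieter than a plain regular expression.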


See “Exporting policy detection as a template” on page 97.

Gramm-Leach-Bliley policy template

The Gramm-Leach-Bliley (GLB) Act gives consumers the right to limit some sharing of their information by financial institutions.

The Gramm-Leach-Bliley policy template detects transmittal of customer data.

Table 7-39 Gramm-Leach-Bliley detection methods

Detection method: Username/Password Combinations
Type: Simple rule: EDM
Description: This rule looks for user names and passwords in combination.

Detection method: Exact SSN or CCN
Type: Simple rule: EDM
Description: This rule looks for SSN or Credit Card Number.

Detection method: Customer Directory
Type: Simple rule: EDM
Description: This rule looks for Phone or Email.

Detection method: 3 or more critical customer fields
Type: Simple rule: EDM
Description: This rule looks for a match among any three of the following fields:
■ Account number
■ Bank card number
■ Email address
■ First name
■ Last name
■ PIN number
■ Phone number
■ Social security number
■ ABA Routing Number
■ Canadian Social Insurance Number
■ UK National Insurance Number
■ Date of Birth
However, the following combinations are not a match:
■ Phone, email, and first name
■ Phone, email, and last name
■ Email, first name, and last name
■ Phone, first name, and last name


Table 7-39 Gramm-Leach-Bliley detection methods (continued)

Detection method: ABA Routing Numbers
Type: Simple rule: DCM (DI)
Description: This condition detects nine-digit numbers. It validates the number using the final check digit. This condition eliminates common test numbers, such as 123456789, number ranges that are reserved for future use, and all the same digit. This condition also requires the presence of an ABA-related keyword.

Detection method: US Social Security Numbers
Type: Simple rule: DCM (DI)
Description: This rule looks for social security numbers. For this rule to match, there must be a number that fits the US SSN regular expression pattern. There must also be a keyword or phrase that indicates the presence of a US SSN, with a keyword from the "US SSN Keywords" dictionary. The keyword condition is included to reduce false positives with any numbers that may match the SSN format.

Detection method: Credit Card Numbers
Type: Simple rule: DCM (DI)
Description: This condition detects valid credit card numbers that are separated by spaces, dashes, periods, or without separators. This condition performs Luhn check validation and includes the following credit card formats:
■ American Express
■ Diner's Club
■ Discover
■ Japan Credit Bureau (JCB)
■ MasterCard
■ Visa
This rule eliminates common test numbers, including those reserved for testing by credit card issuers, and also requires the presence of a credit card-related keyword.

See “Exporting policy detection as a template” on page 97.

HIPAA and HITECH (including PHI) policy template

The HIPAA and HITECH (including PHI) policy strictly enforces the US Health Insurance Portability and Accountability Act (HIPAA). The Health Information Technology for Economic and Clinical Health Act (HITECH) is the first national law that mandates breach notification for PHI.

This policy template detects data concerning prescription drugs, diseases, and treatments in combination with Protected Health Information (PHI). Organizations that are not subject to HIPAA can also use this policy to control PHI data.

TPOs (Treatment, Payment, or health care Operations) are service providers to health care organizations and have an exception for HIPAA information restrictions. This policy does not trigger an incident if the protected information is sent to one of the allowed partners.

The TPO detection exception (Table 7-40) is evaluated before any detection rules. The template requires that you enter the allowed email addresses.

Table 7-40 TPO detection exception

Method and cardinality: Simple detection exception
Condition type: Content Matches Keyword (DCM)
Configuration: Looks for a recipient email address matching one from the "TPO Email Addresses" keyword dictionary.

The Patient Data detection rule (Table 7-41) looks for a match against any single column from a profiled Patient Data database record.

Table 7-41 Patient Data detection rule

Method and cardinality: Simple detection rule
Condition type: Content Matches Exact Data (EDM)
Configuration: Patient Data (EDM):
■ Last name
■ Tax payer ID (SSN)
■ Email address
■ Account number
■ ID card number
■ Phone number

The Patient Data and Drug Codes detection rule (Table 7-42) requires a Patient Data condition match and a match from the "Drug Code" data identifier.


Table 7-42 Patient Data and Drug Codes detection rule

Method and cardinality: Compound detection rule
Condition 1: Content Matches Exact Data (EDM)
Configuration: Looks for a match against any single column from a profiled Patient Data database record.
Condition 2: Content Matches Data Identifier

The Patient Data and Prescription Drug Names detection rule (Table 7-43) requires a Patient Data condition match in combination with a keyword from the "Prescription Drug Names" keyword dictionary.

Table 7-43 Patient Data and Prescription Drug Names detection rule

Method and cardinality: Compound detection rule
Condition 1: Content Matches Exact Data (EDM)
Configuration: Looks for a match against any single column from a profiled Patient Data database record.
Condition 2: Content Matches Keyword (DCM)

The Patient Data and Treatment Keywords detection rule (Table 7-44) requires a Patient Data condition match in combination with a keyword from the "Medical Treatment Keywords" keyword dictionary.

Table 7-44 Patient Data and Treatment Keywords detection rule

Method and cardinality: Compound detection rule
Condition 1: Content Matches Exact Data (EDM)
Configuration: Looks for a match against any single column from a profiled Patient Data database record.
Condition 2: Content Matches Keyword (DCM)

The Patient Data and Disease Keywords detection rule (Table 7-45) requires a Patient Data condition match in combination with a keyword from the "Disease Names" keyword dictionary.


Table 7-45 Patient Data and Disease Keywords detection rule

Method and cardinality: Compound detection rule
Condition 1: Content Matches Exact Data (EDM)
Configuration: Looks for a match against any single column from a profiled Patient Data database record.
Condition 2: Content Matches Keyword (DCM)

The SSN and Drug Keywords detection rule (Table 7-46) looks for a social security number using the US Social Security Number (SSN) system Data Identifier (narrow breadth) and for a keyword from the "Prescription Drug Names" keyword dictionary.

Table 7-46 SSN and Drug Keywords detection rule

Method and cardinality: Compound detection rule
Condition 1: Content Matches Data Identifier
Configuration: US Social Security Number (SSN) system Data Identifier (narrow breadth)
Condition 2: Content Matches Keyword
Configuration: "Prescription Drug Names" keyword dictionary

The SSN and Treatment Keywords detection rule (Table 7-47) looks for the social security number using the US SSN system Data Identifier (narrow breadth) and for a match from the "Medical Treatment Keywords" keyword dictionary.

Table 7-47 SSN and Treatment Keywords detection rule

Method and cardinality: Compound detection rule
Condition 1: Content Matches Data Identifier
Configuration: US Social Security Number (SSN) system Data Identifier (narrow breadth)
Condition 2: Content Matches Keyword
Configuration: "Medical Treatment Keywords" keyword dictionary

The SSN and Disease Keywords detection rule (Table 7-48) looks for the social security number using the US SSN system Data Identifier (narrow breadth) and for a match from the "Disease Names" keyword dictionary.


Table 7-48 SSN and Disease Keywords detection rule

Method and cardinality: Compound detection rule
Condition 1: Content Matches Data Identifier
Configuration: US Social Security Number (SSN) system Data Identifier (narrow breadth)
Condition 2: Content Matches Keyword
Configuration: "Disease Names" keyword dictionary

The SSN and Drug Code detection rule (Table 7-49) looks for the social security number using the US SSN system Data Identifier (narrow breadth) and for a drug code using the Drug Code system Data Identifier (narrow breadth).

Table 7-49 SSN and Drug Code detection rule

Method and cardinality: Compound detection rule
Condition 1: Content Matches Data Identifier
Configuration: US SSN system Data Identifier (narrow breadth)
Condition 2: Content Matches Keyword
Configuration: Drug Code system Data Identifier (narrow breadth)

See “Exporting policy detection as a template” on page 97.

International Traffic in Arms Regulations (ITAR) policy template

The International Traffic in Arms Regulations (ITAR) are enforced by the US Department of State. Exporters of defense services or related technical data are required to register with the federal government and may need export licenses. This policy detects potential violations based on countries and controlled assets designated by the ITAR.

The Indexed ITAR Munition Items and Recipients detection rule looks for a country code in the recipient from the "ITAR Country Codes" dictionary and for a specific "SKU" from an indexed EDM file.


Table 7-50 Indexed ITAR Munition Items and Recipients detection rule

Method: Compound rule (both conditions must match)
Condition 1: Recipient Matches Pattern (DCM)
Configuration: Match recipient email or URL domain from ITAR Country Codes list:
■ Severity: High.
■ Check for existence.
■ At least 1 recipient(s) must match.
Condition 2: Content Matches Exact Data (EDM)

The ITAR Munitions List and Recipients detection rule looks for both a country code in the recipient from the "ITAR Country Codes" dictionary and a keyword from the "ITAR Munition Names" dictionary.

Table 7-51 ITAR Munitions List and Recipients detection rule

Method: Compound rule (both conditions must match)
Condition 1: Recipient Matches Pattern (DCM)
Configuration: Match recipient email or URL domain from ITAR Country Codes list:
■ Severity: High.
■ Check for existence.
■ At least 1 recipient pattern must match.
Condition 2: Content Matches Keyword (DCM)
Configuration: Match any keyword from the ITAR Munitions List:
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.

See “Exporting policy detection as a template” on page 97.

NASD Rule 2711 and NYSE Rules 351 and 472 policy template

This policy protects the name(s) of any companies involved in an upcoming stock offering, internal project names for the offering, and the stock ticker symbols for the offering companies.


The NASD Rule 2711 Documents, Indexed detection rule looks for content from specific documents registered as sensitive and known to be subject to NASD Rule 2711 or NYSE Rules 351 and 472. This rule returns a match if 80% or more of the source document is found.

Table 7-52 NASD Rule 2711 Documents, Indexed detection rule

Method: Simple rule
Condition: Content Matches Document Signature (IDM)
Configuration: NASD Rule 2711 Documents, Indexed (IDM):
■ Detect documents in selected Indexed Document Profile
■ Require at least 80% content match.
■ Severity: High.
■ Check for existence.
■ Look in body, attachments.
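The "80% content match" threshold is the key tuning knob of the indexed-document rule: it decides whether a quoted excerpt of a registered document counts as a leak. The page does not describe how the Indexed Document Profile computes that percentage, so the following Python is an added illustrative approximation, not the product's IDM algorithm: it fingerprints a document as a set of hashed five-word shingles and reports what fraction of the source document's shingles appear in a message. The shingle size, the hashing and the fictional offering memo are assumptions.

```python
import hashlib
import re

SHINGLE_WORDS = 5   # words per shingle; an assumption for this example


def shingles(text, k=SHINGLE_WORDS):
    """Normalize text and return the set of hashed k-word shingles (a document 'signature').
    Only hashes are kept, so the profile does not itself contain the sensitive text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}


class IndexedDocumentProfile:
    """Toy stand-in for an Indexed Document Profile: stores signatures, never the documents."""

    def __init__(self):
        self.signatures = {}

    def add(self, name, text):
        self.signatures[name] = shingles(text)

    def match(self, message_text, min_percent=80):
        """Percentage of each source document's shingles found in the message; only
        documents at or above min_percent are returned (the 'require at least 80%' option)."""
        seen = shingles(message_text)
        results = {}
        for name, signature in self.signatures.items():
            if not signature:
                continue
            percent = 100.0 * len(signature & seen) / len(signature)
            if percent >= min_percent:
                results[name] = round(percent, 1)
        return results


# Constructed source document (a fictional offering memo) registered as sensitive.
SOURCE_DOC = ("Project Aurora offering memorandum: the issuer plans to list on the exchange "
              "in the second quarter; ticker symbol to be assigned; do not distribute outside "
              "the research department.")

PROFILE = IndexedDocumentProfile()
PROFILE.add("Project Aurora memo", SOURCE_DOC)

if __name__ == "__main__":
    print(PROFILE.match("FYI, see below. " + SOURCE_DOC + " Thanks."))
    print(PROFILE.match(SOURCE_DOC.rsplit(" ", 3)[0]))      # memo minus its last three words
    print(PROFILE.match("Project Aurora offering memorandum: the issuer plans to list"))
```

The percentage is measured against the source document, not the message, so a registered memo pasted into a long email still scores 100%, while a short quotation of its opening sentence falls well below the threshold. Lowering the threshold catches smaller excerpts at the price of matching boilerplate that several legitimate documents share.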

The NASD Rule 2711 and NYSE Rules 351 and 472 detection rule is a compound rule that contains a sender condition and a keyword condition. The sender condition is based on a user-defined list of email addresses of research analysts at the user's company ("Analysts' Email Addresses" dictionary). The keyword condition looks for any upcoming stock offering, internal project names for the offering, and the stock ticker symbols for the offering companies ("NASD 2711 Keywords" dictionary). Like the sender condition, it requires editing by the user.

Table 7-53 NASD Rule 2711 and NYSE Rules 351 and 472 detection rule

Method: Compound rule
Condition 1: Sender/User Matches Pattern (DCM)
Configuration: NASD Rule 2711 and NYSE Rules 351 and 472 (Sender):
■ Match sender pattern(s) [[email protected]] (user defined)
■ Severity: High.
■ Matches on entire message.
Condition 2: Content Matches Keyword (DCM)
Configuration: NASD Rule 2711 and NYSE Rules 351 and 472 (Keyword Match):
■ Match "[company stock symbol]", "[name of offering company]", "[offering name (internal name)]".
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.


See “Exporting policy detection as a template” on page 97.

NASD Rule 3010 and NYSE Rule 342 policy template

NASD Rule 3010 and NYSE Rule 342 require broker-dealers to supervise certain brokerage employees' communications. The NASD Rule 3010 and NYSE Rule 342 policy monitors the communications of registered principals who are subject to these regulations.

The Stock Recommendation detection rule looks for a keyword from the "NASD 3010 Stock Keywords" dictionary and the "NASD 3010 Buy/Sell Keywords" dictionary. In addition, this rule requires evidence of a stock recommendation in combination with a buy or sell action.

Table 7-54 Stock Recommendation detection rule

Method: Compound rule (all three conditions must match)
Condition 1: Content Matches Keyword (DCM)
Configuration: Match keyword: "recommend"
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.
Condition 2: Content Matches Keyword (DCM)
Configuration: Match keyword: "buy" or "sell"
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.
Condition 3: Content Matches Keyword (DCM)
Configuration: Match keyword: "stock, stocks, security, securities, share, shares"
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.

The NASD Rule 3010 and NYSE Rule 342 Keywords detection rule looks for keywords in the "NASD 3010 General Keywords" dictionary, which cover general stock broker activity, in combination with stock keywords.


Table 7-55 NASD Rule 3010 and NYSE Rule 342 Keywords detection rule

Method: Compound rule (both conditions must match)
Condition 1: Content Matches Keyword (DCM)
Configuration: Match keyword: "authorize", "discretion", "guarantee", "options"
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.
Condition 2: Content Matches Keyword (DCM)
Configuration: Match keyword: "stock, stocks, security, securities, share, shares"
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.

See “Exporting policy detection as a template” on page 97.

NERC Security Guidelines for Electric Utilities policy template

The North American Electric Reliability Council (NERC) Guideline for Protecting Potentially Sensitive Information describes how to protect and secure data about critical electricity infrastructure.

This policy detects the information outlined in the NERC security guidelines for the electricity sector.

Table 7-56 Key Response Personnel detection rule

Detection method: Simple rule
Match condition: Content Matches Exact Data (EDM)
Configuration: Match any three of the following data items:
■ First name
■ Last name
■ Phone
■ Email


Table 7-57 Network Infrastructure Maps detection rule

Detection method: Simple rule
Match condition: Content Matches Indexed Documents (IDM)
Configuration: This rule requires an exact binary match.

The Sensitive Keywords and Vulnerability Keywords detection rule looks for any keyword matches from the "Sensitive Keywords" dictionary and the "Vulnerability Keywords" dictionary.

Table 7-58 Sensitive Keywords and Vulnerability Keywords detection rule

Detection method: Compound rule
Match condition 1: Content Matches Keyword (DCM)
Configuration: Match any Sensitive Keyword:
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.
Match condition 2: Content Matches Keyword (DCM)
Configuration: Match any Vulnerability Keyword:
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.

See “Exporting policy detection as a template” on page 97.

Office of Foreign Assets Control (OFAC) policy template

The Office of Foreign Assets Control of the U.S. Department of the Treasury administers and enforces economic and trade sanctions. These sanctions are based on US foreign policy and national security goals against certain countries, individuals, and organizations. The Office of Foreign Assets Control (OFAC) policy detects communications involving these targeted groups.


The OFAC policy has two primary parts. The first deals with the Specially Designated Nationals (SDN) list, and the second deals with general OFAC policy restrictions.

The SDN list refers to specific people or organizations that are subject to trade restrictions. The U.S. Treasury Department provides text files with specific names, last known addresses, and known aliases for these individuals and entities. The Treasury Department stipulates that the addresses may not be correct or current, and different locations do not change the restrictions on people and organizations.

In the OFAC policy template, Symantec Data Loss Prevention has scrubbed the list to make it more usable and practical. This includes extracting keywords and key phrases from the list of names and aliases, since names do not always appear in the same format as the list. Also, common names have been removed to reduce false positives. For example, one organization on the SDN list is known as "SARA." Leaving this on the list would generate a high false positive rate. "SARA Properties" is another entry on the list. It is used as a key phrase in the template because the incidence of this phrase is much lower than "SARA" alone. The list of names and organizations is considered in combination with the commonly found countries in the SDN address list. The top 12 countries on the list are considered, after again removing more commonly occurring countries. The template looks for recipients with any of the listed countries as the designated country code. This SDN list minimizes false positives while still detecting transactions or communications with known restricted parties.

The OFAC policy also provides guidance around the restrictions the U.S. Treasury Department has placed on general trade with specific countries. This is distinct from the SDN list, since individuals and organizations are not specified. The list of general sanctions can be found here: http://www.treasury.gov/offices/enforcement/ofac/programs/index.shtml

The Office of Foreign Assets Control (OFAC) template looks for recipients in the OFAC-listed countries by designated country code.

The OFAC Special Designated Nationals List and Recipients detection rule looks for a recipient with a country code matching entries in the "OFAC SDN Country Codes" specification in combination with a match on a keyword from the "Specially Designated Nationals List" dictionary.


Table 7-59 OFAC Special Designated Nationals List and Recipients detection rule

Method: Compound rule
Condition 1: Recipient Matches Pattern (DCM)
Configuration: OFAC Special Designated Nationals List and Recipients (Recipient):
■ Match email or URL domain by OFAC SDN Country Code.
■ Severity: High.
■ Check for existence.
■ At least 1 recipient(s) must match.
■ Matches on the entire message.
Condition 2: Content Matches Keyword (DCM)
Configuration: Specially Designated Nationals List (Keyword Match):
■ Match keyword from the Specially Designated Nationals List.
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.

The Communications to OFAC countries detection rule looks for a recipient with a country code matching entries from the "OFAC Country Codes" list.

Table 7-60 Communications to OFAC countries detection rule

Method: Simple rule
Condition: Recipient Matches Pattern (DCM)
Configuration: Communications to OFAC countries (Recipient):
■ Match email or URL domain by OFAC Country Code.
■ Severity: High.
■ Check for existence.
■ At least 1 recipient(s) must match.
■ Matches on the entire message.

See “Exporting policy detection as a template” on page 97.

OMB Memo 06-16 and FIPS 199 Regulations policy template

This policy detects information classified as confidential according to the guidelines established in the Federal Information Processing Standards (FIPS) Publication 199 from the National Institute of Standards and Technology (NIST).


NIST is responsible for establishing standards and guidelines for data security under the Federal Information Security Management Act (FISMA).

This template contains three simple detection rules. If any rule reports a match, the policy triggers an incident.

The High Confidentiality Indicators detection rule looks for any keywords in the "High Confidentiality" dictionary.

Table 7-61 High Confidentiality Indicators detection rule

Method: Simple rule
Condition: Content Matches Keyword
Configuration: High Confidentiality Indicators (Keyword Match):
■ Match "(confidentiality, high)", "(confidentiality,high)"
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.

The Moderate Confidentiality Indicators detection rule looks for any keywords in the "Moderate Confidentiality" dictionary.

Table 7-62 Moderate Confidentiality Indicators detection rule

Method: Simple rule
Condition: Content Matches Keyword
Configuration: Moderate Confidentiality Indicators (Keyword Match):
■ Match "(confidentiality, moderate)", "(confidentiality,moderate)"
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.

The Low Confidentiality Indicators detection rule looks for any keywords in the "Low Confidentiality" dictionary.


Table 7-63 Low Confidentiality Indicators detection rule

Configuration: Low Confidentiality Indicators (Keyword Match)
■ Match "(confidentiality, low)", "(confidentiality,low)".
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.
Condition: Content Matches Keyword
Method: Simple rule

See “Exporting policy detection as a template” on page 97.

Payment Card Industry (PCI) Data Security Standard policy template

The Payment Card Industry (PCI) Data Security Standard (PCI DSS) grew out of Visa's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection (SDP) program, both of which enforce the standard to protect cardholders by safeguarding cardholder data; the standard is now maintained by the PCI Security Standards Council. The Payment Card Industry (PCI) Data Security Standards policy detects Visa and MasterCard credit card number data.

The Credit Card Numbers, Exact detection rule detects exact credit card numbers profiled from a database or other data source.

Table 7-64 Credit Card Numbers, Exact detection rule

Configuration: This rule detects credit card numbers.
Condition: Content Matches Exact Data (EDM)
Method: Simple rule

The Credit Card Numbers, All detection rule detects credit card numbers using the Credit Card Number system Data Identifier.


Table 7-65 Credit Card Numbers, All detection rule

Configuration: Credit Card Numbers, All (Data Identifiers)
■ Data Identifier: Credit Card Number (narrow).
■ Severity: High.
■ Count all matches.
■ Look in envelope, subject, body, attachments.
Condition: Content Matches Data Identifier (DCM)
Method: Simple rule

The Magnetic Stripe Data for Credit Cards detection rule detects raw data from the credit card magnetic stripe using the Credit Card Magnetic Stripe system Data Identifier.

Table 7-66 Magnetic Stripe Data for Credit Cards detection rule

Configuration: Magnetic Stripe Data for Credit Cards (Data Identifiers)
■ Data Identifier: Credit Card Magnetic Stripe (medium).
■ Severity: High.
■ Count all matches.
■ Look in envelope, subject, body, attachments.
Condition: Content Matches Data Identifier (DCM)
Method: Simple rule

See “Exporting policy detection as a template” on page 97.
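The three PCI rules above are configured through the product's Data Identifiers, whose patterns and validators are not listed on this page. The Python script below is an added example, not part of this guide and not Symantec Data Loss Prevention code, that approximates what "Credit Card Numbers, All" and "Magnetic Stripe Data for Credit Cards" do under a "count all matches" setting: it finds 13- to 19-digit candidates, applies the Luhn check, keeps only Visa and MasterCard ranges for the narrow breadth (the page says the template detects those two brands), and separately detects ISO/IEC 7813 Track 1 and Track 2 records. The sample message, the rejection of all-same-digit runs and the exact regular expressions are assumptions made for the example.

```python
import re

# Constructed approximation of the "Credit Card Number (narrow)" Data Identifier: the real
# identifier's patterns and validators are not published on this page.
# A candidate PAN is 13-19 digits, optionally separated by single spaces or hyphens.
_PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# ISO/IEC 7813 magnetic stripe formats (assumed forms for this example):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
_TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\?")
_TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation: double every second digit counted from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def issuer(digits: str):
    """Visa and MasterCard ranges only, since that is what the PCI template is documented to detect."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "MasterCard"
    return None


def find_card_numbers(text: str, narrow: bool = True):
    """Return (digits, brand) for every Luhn-valid candidate; narrow breadth also requires a known brand."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if len(set(digits)) == 1:   # 0000... passes Luhn; treated as a placeholder, not a PAN (assumption)
            continue
        if not luhn_ok(digits):
            continue
        brand = issuer(digits)
        if narrow and brand is None:
            continue
        hits.append((digits, brand))
    return hits


def find_track_data(text: str):
    """Return ("track1" | "track2", PAN) for each raw magnetic stripe record found."""
    hits = [("track1", m.group(1)) for m in _TRACK1_RE.finditer(text)]
    hits += [("track2", m.group(1)) for m in _TRACK2_RE.finditer(text)]
    return hits


def evaluate_pci(message: dict):
    """Run both rules over every component (envelope, subject, body, attachments) and count all matches."""
    cards, stripes = [], []
    for component_text in message.values():
        cards += find_card_numbers(component_text)
        stripes += find_track_data(component_text)
    incidents = []
    if cards:
        incidents.append(("Credit Card Numbers, All", "High", len(cards)))
    if stripes:
        incidents.append(("Magnetic Stripe Data for Credit Cards", "High", len(stripes)))
    return incidents


# Constructed sample message; the card numbers are the well-known public test numbers.
SAMPLE_MESSAGE = {
    "envelope": "From: billing@example.test To: ops@example.test",
    "subject": "Q3 chargeback list",
    "body": (
        "Customer card 4111 1111 1111 1111 was charged twice.\n"      # Visa, Luhn-valid: counted
        "Typo on file: 4111 1111 1111 1112 (ignore).\n"              # fails Luhn: dropped
        "Amex 3782 822463 10005 is out of scope for this policy.\n"  # Luhn-valid, not Visa/MC: dropped (narrow)
        "Ticket 0000 0000 0000 0000 opened.\n"                       # placeholder: dropped
    ),
    # Raw Track 2 record; its PAN is also a valid MasterCard number, so both rules fire on it.
    "attachment_dump.txt": ";5500000000000004=25121011234567890?\n",
}

if __name__ == "__main__":
    for rule, severity, count in evaluate_pci(SAMPLE_MESSAGE):
        print(f"{rule}: severity {severity}, {count} match(es)")
```

Running the script reports two incidents: two card numbers (the Visa number in the body and the MasterCard PAN inside the track record) and one magnetic stripe record. The PAN embedded in the track data counts under both rules, which is what a real message carrying raw stripe data would trigger.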

Sarbanes-Oxley policy template

The US Sarbanes-Oxley Act (SOX) imposes requirements on financial accounting, including the preservation of data integrity and the ability to create an audit trail. The Sarbanes-Oxley policy detects sensitive financial data.

The Sarbanes-Oxley Documents, Indexed detection rule looks for content from specific documents registered as being subject to the Sarbanes-Oxley Act. This rule returns a match if 80% or more of the source document is found.

Table 7-67 Sarbanes-Oxley Documents, Indexed detection rule

Condition: Content Matches Indexed Document Profile
Method: Simple rule


The SEC Fair Disclosure Regulation compound detection rule looks for the following conditions; all must be satisfied for the rule to trigger an incident:

■ The SEC Fair Disclosure keywords indicate possible disclosure of advance financial information ("SEC Fair Disclosure Keywords" dictionary).

■ An attachment or file type that is a commonly used document or spreadsheet format. The detected file types are Microsoft Word, Excel Macro, Excel, Works Spreadsheet, SYLK Spreadsheet, Corel Quattro Pro, WordPerfect, Lotus 1-2-3, Applix Spreadsheets, CSV, Multiplan Spreadsheet, and Adobe PDF.

■ The company name keyword list requires editing by the user, which can include any name, alternate name, or abbreviation that might indicate a reference to the company.


Table 7-68 SEC Fair Disclosure Regulation detection rule

Condition 1: Content Matches Keyword
Configuration: SEC Fair Disclosure Regulation (Keyword Match)
■ Match keywords: "earnings per share", "forward guidance".
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.
■ Match on same component. The keyword must be in the attachment or file type detected by that condition.

Condition 2: Message Attachment or File Type Match
Configuration: SEC Fair Disclosure Regulation (Attachment/File Type)
■ File type detected: excel_macro, xls, works_spread, sylk, quattro_pro, mod, csv, applix_spread, 123, doc, wordperfect, and pdf.
■ Severity: High.
■ Match on: Attachments and same component.

Condition 3: Content Matches Keyword
Configuration: SEC Fair Disclosure Regulation (Keyword Match)
■ Match "[company name]".
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.
■ Match on same component. The keyword must be in the attachment or file type detected by that condition.

Method: Compound rule (all three conditions must match)

The Financial Information detection rule looks for a specific file type containing a word from the "Financial Keywords" dictionary and a word from the "Confidential/Proprietary Words" dictionary. The spreadsheet file types detected are Microsoft Excel Macro, Microsoft Excel, Microsoft Works Spreadsheet, SYLK Spreadsheet, Corel Quattro Pro, and more.


Table 7-69 Financial Information detection rule

Condition 1: Message Attachment or File Type Match
Configuration: Financial Information (Attachment/File Type)
■ Match file type: excel_macro, xls, works_spread, sylk, quattro_pro, mod, csv, applix_spread, Lotus 1-2-3.
■ Severity: High.
■ Match on attachments, same component.

Condition 2: Content Matches Keyword
Configuration: Financial Information (Keyword Match)
■ Match "accounts receivable turnover", "adjusted gross margin", "adjusted operating expenses", "adjusted operating margin", "administrative expenses", ....
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.
■ Keyword must be detected in the attachment (same component).

Condition 3: Content Matches Keyword
Configuration: Financial Information (Keyword Match)
■ Match "confidential", "internal use only", "proprietary".
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.
■ Keyword must be detected in the attachment (same component).

Method: Compound rule (all three conditions must match)

See “Exporting policy detection as a template” on page 97.

SEC Fair Disclosure Regulation policy template

The US SEC Selective Disclosure and Insider Trading Rules prohibit public companies from selectively divulging material information to analysts and institutional investors before its general release to the public.

The SEC Fair Disclosure Regulation template detects data indicating disclosure of material financial information.


The SEC Fair Disclosure Regulation Documents, Indexed (IDM) detection rule looks for content from specific documents subject to SEC Fair Disclosure regulation. This rule returns a match if 80% or more of the source document content is found.

Table 7-70 SEC Fair Disclosure Regulation Documents, Indexed (IDM) detection rule

Configuration: SEC Fair Disclosure Regulation Documents, Indexed (IDM)
■ Detect documents from the selected Indexed Document Profile.
■ Match documents with at least 80% content match.
■ Severity: High.
■ Check for existence.
■ Look in body, attachments.
Condition: Content Matches Document Signature (IDM)
Method: Simple rule

The SEC Fair Disclosure Regulation detection rule looks for a keyword match from the "SEC Fair Disclosure Keywords" dictionary, an attachment or file type that is a commonly used document or spreadsheet, and a keyword match from the "Company Name Keywords" dictionary.

All three conditions must be satisfied for the rule to trigger an incident:

■ The SEC Fair Disclosure keywords indicate possible disclosure of advance financial information.

■ The file types detected are Microsoft Word, Excel Macro, Excel, Works Spreadsheet, SYLK Spreadsheet, Corel Quattro Pro, WordPerfect, Lotus 1-2-3, Applix Spreadsheets, CSV, Multiplan Spreadsheet, and Adobe PDF.

■ The company name keyword list requires editing by the user, which can include any name, alternate name, or abbreviation that might indicate a reference to the company.


Table 7-71 SEC Fair Disclosure Regulation detection rule

Condition 1: Content Matches Keyword (DCM)
Configuration: SEC Fair Disclosure Regulation (Keyword Match)
■ Match "earnings per share", "forward guidance".
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case insensitive.
■ Match on whole words only.

Condition 2: Message Attachment or File Type Match (DCM)
Configuration: SEC Fair Disclosure Regulation (Attachment/File Type)
■ Match file type: excel_macro, xls, works_spread, sylk, quattro_pro, mod, csv, applix_spread, 123, doc, wordperfect, pdf.
■ Severity: High.
■ Match on attachments.
■ Require content match to be in the same component (attachment).

Condition 3: Content Matches Keyword (DCM)
Configuration: SEC Fair Disclosure Regulation (Keyword Match)
■ Match "[company name]" (user defined).
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments, same component.
■ Case insensitive.
■ Match on whole words only.

Method: Compound rule (all three conditions must match)

See “Exporting policy detection as a template” on page 97.
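Both the compound SEC Fair Disclosure Regulation rule in the Sarbanes-Oxley template (Table 7-68) and the one in Table 7-71 above depend on the "match on same component" setting: the two keyword conditions only count when they fire inside the attachment that satisfied the file-type condition, so keywords in the message body cannot combine with an unrelated spreadsheet to raise an incident. The Python below is an added example, not code from this guide or from the product; the message objects, the file-type names and the company-name list are constructed for it. The second function drops the same-component requirement so the difference is visible on the same input.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence

# Keyword lists and file-type names as they appear in Tables 7-68 and 7-71.
SEC_FAIR_DISCLOSURE_KEYWORDS = ("earnings per share", "forward guidance")
DISCLOSURE_FILE_TYPES = {
    "excel_macro", "xls", "works_spread", "sylk", "quattro_pro", "mod",
    "csv", "applix_spread", "123", "doc", "wordperfect", "pdf",
}


@dataclass
class Component:
    """One message component: envelope, subject, body, or an attachment with its detected file type."""
    name: str
    text: str
    file_type: Optional[str] = None   # None for envelope, subject and body


def keyword_present(text: str, keywords: Iterable[str]) -> bool:
    """Case-insensitive, whole-word keyword match, as the keyword conditions in both tables specify."""
    return any(
        re.search(r"(?<!\w)" + re.escape(k) + r"(?!\w)", text, re.IGNORECASE) is not None
        for k in keywords
    )


def sec_fair_disclosure(components: Sequence[Component], company_names: Iterable[str]) -> Optional[str]:
    """Compound rule with 'match on same component': returns the name of the first attachment that has
    a listed file type AND an SEC keyword AND a company name, all inside that same attachment."""
    for c in components:
        if c.file_type not in DISCLOSURE_FILE_TYPES:
            continue
        if keyword_present(c.text, SEC_FAIR_DISCLOSURE_KEYWORDS) and keyword_present(c.text, company_names):
            return c.name
    return None


def sec_fair_disclosure_anywhere(components: Sequence[Component], company_names: Iterable[str]) -> bool:
    """The same three conditions WITHOUT the same-component requirement, for comparison only:
    a keyword in the body plus any listed attachment would be enough to fire."""
    has_listed_type = any(c.file_type in DISCLOSURE_FILE_TYPES for c in components)
    all_text = "\n".join(c.text for c in components)
    return has_listed_type and keyword_present(all_text, SEC_FAIR_DISCLOSURE_KEYWORDS) \
        and keyword_present(all_text, company_names)


# The "[company name]" list the template asks the user to fill in (constructed).
COMPANY_NAMES = ("Acme Corp", "Acme Holdings")

# Constructed messages. In the first, everything sits in the PDF; in the second, the keywords are in
# the body and the PDF attachment is an unrelated agenda.
MESSAGE_WITH_DISCLOSURE = [
    Component("body", "Please look at the attached Q3 numbers before the call."),
    Component("q3-results.pdf", "Acme Corp preliminary results\nEarnings per share: 1.23 (unaudited)", "pdf"),
]
MESSAGE_KEYWORDS_IN_BODY = [
    Component("body", "Acme Corp forward guidance will be discussed tomorrow, agenda attached."),
    Component("agenda.pdf", "Agenda: introductions, roadmap, questions", "pdf"),
]

if __name__ == "__main__":
    print("same component:", sec_fair_disclosure(MESSAGE_WITH_DISCLOSURE, COMPANY_NAMES))      # q3-results.pdf
    print("same component:", sec_fair_disclosure(MESSAGE_KEYWORDS_IN_BODY, COMPANY_NAMES))     # None
    print("anywhere:", sec_fair_disclosure_anywhere(MESSAGE_KEYWORDS_IN_BODY, COMPANY_NAMES))  # True
```

The whole-word requirement matters as much as the component requirement: "EPS" in a body never matches "earnings per share", and "Acme Corporation" does not match the entry "Acme Corp", so the company-name list has to carry every variant the template warns about.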

State Data Privacy policy template

Many states in the US have adopted statutes mandating data protection and public disclosure of information security breaches in which confidential data of individuals is compromised. The State Data Privacy policy detects the confidential personal data that these statutes cover.

The Email to Affiliates detection exception is evaluated first and applies to email messages sent to affiliates who are legitimately allowed to receive information covered under the State Data Privacy regulations.


Table 7-72 Email to Affiliates detection exception

Configuration: Email to Affiliates (Recipient)
■ Match email: [affiliate1], [affiliate2]. The "Affiliate Domains" list requires editing by the user.
■ At least 1 recipient(s) must match.
■ Matches on the entire message.
Condition: Recipient Matches Pattern (DCM)
Method: Simple exception

The State Data Privacy, Consumer Data detection rule looks for an exact match on any three data items, except certain combinations.

Table 7-73 State Data Privacy, Consumer Data detection rule

Configuration: This rule looks for a match on any three of the following data items:
■ First name
■ Last name
■ Taxpayer ID
■ Bank card
■ Account
■ PIN
■ State ID
■ Driver's license
■ Password
■ ABA number
■ Date of birth
However, the following combinations do not match:
■ First name, last name, PIN
■ First name, last name, password
Condition: Content Matches Exact Data (EDM)
Method: Simple rule
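The State Data Privacy, Consumer Data rule above is an Exact Data Matching condition: the values must come from the same row of the indexed source, at least three columns of that row must appear in the content, and two specific column combinations are ignored. The Python below is an added example rather than the product's EDM implementation. A two-row constructed profile with fictitious values stands in for the indexed data source, and whole-token matching is a simplification of the product's normalization.

```python
import re
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Tuple

# Column names follow the data items listed in Table 7-73; these two triples never fire on their own.
EXCLUDED_COMBINATIONS = (
    frozenset({"first_name", "last_name", "pin"}),
    frozenset({"first_name", "last_name", "password"}),
)

# Constructed stand-in for the Exact Data profile (all values fictitious; the first SSN is the
# well-known invalid "Woolworth" number).
PROFILE: List[Dict[str, str]] = [
    {
        "first_name": "Dana", "last_name": "Whitfield", "taxpayer_id": "078-05-1120",
        "bank_card": "4111111111111111", "account": "7720931", "pin": "4419",
        "state_id": "S1234567", "drivers_license": "W123456789012", "password": "bluefern",
        "aba_number": "021000021", "date_of_birth": "1984-03-09",
    },
    {
        "first_name": "Priya", "last_name": "Okafor", "taxpayer_id": "078-05-1121",
        "bank_card": "5500000000000004", "account": "5531177", "pin": "9032",
        "state_id": "S7654321", "drivers_license": "O987654321098", "password": "redmaple",
        "aba_number": "011000015", "date_of_birth": "1979-11-30",
    },
]


def _value_in_text(value: str, text_lower: str) -> bool:
    """Whole-token, case-insensitive presence test (a simplification of the product's normalization)."""
    return re.search(r"(?<!\w)" + re.escape(value.lower()) + r"(?!\w)", text_lower) is not None


def edm_match(text: str, profile=PROFILE, min_columns: int = 3,
              excluded=EXCLUDED_COMBINATIONS) -> Optional[Tuple[int, FrozenSet[str]]]:
    """Return (row index, matched columns) for the first profile row with at least min_columns values
    present in text, provided some min_columns-sized subset of them is not an excluded combination.
    Values from different rows never combine."""
    text_lower = text.lower()
    for row_index, row in enumerate(profile):
        matched = frozenset(col for col, val in row.items() if _value_in_text(val, text_lower))
        if len(matched) < min_columns:
            continue
        if any(frozenset(subset) not in excluded
               for subset in combinations(sorted(matched), min_columns)):
            return row_index, matched
    return None


# Constructed content samples and what the rule does with each.
SAMPLES = [
    "Dana Whitfield, PIN 4419",                    # name + PIN only: an excluded combination, no incident
    "Dana Whitfield, account 7720931",             # name + account: incident
    "Dana Whitfield password bluefern pin 4419",   # four columns; {first, password, pin} is not excluded
    "Whitfield 7720931",                           # two columns: below the threshold
    "Dana Okafor 7720931",                         # values from different rows do not combine
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}: {edm_match(sample)}")
```

The third sample shows why the exclusions are expressed as combinations rather than as forbidden columns: once a fourth column from the same row appears, a permitted triple exists and the rule fires even though name plus PIN or name plus password alone would not.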

The US Social Security Number Patterns detection rule implements the US SSN narrow breadth system Data Identifier to detect social security numbers.


Table 7-74 US Social Security Number Patterns detection rule

Configuration: US Social Security Number Patterns
■ Severity: High.
■ Count all matches.
■ Look in envelope, subject, body, attachments.
Condition: Content Matches Data Identifier (DCM)
Method: Simple rule

The ABA Routing Numbers detection rule implements the ABA Routing Number data identifier.

Table 7-75 ABA Routing Numbers detection rule

Configuration: ABA Routing Numbers
■ Severity: High.
■ Count all matches.
■ Look in envelope, subject, body, attachments.
Condition: Content Matches Data Identifier (DCM)
Method: Simple rule

The Credit Card Numbers, All detection rule looks for a word from the "Credit Card Number Keywords" dictionary and the credit card number system pattern.

Table 7-76 Credit Card Numbers, All detection rule

Configuration: Credit Card Numbers, All (Data Identifiers)
■ Data Identifier: Credit Card Number.
■ Severity: High.
■ Count all matches.
■ Look in envelope, subject, body, attachments.
Condition: Content Matches Data Identifier (DCM)
Method: Simple rule

The CA Drivers License Numbers detection rule looks for a match for the CA drivers license number pattern, a match for a data identifier for terms relating to "drivers license," and a keyword from the "California Keywords" dictionary.


Table 7-77 CA Drivers License Numbers detection rule

Condition: Content Matches Data Identifier (DCM)
Method: Simple rule

The NY Drivers License Numbers detection rule looks for a match for the NY drivers license number pattern, a match for a regular expression for terms relating to "drivers license," and a keyword from the "New York Keywords" dictionary.

Table 7-78 NY Drivers License Numbers detection rule

Condition: Content Matches Data Identifier (DCM)
Method: Simple rule

The FL, MI, and MN Drivers License Numbers detection rule looks for a match for the stated drivers license number pattern, a match for a regular expression for terms relating to "drivers license," and a keyword from the "Letter/12 Num. DLN State Words" dictionary (namely, Florida, Minnesota, and Michigan).

Table 7-79 FL, MI, and MN Drivers License Numbers detection rule

Condition: Content Matches Data Identifier (DCM)
Method: Simple rule

The IL Drivers License Numbers detection rule looks for a match for the IL drivers license number pattern, a match for a regular expression for terms relating to "drivers license," and a keyword from the "Illinois Keywords" dictionary.

Table 7-80 IL Drivers License Numbers detection rule

Condition: Content Matches Data Identifier (DCM)
Method: Simple rule


The NJ Drivers License Numbers detection rule looks for a match for the NJ drivers license number pattern, a match for a regular expression for terms relating to "drivers license," and a keyword from the "New Jersey Keywords" dictionary.

Table 7-81 NJ Drivers License Numbers detection rule

Configuration: This condition implements the Driver's License Number - NJ State medium breadth system Data Identifier.
Condition: Content Matches Data Identifier (DCM)
Method: Simple rule

See “Exporting policy detection as a template” on page 97.

US Intelligence Control Markings (CAPCO) and DCID 1/7 policy template

The US Intelligence Control Markings (CAPCO) & DCID 1/7 policy detects the authorized terms that identify classified information in the US Federal Intelligence community, as defined in the Control Markings Register maintained by the Controlled Access Program Coordination Office (CAPCO) of the Community Management Staff (CMS). The register was created in response to Director of Central Intelligence Directive (DCID) 1/7.

The Top Secret Information detection rule looks for a keyword match on the marking "TOP SECRET//".

Table 7-82 Top Secret Information detection rule

Configuration: Match "TOP SECRET//"
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case sensitive.
■ Match on whole or partial words.
Condition: Content Matches Keyword (DCM)
Method: Simple rule

The Secret Information detection rule looks for a keyword match on the marking "SECRET//". Because the match is on partial words, this rule also fires on "TOP SECRET//" markings.

Table 7-83 Secret Information detection rule

Configuration: Match "SECRET//"
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case sensitive.
■ Match on whole or partial words.
Condition: Content Matches Keyword (DCM)
Method: Simple rule

The Classified or Restricted Information detection rule looks for a keyword match on the markings "CLASSIFIED//" or "//RESTRICTED//".

Table 7-84 Classified or Restricted Information (Keyword Match) detection rule

Configuration: Match "CLASSIFIED//", "//RESTRICTED//"
■ Severity: High.
■ Check for existence.
■ Look in envelope, subject, body, attachments.
■ Case sensitive.
■ Match on whole or partial words.
Condition: Content Matches Keyword (DCM)
Method: Simple rule

See “Exporting policy detection as a template” on page 97.


Chapter 8: Upgrading Data Classification Services

This chapter includes the following topics:

■ Upgrading Symantec Data Loss Prevention for Data Classification Services

■ Downloading and extracting the upgrade software

■ Launching the Upgrade Wizard on the Enforce Server

■ Performing an upgrade with the Upgrade Wizard

Upgrading Symantec Data Loss Prevention for DataClassification Services

The following table describes the high-level steps that are involved in upgrading Symantec Data Loss Prevention. Each step is described in more detail elsewhere in this chapter, as indicated.

Table 8-1 Upgrading Symantec Data Loss Prevention

Step 1: Back up your Oracle 11g database. See the Symantec Data Loss Prevention Oracle 11g Installation and Upgrade Guide for more information.

Step 2: Download and extract the upgrade software. See “Downloading and extracting the upgrade software” on page 196.

Step 4: Launch the Upgrade Wizard on the Enforce Server. See “Launching the Upgrade Wizard on the Enforce Server” on page 196.

Step 5: Complete the Upgrade Wizard steps. See “Performing an upgrade with the Upgrade Wizard” on page 198.

Downloading and extracting the upgrade software

To download the upgrade software

1 Download the ZIP file named Symantec_DLP_<version>_Upgrader_Win-IN.zip, where <version> is the appropriate version of Data Loss Prevention available at the FileConnect site.

See “About downloading Data Classification Services components” on page 25.

2 Copy the ZIP file onto the computer from which you intend to perform the upgrade. That computer must have a reliable network connection to the Enforce Server.

The files within this ZIP file must be extracted into a directory on a system that is accessible to you. The root directory into which the ZIP files are extracted is referred to as the DLPDownloadHome directory.

License files have names in the format name.slf.

To extract the ZIP file

1 If you have not already downloaded the Symantec_DLP_<version>_Upgrader_Win-IN.zip file from the Symantec FileConnect site, download it now.

2 Extract the contents of the ZIP file you downloaded. Among other items, the ZIP file contains an upgrade JAR (Java archive) file, which is required later when you run the Upgrade Wizard.

3 Make note of the directory where the upgrade JAR file is located for later use.

Launching the Upgrade Wizard on the Enforce Server

Before launching the Upgrade Wizard, review the following prerequisites and restrictions:


■ Make sure that the JAR file you extracted earlier when you performed the upgrade prerequisite steps is available. See “Downloading and extracting the upgrade software” on page 196.

■ If your installation uses FIPS encryption, your browser will not be able to redirect from the Enforce Server administration console to the Upgrade Wizard user interface. In this case, you must manually browse to https://Enforce_server:8300. (If you have changed the Upgrade Wizard port number, use that port number in the URL.)

To launch the Upgrade Wizard on the Enforce Server

1 Ensure that all Classification Servers are running and are connected to the Enforce Server.

2 On the Enforce Server host computer, open the following files in a text editor:

\SymantecDLP\Protect\tomcat\webapps\ProtectManager\WEB-INF\struts-config.xml

\SymantecDLP\Protect\tomcat\webapps\ProtectManager\WEB-INF\struts-config-admin.xml

\SymantecDLP\Protect\tomcat\webapps\ProtectManager\WEB-INF\struts-config-async.xml

3 Locate the following line in each file:

<controller nocache="true" maxFileSize="500m"/>

4 In each file, change the value of the maxFileSize attribute to 1000m. For example:

<controller nocache="true" maxFileSize="1000m"/>

5 Save the files and exit the text editor.

6 Restart the Vontu Manager service on the Enforce Server host.

7 Log on to your Enforce Server administration console.

8 Go to System > Servers > Overview.

9 Click Upgrade.

The Upgrade System pop-up window appears.


10 From the directory in which you extracted the upgrade JAR file, select the file and click Open.

The name of the file is <version>_Upgrader_Windows.jar where <version> is the applicable version number.

11 Click Launch Upgrade.

It may take several minutes for the Symantec Data Loss Prevention Upgrader Login panel to appear.

If the Enforce Server returns an error or times out, you must correct the problem before continuing.

If no error occurs, the Symantec Data Loss Prevention Upgrader Login panel appears and you are ready to continue the upgrade. See “Performing an upgrade with the Upgrade Wizard” on page 198.

See the Symantec Data Loss Prevention Upgrade Guide for more information on troubleshooting errors.
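Steps 2 through 6 of the procedure above edit the same attribute in three Struts configuration files and restart a service by hand. The Python below is an added example, not a Symantec tool, that makes the edit repeatable and refuses to run on a file that does not look the way the guide describes: it requires exactly one <controller> element whose maxFileSize is the expected 500m, validates all three files before writing any of them, keeps a .pre-upgrade copy of each, and then restarts the service. The C: drive letter, the .pre-upgrade backup suffix and the Windows service name VontuManager are assumptions made for the example.

```python
import re
import shutil
import subprocess
from pathlib import Path

# Files named in step 2. The guide shows them under \SymantecDLP; the C: drive is an assumption.
WEB_INF = Path(r"C:\SymantecDLP\Protect\tomcat\webapps\ProtectManager\WEB-INF")
STRUTS_CONFIGS = [WEB_INF / n for n in ("struts-config.xml", "struts-config-admin.xml", "struts-config-async.xml")]

# Matches the maxFileSize attribute of the <controller> element shown in step 3.
_CONTROLLER_RE = re.compile(r'(<controller\b[^>]*\bmaxFileSize=")([^"]*)(")')


def set_max_file_size(xml_text: str, new_value: str = "1000m", expected_old: str = "500m"):
    """Return (updated_text, old_value). Refuses to touch a file that does not look like the guide
    describes: no <controller maxFileSize> element, more than one, or a value other than expected_old."""
    matches = _CONTROLLER_RE.findall(xml_text)
    if len(matches) != 1:
        raise ValueError(f"expected exactly one <controller ... maxFileSize> element, found {len(matches)}")
    old_value = matches[0][1]
    if expected_old is not None and old_value != expected_old:
        raise ValueError(f"maxFileSize is {old_value!r}, not {expected_old!r}; inspect the file before editing")
    updated = _CONTROLLER_RE.sub(lambda m: m.group(1) + new_value + m.group(3), xml_text, count=1)
    return updated, old_value


def patch_struts_configs(paths=STRUTS_CONFIGS, new_value: str = "1000m"):
    """Steps 4-5: keep a .pre-upgrade copy beside each file, then rewrite it. Returns {path: old value}.
    Every file is validated before any file is written, so a bad file does not leave a half-done edit."""
    planned = {}
    for path in paths:
        planned[path] = set_max_file_size(path.read_text(encoding="utf-8"), new_value)
    for path, (updated, _old) in planned.items():
        shutil.copy2(path, path.with_name(path.name + ".pre-upgrade"))   # backup suffix is an assumption
        path.write_text(updated, encoding="utf-8")
    return {str(p): old for p, (_updated, old) in planned.items()}


def restart_vontu_manager(service_name: str = "VontuManager"):
    """Step 6. The Windows service name 'VontuManager' (display name 'Vontu Manager') is an assumption."""
    subprocess.run(["net", "stop", service_name], check=True)
    subprocess.run(["net", "start", service_name], check=True)


if __name__ == "__main__":
    for file_path, old in patch_struts_configs().items():
        print(f"{file_path}: maxFileSize {old} -> 1000m")
    restart_vontu_manager()
```

The larger limit exists so that the Upgrade pop-up in step 10 can accept the upgrade JAR; the .pre-upgrade copies let you restore the original 500m upload limit on the administration console once the upgrade is complete.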

Performing an upgrade with the Upgrade Wizard

Should you encounter an error at any point during the upgrade, examine the log files.

To resolve errors

1 On the page where you encountered the error, click the Log Files link.

2 Try to resolve the error, and then launch the Upgrade Wizard again.

These procedures assume that you have already launched the Upgrade Wizard.

See “Launching the Upgrade Wizard on the Enforce Server” on page 196.

To upgrade the Enforce Server

1 On the Symantec Data Loss Prevention Upgrader Login panel, enter the Administrator user name and password, and then click logon.

The License Agreement panel appears.

2 Click Accept.

The System Check panel appears. When you click Next, the Upgrade Wizard verifies that you have the minimum software version level required to upgrade to the current release version.

3 Click Next.

One of the following two outcomes results:


■ If the check was successful, the System Check Succeeded panel appears.

■ If at any point you see a message box stating that the upgrade has failed, click Cancel. Fix the reported problem that is shown in the panel. After fixing the problem, log onto Enforce, and launch the upgrade again.

4 From the System Check Succeeded panel, click Next.

The Welcome to Symantec Data Loss Prevention Upgrader panel appears.

A prompt warns you that any language packs you have installed from a previous version of Symantec Data Loss Prevention will be deleted. You must install new language packs for the current version of Symantec Data Loss Prevention later in the upgrade process.

5 Click Next.

The Pre-check panel appears and the Upgrade Wizard begins performing pre-upgrade tasks. The tasks include extracting necessary upgrade files and stopping Symantec Data Loss Prevention services.

6 Click Next after the pre-check tasks complete.

7 From the Upgrade Enforce Server panel, click Next.

The wizard creates a backup ZIP file, called VontuEnforceBackup.zip, that contains the existing Enforce Server installation files. It puts the file in a new updates directory (c:\DLP_home\Protect\updates\) and then installs the new files.

This step also upgrades the Symantec Data Loss Prevention schema on the Oracle database.

When the process has finished successfully, the following message appears:

Done upgrading Enforce software.

If an error occurs, a message to that effect appears. Consult the logs for information, correct the problem, and launch the upgrade again.

Note: If you launch the Upgrade Wizard again to upgrade the remaining Classification Servers, the utility does not repeat the Enforce Server upgrade.

8 Click Next after the Enforce upgrade completes.

The Upgrade Detection Servers panel appears.

9 If your Symantec Data Loss Prevention deployment uses FIPS encryption, perform the following steps on each detection server:

■ Stop the Vontu Monitor and Vontu Update services.

■ Delete the following file: DLP_home\jre\lib\ext\cryptojFIPS.jar

■ Copy the DLP_home\jre\lib\ext\jsafeJCEFIPS.jar file from the Enforce Server host to the DLP_home\jre\lib\ext\ directory on each detection server.

■ Restart the Vontu Monitor and Vontu Update services.

Note: If you choose to upgrade any detection servers locally, no special steps are required for deployments that use FIPS encryption.

10 Select the Classification Server(s) you want to upgrade, then click Upgrade.

The wizard creates a backup ZIP file, called VontuDetectionBackup.zip, that contains the existing Classification Server installation files. It puts the ZIP file in a new updates directory (\DLP_home\Protect\updates\) and then installs the new files.

After the wizard upgrades the Classification Servers you selected, green check marks appear next to those servers in the Upgrade Status column of the panel. Enforce and the Classification Servers are operational.

Note: When you run the Upgrade Wizard again, it does not upgrade the Enforce Server again.

You must upgrade the Enforce Server before trying to upgrade your Classification Servers. Otherwise, you receive an error message in the system events report and the upgrade does not proceed.

Any Classification Servers that you do not upgrade to the same version as the newly upgraded Enforce Server will be incompatible with it.

11 Click Next.

12 Click Finish.

The Symantec Data Loss Prevention Login panel for the Enforce Server appears.

13 If your Symantec Data Loss Prevention deployment uses the Veritas Cluster Server (VCS) high-availability solution, run the following script on each Enforce Server node:

vcs_upgrade.bat <DLP_home> <system user name>

Where <DLP_home> is the directory where Symantec Data Loss Prevention is installed on the Enforce Server node and <system user name> is the DLP system user.


14 Log on to the Enforce Server.

The Enforce Server administration console appears.

15 To verify that all of your Symantec Data Loss Prevention products are licensed for the current release, navigate to System > Settings > General.

If necessary, you can enter additional license files by clicking Configure on this page.

For more information, see the Symantec Data Loss Prevention Administration Guide.

To verify the upgrade, check that your server version numbers are correct. Go to System > Servers > Overview and click Enforce Server or a Classification Server.

Note: The new version numbers for the upgraded Classification Servers do not appear in the Enforce Server administration console until the Vontu Monitor Controller service has been restarted, and that service does not start until the upgrade is complete. Until then, you cannot check the versions of the upgraded Classification Servers in the console.

Alternatively, on the Enforce Server, go to \DLP_home\Protect and check Manager.ver. To check a Classification Server, go to the same directory on that server and check Monitor.ver.
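Steps 9 and 10 above leave two things to verify by hand: that every Classification Server now reports the same version as the Enforce Server (a server left on the old version is incompatible with the upgraded Enforce Server, per the note in step 10) and, for FIPS deployments, that cryptojFIPS.jar is gone and the copied jsafeJCEFIPS.jar is byte-identical to the Enforce Server's copy. The Python below is an added example, not part of this guide or of the product: it reads Manager.ver and Monitor.ver over administrative shares and compares the FIPS JAR by SHA-256. The host names, the C$ share, the DLP_home location and the assumption that the .ver files hold a single version string are all constructed for the example; check_servers is kept separate from file access so the comparison can be exercised without live hosts.

```python
import hashlib
from pathlib import Path
from typing import Dict, List, Optional

# Constructed inventory; host names, the C$ administrative share and DLP_home are assumptions.
ENFORCE_HOST = "enforce01"
CLASSIFICATION_HOSTS = ["class01", "class02"]
DLP_HOME_ON_SHARE = r"C$\SymantecDLP"
USES_FIPS = True


def unc(host: str, *parts: str) -> str:
    r"""Build \\host\C$\SymantecDLP\... for a remote read over the administrative share."""
    return "\\".join([f"\\\\{host}", DLP_HOME_ON_SHARE, *parts])


def read_version(path: str) -> str:
    """Manager.ver / Monitor.ver are assumed to hold one version string."""
    return Path(path).read_text(encoding="utf-8").strip()


def sha256_of(path: str) -> str:
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def check_servers(enforce_version: str, server_versions: Dict[str, str],
                  fips_files: Optional[Dict[str, dict]] = None,
                  reference_jar_hash: Optional[str] = None) -> List[str]:
    """Pure comparison, testable without hosts. fips_files maps host -> {"cryptojFIPS.jar": bool present,
    "jsafeJCEFIPS.jar": sha256 of the copied file, or None if it is absent}."""
    findings = []
    for host, version in server_versions.items():
        if version != enforce_version:
            findings.append(f"{host}: Monitor.ver is {version}, Enforce Server is {enforce_version}; "
                            "this server is incompatible until it is upgraded")
    for host, files in (fips_files or {}).items():
        if files.get("cryptojFIPS.jar"):
            findings.append(f"{host}: cryptojFIPS.jar is still present in jre\\lib\\ext")
        if files.get("jsafeJCEFIPS.jar") != reference_jar_hash:
            findings.append(f"{host}: jsafeJCEFIPS.jar is missing or differs from the Enforce Server copy")
    return findings


def gather_and_check() -> List[str]:
    """Collect the inputs from the live servers, then run the comparison."""
    enforce_version = read_version(unc(ENFORCE_HOST, "Protect", "Manager.ver"))
    server_versions = {h: read_version(unc(h, "Protect", "Monitor.ver")) for h in CLASSIFICATION_HOSTS}
    fips_files, reference_hash = None, None
    if USES_FIPS:
        reference_hash = sha256_of(unc(ENFORCE_HOST, "jre", "lib", "ext", "jsafeJCEFIPS.jar"))
        fips_files = {}
        for h in CLASSIFICATION_HOSTS:
            cryptoj = Path(unc(h, "jre", "lib", "ext", "cryptojFIPS.jar"))
            jsafe = Path(unc(h, "jre", "lib", "ext", "jsafeJCEFIPS.jar"))
            fips_files[h] = {
                "cryptojFIPS.jar": cryptoj.exists(),
                "jsafeJCEFIPS.jar": sha256_of(str(jsafe)) if jsafe.exists() else None,
            }
    return check_servers(enforce_version, server_versions, fips_files, reference_hash)


if __name__ == "__main__":
    problems = gather_and_check()
    print("\n".join(problems) if problems else "all Classification Servers match the Enforce Server")
```

Run it from the Enforce Server after step 12, with an account that can read the administrative shares; an empty result means every Classification Server reports the upgraded version and, for FIPS deployments, carries the same jsafeJCEFIPS.jar as the Enforce Server.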



Appendix A: Migrating from Automatic Classification Engine to Data Classification Services

This appendix includes the following topics:

■ About migrating to Data Classification Services

About migrating to Data Classification Services

The capabilities that Data Classification Services provides supersede those that Automatic Classification Engine (ACE) provided in earlier versions of Enterprise Vault. You cannot configure Enterprise Vault to work simultaneously with both ACE and Data Classification Services. If you previously used ACE, you can migrate to Data Classification Services by following these steps.

To migrate to Data Classification Services

1 On each Enterprise Vault server, do the following:

■ Install Enterprise Vault 10.0 or later, if you have not already done so.

■ Delete the registry entries that you added for Enterprise Vault ACE. The ACE Implementation Guide provides details of these entries.

■ Verify that journal archiving and mailbox archiving are running successfully.

■ Add the registry entries for Data Classification Services. See “Configuring the Data Classification Filter” on page 89.


Note: If you have enabled multiple filters on the Enterprise Vault server, their numeric values in the registry determine the order in which Enterprise Vault processes them. Take care to assign an appropriate value to the registry entry for the Data Classification Filter. If possible, use the same number that you previously assigned to the ACE Smart Tagging agent.

2 Install and configure Data Classification Services, as described earlier in this guide.

3 On the Enforce Server computer, create some classification policies that are broadly equivalent to the ACE policies that you previously used.

The Data Classification Services policies differ from the ACE policies, so you may be unable to create new policies that exactly match the old ones. However, you may find it helpful to match the ACE policy names, rules, and response tags as much as possible. Note that the names of ACE policies can contain up to 65 characters, but those of Data Classification Services policies can contain up to 60 characters.

4 Run the classification policies in test mode and verify that they achieve the expected results.

See “Enabling classification test mode” on page 110.

5 When you are confident that the classification policies work as intended, disable test mode.

Data Classification Services starts to actively classify or delete messages, as defined in the policies.

6 Conduct searches of the Enterprise Vault archives and verify that the results include some items that both ACE and Enterprise Vault have classified.

7 Decommission the ACE server.


Index

A
additional documents 22
Additional Locale panel 55
Administrator Credentials panel 59
AL32UTF8 character set 54
antivirus software
  scan exclusions, DLP 78
  scan exclusions, Oracle 78

B
browser certificates 74
  creating 74
browser requirements 51

C
certificates
  browser 74
  browser, creating 74
  self-signed, creating 75
  SSL/TLS 73
classification events 110
classification policies
  about 95
Classification Server
  configuring 71
  configuring retention categories for 106
  minimum requirements 49
  solution pack 61
Classifying Enterprise Vault content
  Enabling test mode when 110
Custom filtering
  configuring 89
  events 89
  registry settings 89

D
Data Classification Services
  components 25
Data Loss Prevention
  download directory 27
  downloading and extracting files 28
database 37
  See also protect database
  creating 37
  verifying 44
database templates 35
Database Utilities
  three-tier requirement for 32
DBPasswordChanger utility 32
DBSNMP account 40
  locking 46
default port 41
detection server installation 66
  permissions 66
  preparations 66
  ProtectInstaller64_11.6.exe 67
  ProtectInstaller_11.6.exe 67
  registering 70
  Select Components panel 67
  Select Destination Directory panel 68
  System Account panel 68
  Transport Configuration panel 68
  verifying 69
DLPDownloadHome directory 196
downloading
  components 27
  DCS components 25

E
editions 35
Enforce Server
  accessing oracle from 32
  minimum requirements 49
Enforce Server installation
  System Account panel 60
Enforce server installation 51
  Additional Locale panel 55
  Administrator Credentials panel 59
  Initialize DLP Database panel 55
  Initialize Enforce Data 55
  installation steps 52
  Oracle Database User Configuration panel 54
  Oracle Listener Port 54
  Select Components panel 52
  System Account panel 54
  verifying 60
Enterprise Vault
  installation 28
Enterprise Vault Data Classification Services
  about 11

F
fileconnect.symantec.com 35
FIPS encryption 51
Firefox 51
firewall configuration 79

G
Global Database Name 39

I
Initialize DLP Database panel 55
Initialize Enforce Data 55
installation 21
  See also detection server installation
  See also Enforce server installation
  See also single-tier installation
  See also three-tier installation
  See also two-tier installation
  logs 61
Internet Explorer 51

K
keystore 77
keytool command 75
  options 75

L
Linux 31
  See also Oracle 11g for Linux
logs 61

M
Microsoft Internet Explorer 51
Microsoft Windows
  stopping services in 36
  user account requirements for 32, 36
Mozilla Firefox 51

O
Oracle 10g for Windows
  configuring TNS listener with 43
Oracle 11g. See Oracle 11g for Linux. See Oracle 11g for Windows
Oracle 11g for Linux
  installing 31
Oracle 11g for Windows
  changing password of 32
  database template required for 35
  downloading 35
  editions of 35
  installing 31, 34–35
  thin driver requirement for 36
  verifying database with 44
Oracle Client 36
  three-tier requirement for 32
Oracle database
  AL32UTF8 character set 54
  OracleOraDb10g_home1TNSListener service 60
  OracleServicePROTECT service 60
  required character set 54
Oracle database requirements 32
Oracle Database User Configuration panel 54
Oracle Listener Port 54
oracle_create_user.sql script 45
OracleOraDb10g_home1TNSListener service 60
OracleServicePROTECT service 60

P
passwords
  requirements for 39
policies
  add 101
  configuration 102
policy detection template, configuration
  Yahoo Message Board 127
policy detection templates, configuration
  Caldicott Report 152
  CAN-SPAM Act 161
  Canadian Social Insurance Numbers 143
  Common Spyware Upload Sites 150
  Competitor Communications 122
  Credit Card Numbers 143
  Customer Data Protection 144
  Defense Message System (DMS) GENSER Classification 163
  Design Documents 134
  Employee Data Protection 146
  Encrypted Data 134
  EU Data Protection Directives 156
  Export Administration Regulations (EAR) 164
  FACTA 2003 (Red Flag Rules) 166
  Financial Information 135
  Forbidden Websites 122
  Gambling 123
  Gramm-Leach-Bliley 169
  HIPAA and HITECH (including PHI) 170
  Human Rights Act 1998 157
  Illegal Drugs 123
  Individual Taxpayer Identification Numbers (ITIN) 146
  International Traffic in Arms Regulations (ITAR) 174
  Media Files 124
  Merger and Acquisition Agreements 136
  NASD Rule 2711 and NYSE Rules 351 and 472 175
  NASD Rule 3010 and NYSE Rule 342 177
  NERC Security Guidelines for Electric Utilities 178
  Network Diagrams 150
  Network Security 151
  Offensive Language 124
  Office of Foreign Assets Control (OFAC) 179
  OMB Memo 06-16 and FIPS 199 Regulations 181
  Password Files 151
  Payment Card Industry (PCI) Data Security Standards 183
  PIPEDA 157
  Price Information 137
  Project Data 138
  Proprietary Media Files 138
  Publishing Documents 139
  Racist Language 125
  Restricted Files 125
  Restricted Recipients 125
  Resumes 140
  Sarbanes-Oxley 184
  SEC Fair Disclosure Regulation 187
  Sexually Explicit Language 126
  Source Code 140
  State Data Privacy 189
  SWIFT Codes 147
  Symantec DLP Awareness and Avoidance 141
  UK Data Protection Act 1998 154
  UK Drivers License Numbers 147
  UK Electoral Roll Numbers 147
  UK National Health Service (NHS) Number 148
  UK National Insurance Numbers 148
  UK Passport Numbers 148
  UK Tax ID Numbers 149
  US Intelligence Control Markings (CAPCO) and DCID 1/7 193
  US Social Security Numbers 149
  Violence and Weapons 126
  Webmail 126
policy detection, about
  Enterprise Vault Data Classification Services 11
policy detection, classification
  Enabling test mode when 110
  Message/Email Properties and Attributes 108
policy detection, conditions
  Message/Email Properties and Attributes 108
policy templates
  add 101
  Confidential Documents 133
  create policy from 98
  Customer and Employee Data Protection 142
  export 97
  import 97
  Network Security Enforcement 149
  UK and International Regulatory Enforcement 152
  US Regulatory Enforcement 159
policy templates, type
  Confidential or Classified Data Protection 132
  Yahoo and MSN Messengers on Port 80 129
policy templates, types
  Acceptable Use Enforcement 121
port 1521 41
ports
  3389 (Windows Remote Desktop Client) 79
  8100 (Enforce - detection) 69–70
  Enforce - detection connection range 69–70
  Oracle Listener 54
post-installation tasks
  security configuration 72
preparations
  software download 196
protect database 39
protect user account
  creating 45
ProtectInstaller64_11.6.exe 52
ProtectInstaller_11.6.exe 52, 67

R
registering a detection server 70
response rules, actions
  Classify Enterprise Vault Content 103
  Retention categories 106

S
security configuration 72
  antivirus software 77
  auditing 83
  browser certificates 74
  browser certificates, creating 74
  certificate, self-signed 75
  firewall configuration 79
  self-signed certificate 75
  SSL/TLS certificates 73
  virus scan exclusions 78
  virus scan exclusions, Oracle 78
  Windows hardening 80
  Windows password policies 82
  Windows policies 82
  Windows security options 88
  Windows settings 81
  Windows users 85
Select Components panel 52, 67
Select Destination Directory panel 68
serial numbers 35
services 36
SID 39
single-tier installation 21
single-tier installations 32
software download 196
solution pack
  about 61
  importing 64
solution packs
  SolutionPackInstaller 65
  SolutionPackInstaller.exe 65
SolutionPackInstaller 65
SolutionPackInstaller.exe 65
SQL scripts 35, 45
SQL*Plus
  three-tier requirement for 32
sqlnet.ora file 41
SSL/TLS certificates 73
Standard Edition 35
SYS account 40
SYSMAN account 40
SYSTEM account 40
System Account panel 54, 68
  default 60
system requirements
  browser requirements 51
  Oracle database requirements 32

T
Test mode 110
thin driver 36
three-tier installation 21
three-tier installations 32
tiers, installation 21
TNS listener
  configuring 43
  creating 40
Transport Configuration panel 68
two-tier installation 21
two-tier installations 32

U
upgrade
  software download 196
Upgrade Wizard
  starting 196
user accounts 36, 45
  three-tier requirement for 32

V
verification
  detection server installation 69
  Enforce Server installation 60

W
Windows. See Microsoft Windows
  auditing 83
  password policies 82
  policy settings 82
  security hardening 80
  security options 88
  security settings 81
  users 85
Windows platforms
  browsers, supported 51
  operating system requirements 50

