Create an information protection policy
- In the management console, on the menu bar, clickPolicies > User Policy.
- Click theInformation Protectiontab.
- ClickAdd Policy.
- In theGeneral Informationsection, fill in the following:
- In thePolicy namefield, type in a name for your policy.
- In theDescriptionfield, type in a description for your policy.
- In thePolicy typedrop-down menu, select the type of policy you are creating. Possible values for policy type are regulatory or organizational.
- A regulatory policy type refers to the finite set of sensitive data defined by a regulation that does not necessarily change over time (for example, PCI, HIPAA, etc.).
- An organizational policy type refers to company proprietary data where the audience for who can access the data can be constantly changing. As a result, organizational data should be classified data elements (for example, the file type, keywords, the file creator, the file creator's role, etc.).
- In theConditionssection, configure the conditions that will trigger a policy violation by using one of the following:ConditionDescriptionAdd conditions using a template
Add conditions using the conditions builderThe conditions builder is comprised ofAndandOrstatement groups. You need to use a combination of these statement groups to determine when a policy will be triggered.
- ClickAdd From Template.
- Click the checkbox for the templates that you want to add to your policy.You can filter the list of templates using the search bar.
- In theAndconditions section, select the conditions from the drop-down list, then specify the minimum number of occurrences required to trigger the condition from the numeric drop-down menu.
- If you would like to add another item to your current statement group, clickAdd Item.
- If you would like to add another statement group, clickAdd Group.
- If you would like to delete a statement group, clickDelete Group.
- In theOrconditions section, select the conditions from the drop-down list, then specify the minimum number of occurrences required to trigger the condition from the numeric drop-down menu.
- In theAllowed Domainssection, click then select the browser domain you want to allow for you policy from the list.
- In theAllowed Email Domainssection, select which email recipients specified in the information protection settings should be allowed for your policy.
- In theActionssection, from the drop-down lists, select the action to take for Web browser, USB, and email exfiltration events. Select from the following actions:
- Report: This option reports the data exfiltration or policy violation to theCylance Endpoint Securityconsole that can be viewed on the Avert Events (Avert > Events) page, creates an alert in the Alerts view, and sends the events to the SIEM solution or syslog server, if configured. In addition, an email is sent to the email recipients that are specified in the Notifications (Settings > Information protection) screen.
- Report and notify: This option reports the data exfiltration or policy violation to theCylance Endpoint Securityconsole and displays the data exfiltration or policy violation badge and notification in the taskbar of the endpoint for the user.
- Report, notify and warn: This option reports the data exfiltration or policy violation to theCylance Endpoint Securityconsole, displays a badge and notification in the taskbar, and adds aWindowsnotification in the endpoint and a popup warning to the user before the data exfiltration or policy violation occurs. For example, if a user usesMicrosoft Outlook, theCylanceAVERTagent will intercept the email and display an alert in the email editor as well as a warning to the user before the sensitive data is sent.
- ClickAdd.If a user has policies assigned to them, and then has all of those policies removed, the user will be deleted fromCylanceAVERT.
Do any of the following:
- You can assign a policy to users and user groups. See View CylanceAVERT user details for more information.
- To delete an information protection policy, select the checkbox beside the policy in the list, then clickDelete.
- To edit an information protection policy, click on the policy in the list, make a change to the policy, then clickSave.