
Data control problem

I have been playing around with the data control policy again, assigned my own machine to a test group.

I have been trying to get Sophos to detect, allow and log bank account details that are attached to the Outlook client.

The following is a test word document named 'Bank details' I have been using:

Bob Smith

Bank account details – 31926819
Sort Code – 521051

Mastercard card – 5487 5489 5225 6554

Expires End – 11/12/12

CCV - 875

I have a rule set that checks for the following:

For any file

where the file contains:

1 or more matches of Bank account details near personally identifiable information [UK],

and 1 or more matches of Bank routing numbers with qualifying terms [UK],

and 2 or more matches of Combination of personally identifiable information [UK],

and 1 or more matches of Confidential document markers [UK],

and 1 or more matches of Credit or debit card numbers near personally identifiable information [UK],

and 1 or more matches of National insurance numbers near personally identifiable information [UK],

and 1 or more matches of National insurance numbers [UK],

and 1 or more matches of National insurance numbers with qualifying terms [UK],

and where the destination is Outlook,

Allow file transfer.


Sophos does not log any email attachment that I attach containing those bank details. However, when I apply the following policy and add the header 'confidential' to the bank details word document it triggers the control and logs the event:

For any file

where the file contains:

1 or more matches of Confidential document markers [Global],

and 1 or more matches of Credit or debit card numbers [Global],

and where the destination is Outlook,

Allow file transfer.  

Not sure why I can't get this working. I just need a policy that checks for bank details, credit card numbers etc. that actually works.



  • Brilliant. Thanks John.

    I have now created the following data control checks under the umbrella of 'Data control policy':

    1. USB control - log all data transferred to removable media.

    2. Email control - Confidential marker check

    3. Email control - Sort code marker check

    4. Email control - Bank account check

    5. Email control - National insurance number check

    6. Email control - UK credit or debit card check

    7. Email control - Global credit or debit card check with qualifying terms

    I have changed the quantity required to trigger the rule down to 1 on each check. I hope this will be better than the default 10 or so.

    Now I need to sit down with my boss and decide what the action should be if the criteria of each one are met. Most likely start with just logging the Email control events, maybe look at blocking confidential markers. I don't want to roll out the policy to everyone and find it disrupts work if I start giving them prompts and blocks in place at first.

    I already have the USB control check in place and it is working very well. We block USB ports and only allow use with certain members of staff. They are only allowed to use a specific type of encrypted USB stick. But I am finding it very useful monitoring what files are leaving the company in that way. In reality email control is a much bigger issue, which I hope these rules will help me monitor and control.

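The behaviour described in both posts (the seven-condition rule staying silent on the 'Bank details' document, the two-condition [Global] rule firing only once a 'confidential' header is added, and the reply's choice to drop each per-check threshold to 1) comes down to how an AND-combined rule is evaluated: every listed condition must reach its minimum match count, so a single condition with zero matches keeps the whole rule from firing, whatever the other conditions find. The toy evaluator below is an added example, not Sophos's code; its regex detectors are constructed stand-ins for the Content Control Lists (whose real definitions are not on the page), the document is a reconstruction of the test file from the first post, and `luhn_valid` is an extra check a practitioner may want when building test data, since some card-number detectors validate the checksum (whether the product's lists do so is not stated on the page).

```python
"""Toy evaluator for AND-combined data-control rules (constructed example).

The detectors are simplified regex stand-ins, NOT the product's Content
Control Lists. What the example demonstrates is rule semantics: in an
AND rule every condition must reach its minimum count or nothing fires,
and the 'unmet' list is the first thing to look at when a rule is silent.
"""
import re
from dataclasses import dataclass, field

# Constructed test document mirroring the 'Bank details' file from the post.
BANK_DETAILS = """Bob Smith

Bank account details - 31926819
Sort Code - 521051

Mastercard card - 5487 5489 5225 6554

Expires End - 11/12/12

CCV - 875
"""

# Simplified detectors (assumptions for illustration, not product definitions).
DETECTORS = {
    # 8-digit number on the same line, shortly after the word "account"
    "bank_account_near_pii": re.compile(r"\baccount\b[^\n]{0,40}?\b\d{8}\b", re.I),
    # UK sort code (6 digits, optionally 12-34-56) after the words "sort code"
    "sort_code_with_terms": re.compile(r"\bsort\s*code\b[^\n]{0,20}?\b\d{2}-?\d{2}-?\d{2}\b", re.I),
    # 16-digit card number written in groups of four
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    # UK National Insurance number, e.g. AB123456C (constructed format check)
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    # Document marker such as "Confidential" anywhere in the text
    "confidential_marker": re.compile(r"\bconfidential\b", re.I),
}


@dataclass
class Condition:
    detector: str
    min_matches: int = 1  # the reply lowers this from the default to 1


@dataclass
class Rule:
    name: str
    destination: str
    conditions: list = field(default_factory=list)


def count_matches(text: str, detector: str) -> int:
    return len(DETECTORS[detector].findall(text))


def unmet_conditions(rule: Rule, text: str) -> list:
    """Conditions below their threshold: the reason an AND rule stays silent."""
    return [c.detector for c in rule.conditions
            if count_matches(text, c.detector) < c.min_matches]


def evaluate(rule: Rule, text: str, destination: str) -> bool:
    """True only if the destination matches AND every condition is satisfied."""
    if destination.lower() != rule.destination.lower():
        return False
    return not unmet_conditions(rule, text)


def luhn_valid(number: str) -> bool:
    """Luhn checksum, applied by many card-number detectors (assumption)."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Rule 1: the first post's AND rule (the subset of its conditions modelled here).
ORIGINAL_RULE = Rule("bank details [UK]", "Outlook", [
    Condition("bank_account_near_pii"),
    Condition("sort_code_with_terms"),
    Condition("card_number"),
    Condition("ni_number"),
    Condition("confidential_marker"),
])

# Rule 2: the two-condition [Global] rule that did fire once a header was added.
GLOBAL_RULE = Rule("confidential + card [Global]", "Outlook", [
    Condition("confidential_marker"),
    Condition("card_number"),
])

if __name__ == "__main__":
    print("rule 1 fires:", evaluate(ORIGINAL_RULE, BANK_DETAILS, "Outlook"))
    print("rule 1 unmet:", unmet_conditions(ORIGINAL_RULE, BANK_DETAILS))
    print("rule 2, no header:", evaluate(GLOBAL_RULE, BANK_DETAILS, "Outlook"))
    print("rule 2, with header:",
          evaluate(GLOBAL_RULE, "Confidential\n" + BANK_DETAILS, "Outlook"))
    print("card passes Luhn:", luhn_valid("5487 5489 5225 6554"))
```

Running it reproduces the pattern in the thread: the account number, sort code and card number all match, but the test document contains no National Insurance number and no confidentiality marker, so the AND rule stays silent until those conditions are dropped or the document satisfies them; the [Global] rule fires as soon as the 'Confidential' header is present. Lowering `min_matches` to 1, as the reply does, only helps for conditions that already have at least one hit. The constructed card number, incidentally, fails the Luhn checksum, which is worth checking before relying on a test file against a detector that validates checksums.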