
Tier 02.03

The document discusses different types of data loss prevention (DLP) policies that can be created in Safetica, including general policies, data policies, and application policies. It provides instructions on how to set the mode and channels for a general DLP policy that will log and notify users when performing specific restricted operations, such as copying files to external devices, sending emails, syncing or sharing files through cloud services and messaging/collaboration apps. Screenshots of the configured settings are to be uploaded.

Uploaded by Sonaira Sales

Introduction

Time requirements for the course completion: 50 minutes

After defining sensitive data in a company, the next step is to impose restrictions on them. The following units explain how to choose a correct approach to do that. They go through all available features and settings and show you how to investigate DLP incidents.


DLP policy types

DLP policies in Safetica can be set up to impose restrictions on applications and data leak channels. You can create a new DLP policy in the Protection section of Safetica Management Console. There are three types of DLP policies to choose from.

General policy

A general policy applies to entire communication channels regardless of what data is involved. You can, for example, restrict all file uploads to the internet, copying to external devices, etc. General policies are great for imposing general restrictions in a company.

Data policy
Data policies can be applied to files classified with a data category or files that
meet criteria of multiple data categories. The easiest use case is applying a
DLP policy to files that belong to a single data category (Context, Content,
Third-party, or File properties). 

In addition, each data DLP policy can be associated with one context data
category and multiple content, third-party, and file properties data categories.
This way, you can create combinations of data categories that define sensitive
data accurately. For example, you can apply restrictions specifically to
documents saved in a certain folder (tagged with context data category) that
contain sensitive content (defined in a sensitive data category). Another use
case is imposing restrictions on files exported from an application (tagged with
context data category) that have a specific file extension (defined in file
properties data category).

Application policy

An application DLP policy can be applied directly to a selected application category regardless of what data you work with in the application. This feature is available under Safetica Enterprise license only.

Please note that the set of rules available in each DLP policy type is slightly
different. The sets of rules within individual data DLP policies differ also based
on what type of data category the policy is associated with.


DLP policy settings


After you choose the DLP policy, you can proceed with further settings. This chapter explains available policy modes and DLP channels that can be controlled.

The DLP policy mode determines what restriction is applied when a certain user action violates the DLP policy. There are four types of DLP policy modes to choose from:

• Disabled – in this mode, the policy is disabled. You can use this mode to temporarily turn off the restrictions.
• Log only – the action is logged, however, the user is not notified, nor are any other restrictions applied.
• Log and notify – the action is logged and the user is notified about violating the DLP policy via a pop-up window shown on their computer. The user can decide whether they want to continue with the action, or cancel it.
• Log and block – the action is logged and subsequently blocked. The user is informed about that in a pop-up window that appears in the lower right corner of their screen. For blocking policies, you can also enable the Override feature – which will be explained in the next chapter.

For any policy in the Log only, Log and notify, and Log and block modes,
you can enable the Shadow copy feature – which will be described in a
forthcoming chapter too.

After choosing the DLP policy mode, you can set up restrictions for each
supported channel. Settings of previously created DLP policies will be
available as templates that you can easily load. The video below explains
all available channels and the behavior on endpoints:

Additional resources

DLP policies in Safetica

Policy rule overview

Assignment

Task

Create a general DLP policy that logs and notifies users when they perform exactly the following operations:

• Copying files to all external devices
• Sending emails in Outlook to all addresses except for email domains added to a safe zone
• Synchronizing files with OneDrive and SharePoint cloud services
• Sending files via IM applications and respective websites
• Transferring files via remote desktop connections (Windows RDP and TeamViewer)
• Uploading files to mailboxes opened in a web browser

Upload screenshots of the settings.

Hint:

After uploading your answer you can carry on to the following unit.
Use the drop-down menu or arrow on the top of this page.

DLP policies in Safetica ONE


This article explains how DLP policies and related rules work in
Safetica ONE for controlling various communication channels.

Safetica ONE uses DLP policies for data protection on endpoints and for
controlling application behavior.

Every DLP policy consists of a policy type, policy mode, and policy rules.

DLP policies can be set in Safetica Management Console in Protection > DLP policies.

In this article, you will learn more about:

• How are policies evaluated
• Policy types
• Policy modes
• Policy rule overview

To learn how to create a DLP policy, click here.

How are policies evaluated

DLP policies in Safetica ONE are prioritized and evaluated from the top to the bottom of the DLP policy list. By changing the order of policies, you also change their priority during evaluation.

How DLP policies are evaluated:

• Every policy contains one or more rules (e.g. for upload, email, external devices, etc.).
• Each rule is evaluated and applied separately.
• First match always applies.
• Actions which are not specified in a policy will be managed by other policies placed lower in the DLP policy list.

Example: When a policy is found with a first-match rule for upload, the assigned action will be performed, and upload will not be evaluated any further. Evaluation will continue, however, for other operations (e.g. for email or external devices). These will be evaluated by policies placed lower in the list until a first match is found.

User-specific exceptions to policies can be set up by creating a new DLP policy, assigning it to the user, and placing it above the more general policies.
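
The evaluation order described above, modelled as an added Python example (it is not Safetica code and does not use any Safetica API). The channel identifiers, the "restrict"/"allow" rule labels, the policy names and the "unmanaged" result for an operation no policy covers are assumptions made for illustration; the second function goes one step further and lists rules that can never be the first match because of where they sit in the list.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Mode(Enum):
    DISABLED = "Disabled"
    LOG_ONLY = "Log only"
    LOG_AND_NOTIFY = "Log and notify"
    LOG_AND_BLOCK = "Log and block"


# What happens to a *restricted* action in each enabled mode.
RESTRICTED_OUTCOME = {
    Mode.LOG_ONLY: "log",
    Mode.LOG_AND_NOTIFY: "notify+log",
    Mode.LOG_AND_BLOCK: "block+log",
}


@dataclass
class Policy:
    name: str
    mode: Mode
    rules: dict                        # channel -> "restrict" | "allow" (hypothetical labels)
    users: Optional[frozenset] = None  # None = assigned to everyone


def evaluate(policies, user, channel):
    """Return (policy name, outcome) for one operation, walking the list top to bottom."""
    for policy in policies:
        if policy.mode is Mode.DISABLED:
            continue                   # defined, but does not affect anything
        if policy.users is not None and user not in policy.users:
            continue                   # policy is not assigned to this user
        setting = policy.rules.get(channel)
        if setting is None:
            continue                   # channel not specified here: lower policies decide
        if setting == "allow":
            return policy.name, "log"  # allowed actions are only logged
        return policy.name, RESTRICTED_OUTCOME[policy.mode]
    return None, "unmanaged"           # assumption: no policy has a rule for this channel


def shadowed_rules(policies):
    """List (policy, channel, shadowing policy) for rules that can never be a first match."""
    found = []
    for index, low in enumerate(policies):
        for channel in low.rules:
            for high in policies[:index]:
                if high.mode is Mode.DISABLED or channel not in high.rules:
                    continue
                # The higher policy must apply to every user the lower one applies to.
                covers = high.users is None or (
                    low.users is not None and low.users <= high.users
                )
                if covers:
                    found.append((low.name, channel, high.name))
                    break
    return found


# Constructed sample list, ordered top (highest priority) to bottom.
POLICIES = [
    Policy("Exception: alice may use USB", Mode.LOG_ONLY,
           {"external_devices": "allow"}, users=frozenset({"alice"})),
    Policy("Block uploads", Mode.LOG_AND_BLOCK, {"upload": "restrict"}),
    Policy("Draft: block email", Mode.DISABLED, {"email": "restrict"}),
    Policy("General baseline", Mode.LOG_AND_NOTIFY,
           {"upload": "restrict", "email": "restrict", "external_devices": "restrict"}),
]

if __name__ == "__main__":
    for user, channel in [("alice", "external_devices"), ("bob", "external_devices"),
                          ("bob", "upload"), ("bob", "email"), ("bob", "print")]:
        print(user, channel, evaluate(POLICIES, user, channel))
    print("shadowed:", shadowed_rules(POLICIES))
```

The shadowed-rule listing is a quick review aid after reordering: the upload rule in the baseline policy never fires because the stricter policy above it already matches upload for every user.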

 
Policy types

There are three types of DLP policies in Safetica ONE:

1. General policies – manage selected communication channels as a whole, e.g. all data sent via email, all uploaded data, all data copied to external devices, etc. General policies are great for setting general limitations of what is allowed and what is not.
2. Data policies – manage and protect specific data categories and their combinations, e.g. credit card numbers, regular expressions, CRM exports, etc.
3. Application policies – manage applications and their behavior. They are applied to application categories. To manage a single application, create a new application category for it and apply your policy to this category. Application policies are available in Safetica ONE Enterprise only. Shadow copies are not supported for Application policies.

We recommend placing general and other less strict DLP policies into the lower part of the list. More specific and strict policies can be placed into the upper part.

Policy modes

Every DLP policy can be set to 4 different modes which affect how policy rules are applied:

• Disabled – the policy is defined but does not affect anything. This mode is useful when you prepare a policy which will only be applied later.
• Log only – the policy audits and logs both restricted and allowed actions.
• Log and notify – user is notified about performing restricted actions, which are also logged if performed. Allowed actions are only logged. Safetica ONE does not log: Delete, Create, Rename, Copy/Move within one physical storage (exceptions: destination is a cloud folder; DLP rule is applied to the operation).
• Log and block – restricted actions are blocked altogether and logged. Allowed actions are only logged.
 
Policy rule overview

Policy rule: Cloud drives
Description: File transfer from local computers to cloud drives via sync clients or web interface. Can be set either for cloud drives in general, or only for specified cloud drives (e.g. Dropbox, Google Drive, OneDrive, etc.). Available for all policies.
Limitations: -

Policy rule: Upload
Description: File uploads via web browser to all websites irrespective of their category. You can also choose more specific rules Upload to file share and Upload to web mail which are applied only to websites categorized as File hosting and Web mails respectively. Upload also affects sending files via instant messaging websites and uploading files to cloud drives in web browser. Available for general and data policies.
Limitations: -

Policy rule: Email
Description: Sending emails from desktop email clients. Available for general and data policies.
Limitations: Does not apply to web mail.

Policy rule: Instant messaging
Description: Sending files via IM applications or websites categorized as Instant Messaging Web Applications. Available for general and data policies.
Limitations: Applies only to sent files, not to messages.

Policy rule: External devices
Description: File transfer to external devices. Available for all policies.
Limitations: Applies only to devices connected as USB mass storage.

Policy rule: Network file share
Description: File transfer to network file shares. Available for general and data policies.
Limitations: -

Policy rule: Remote transfer
Description: Remote file transfer and clipboard operations using these applications: Microsoft Remote Desktop and Team Viewer. Available for general and data policies.
Limitations: Does not block remote desktop connections in general.

Policy rule: Git
Description: Performing git push (i.e. data upload from local directories into remote Git repositories). Available for general policies.
Limitations: Shadow copies are not created for Git control.

Policy rule: Other network connection
Description: All network traffic except for network file shares. Warning: By choosing the Log and block mode, it is possible to completely cut off an endpoint from the network. Extreme care should be taken not to set this rule incorrectly. Available for application policies and data policies of the context type.
Limitations: This is an expert setting, which might negatively affect connectivity. Shadow copies are not created for Other network connections. User override is not available for Other network connection. These operations will be blocked, even when override is enabled.

Policy rule: Print
Description: Printing in general, including virtual print. You can also choose the more specific rule Virtual print which applies only to virtual printing into files. Available for all policies.
Limitations: Shadow copies are not created for Print and Virtual print yet. User override is not available for Print and Virtual print. These operations will be blocked, even when override is enabled.

Policy rule: Clipboard
Description: Copying text and images from restricted applications via clipboard. In the Log and block mode, clipboard operations are allowed within the application that owns the data, but transfers to other applications are blocked. Available for data and application policies.
Limitations: Shadow copies are not created for Clipboard operations. User override is not available for Clipboard. These operations will be blocked, even when override is enabled. These operations are not logged. If you create a Log only policy, it will not perform any action.

Policy rule: Screen capture
Description: Taking screenshots, screen sharing and screen recording. Available for data and application policies.
Limitations: Shadow copies are not created for Screen capture operations. User override is not available for Screen capture. These operations will be blocked, even when override is enabled. These operations are not logged. If you create a Log only policy, it will not perform any action.

Policy rule: Local paths
Description: Access to specified paths on local drives. Warning: By choosing the Log and block mode, it is possible to completely cut off a destination from all access. Extreme care should be taken not to set this rule incorrectly. Available for application policies and data policies of the context type. This rule is available in Safetica Enterprise only.
Limitations: This is an expert setting, which might negatively affect user workflow. Shadow copies are not created for Local paths.

Policy rule: Exclusive access
Description: Application whitelisting or blacklisting for accessing sensitive data. Allows you to determine which applications can or cannot work with sensitive data. Warning: By choosing the Log and block mode, it is possible to completely cut off certain applications from the data they might need to work correctly. Extreme care should be taken not to set this rule incorrectly. To enable exclusive access for one specific application, create a new application category for it. Available for data policies of the context type. This rule is available in Safetica Enterprise only.
Limitations: This is an expert setting, which might negatively affect user workflow. Shadow copies are not created for Exclusive access. User override is not available for Exclusive access. These operations will be blocked, even when override is enabled. Can only be set for whole application categories.

DLP policies in Safetica ONE


This article explains how DLP policies and related rules work in
Safetica ONE for controlling various communication channels.

Safetica ONE uses DLP policies for data protection on endpoints and for
controlling application behavior.

Every DLP policy consists of a policy type, policy mode, and policy rules.


DLP policies can be set in Safetica Management
Console in Protection > DLP policies.

In this article, you will learn more about:

 How are policies evaluated


 Policy types
 Policy modes
 Policy rule overview
To learn how to create a DLP policy, click here.

How are policies evaluated

DLP policies in Safetica ONE are prioritized and evaluated from the top to


the bottom of the DLP policy list. By changing the order of policies, you also
change their priority during evaluation.

How DLP policies are evaluated:

 Every policy contains one or more rules (e.g. for upload, email, external
devices, etc.).
 Each rule is evaluated and applied separately.
 First match always applies.
 Actions which are not specified in a policy will be managed by other policies
placed lower in the DLP policy list.

Example: When a policy is found with a first-match rule for upload, the assigned action
will be performed, and upload will not be evaluated any further. Evaluation will
continue, however, for other operations (e.g. for email or external devices). These will
be evaluated by policies placed lower in the list until a first match is found.

User-specific exceptions to policies can be set up by creating a new DLP policy,


assigning it to the user, and placing it above the more general policies.

Policy types
There are three types of DLP policies in Safetica ONE:

1. General policies – manage selected communication channels as a whole,


e.g. all data sent via email, all uploaded data, all data copied to external
devices, etc. General policies are great for setting general limitations of what
is allowed and what is not.
2. Data policies – manage and protect specific data categories and their
combinations, e.g. credit card numbers, regular expressions, CRM exports,
etc.
3. Application policies – manage applications and their behavior. They are
applied to application categories. To manage a single application, create a
new application category for it and apply your policy to this
category. Application policies are available in Safetica ONE Enterprise
only. Shadow copies are not supported for Application policies.

We recommend placing general and other less strict DLP policies into the lower
part of the list. More specific and strict policies can be placed into the upper
part.

 
Policy modes

Every DLP policy can be set to 4 different modes which affect how policy rules
are applied:

 Disabled – the policy is defined but does not affect anything. This mode is
useful when you prepare a policy which will only be applied later.
 Log only – the policy audits and logs both restricted and allowed actions.
 Log and notify – user is notified about performing restricted actions, which are
also logged if performed. Allowed actions are only logged. Safetica ONE
does not log: Delete, Create, Rename, Copy/Move within one physical
storage (exceptions: destination is a cloud folder; DLP rule is applied to the
operation).
 Log and block – restricted actions are blocked altogether and
logged. Allowed actions are only logged.

 
Policy rule overview

Policy rule Description Limitations

File transfer from local
computers to cloud drives via sync
clients or web interface.

Can be set either for cloud drives in


Cloud drives  
general, or only for specified cloud
drives (e.g. Dropbox, Google Drive,
OneDrive, etc.).

Available for all policies.


Policy rule Description Limitations

File uploads via web browser to all


websites irrespective of their category.

You can also choose more specific


rules Upload to file share and Upload
to web mail which are applied only to
websites categorized as File
Upload hosting and Web mails respectively.  

Upload also affects sending files via


instant messaging websites and
uploading files to cloud drives in web
browser.

Available for general and data policies.

Sending emails from desktop email


clients. Does not apply to
Email
web mail.
Available for general and data policies.

Sending files via IM applications or


websites categorized as Instant Applies only to
Instant
Messaging Web Applications. sent files, not to
messaging
messages.
Available for general and data policies.

Applies only to
File transfer to external devices. devices
External devices connected as
Available for all policies. USB mass
storage.
Policy rule Description Limitations

File transfer to network file shares.


Network file
 
share
Available for general and data policies.

Remote file transfer and clipboard


operations using these Does not block
applications: Microsoft Remote remote desktop
Remote transfer
Desktop and Team Viewer. connections in
general.
Available for general and data policies.

Performing git push (i.e. data upload


Shadow
from local directories into remote Git
copies are not
Git repositories).
created for Git
control.
Available for general policies.
This is an expert
setting, which
might negatively
affect
connectivity.
All network traffic except for network file
shares. Shadow
copies are not
Warning: By choosing the Log and created for Other
block mode, it is possible to completely network
Other network
cut off an endpoint from the network. connections.
connection
Extreme care should be taken not to set
this rule incorrectly. User override is
not available for
Available for application policies and Other network
data policies of the context type. connection.
These operations
will be blocked,
even when
override is
enabled.

Printing in general, including virtual Shadow


print. copies are not
Print
created for Print
You can also choose the more specific and Virtual print
Policy rule Description Limitations

yet.

User override is
not available for
rule Virtual print which applies only to
Print and Virtual
virtual printing into files.
print. These
operations will be
Available for all policies.  
blocked, even
when override is
enabled.
Shadow
copies are not
created for
Clipboard
operations.
Copying text and images from restricted
User override is
applications via clipboard. In the Log
not available for
and block mode, clipboard operations
Clipboard. These
are allowed within the application that
Clipboard operations will be
owns the data, but transfers to other
blocked, even
applications are blocked.
when override is
enabled.
Available for data and application
policies.
These operations
are not logged. If
you create a Log
only policy, it will
not perform any
action.
Screen capture Taking screenshots, screen sharing and Shadow
screen recording. copies are not
created for
Available for data and application Screen capture
policies. operations.

User override is
not available for
Screen capture.
These operations
will be blocked,
even when
override is
enabled.

These operations
Policy rule Description Limitations

are not logged. If


you create a Log
only policy, it will
not perform any
action.

Access to specified paths on local


drives.
This is an expert
Warning: By choosing the Log and setting, which
block mode, it is possible to completely might negatively
cut off a destination from all access. affect user
Extreme care should be taken not to set workflow.
Local paths
this rule incorrectly.
Shadow
Available for application policies and copies are not
data policies of the context type. created for Local
paths.
This rule is available in Safetica
Enterprise only.

This is an expert
setting, which
Application whitelisting or blacklisting
might negatively
for accessing sensitive data. Allows you
affect user
to determine which applications can or
workflow.
cannot work with sensitive data.
Shadow
Warning: By choosing the Log and
copies are not
block mode, it is possible to completely
created for
cut off certain applications from the data
Exclusive access.
they might need to work correctly.
Extreme care should be taken not to set
User override is
Exclusive access this rule incorrectly.
not available for
Exclusive access.
To enable exclusive access for one
These operations
specific application, create a new
will be blocked,
application category for it.
even when
override is
Available for data policies of the context
enabled.
type.
Can only be set
This rule is available in Safetica
for whole
Enterprise only.
application
categories.
DLP policies in Safetica ONE
This article explains how DLP policies and related rules work in
Safetica ONE for controlling various communication channels.

Safetica ONE uses DLP policies for data protection on endpoints and for
controlling application behavior.

Every DLP policy consists of a policy type, policy mode, and policy rules.


DLP policies can be set in Safetica Management
Console in Protection > DLP policies.

In this article, you will learn more about:

 How are policies evaluated


 Policy types
 Policy modes
 Policy rule overview

To learn how to create a DLP policy, click here.

How are policies evaluated

DLP policies in Safetica ONE are prioritized and evaluated from the top to


the bottom of the DLP policy list. By changing the order of policies, you also
change their priority during evaluation.

How DLP policies are evaluated:

 Every policy contains one or more rules (e.g. for upload, email, external
devices, etc.).
 Each rule is evaluated and applied separately.
 First match always applies.
 Actions which are not specified in a policy will be managed by other policies
placed lower in the DLP policy list.

Example: When a policy is found with a first-match rule for upload, the assigned action
will be performed, and upload will not be evaluated any further. Evaluation will
continue, however, for other operations (e.g. for email or external devices). These will
be evaluated by policies placed lower in the list until a first match is found.

User-specific exceptions to policies can be set up by creating a new DLP policy,


assigning it to the user, and placing it above the more general policies.

Policy types
There are three types of DLP policies in Safetica ONE:

1. General policies – manage selected communication channels as a whole,


e.g. all data sent via email, all uploaded data, all data copied to external
devices, etc. General policies are great for setting general limitations of what
is allowed and what is not.
2. Data policies – manage and protect specific data categories and their
combinations, e.g. credit card numbers, regular expressions, CRM exports,
etc.
3. Application policies – manage applications and their behavior. They are
applied to application categories. To manage a single application, create a
new application category for it and apply your policy to this
category. Application policies are available in Safetica ONE Enterprise
only. Shadow copies are not supported for Application policies.

We recommend placing general and other less strict DLP policies into the lower
part of the list. More specific and strict policies can be placed into the upper
part.

 
Policy modes

Every DLP policy can be set to 4 different modes which affect how policy rules
are applied:

 Disabled – the policy is defined but does not affect anything. This mode is
useful when you prepare a policy which will only be applied later.
 Log only – the policy audits and logs both restricted and allowed actions.
 Log and notify – user is notified about performing restricted actions, which are
also logged if performed. Allowed actions are only logged. Safetica ONE
does not log: Delete, Create, Rename, Copy/Move within one physical
storage (exceptions: destination is a cloud folder; DLP rule is applied to the
operation).
 Log and block – restricted actions are blocked altogether and
logged. Allowed actions are only logged.
 
Policy rule overview

| Policy rule | Description | Limitations |
|---|---|---|
| Cloud drives | File transfer from local computers to cloud drives via sync clients or web interface. Can be set either for cloud drives in general, or only for specified cloud drives (e.g. Dropbox, Google Drive, OneDrive, etc.). Available for all policies. | |
| Upload | File uploads via web browser to all websites irrespective of their category. You can also choose more specific rules Upload to file share and Upload to web mail which are applied only to websites categorized as File hosting and Web mails respectively. Upload also affects sending files via instant messaging websites and uploading files to cloud drives in web browser. Available for general and data policies. | |
| Email | Sending emails from desktop email clients. Available for general and data policies. | Does not apply to web mail. |
| Instant messaging | Sending files via IM applications or websites categorized as Instant Messaging Web Applications. Available for general and data policies. | Applies only to sent files, not to messages. |
| External devices | File transfer to external devices. Available for all policies. | Applies only to devices connected as USB mass storage. |
| Network file share | File transfer to network file shares. Available for general and data policies. | |
| Remote transfer | Remote file transfer and clipboard operations using these applications: Microsoft Remote Desktop and Team Viewer. Available for general and data policies. | Does not block remote desktop connections in general. |
| Git | Performing git push (i.e. data upload from local directories into remote Git repositories). Available for general policies. | Shadow copies are not created for Git control. |
| Other network connection | All network traffic except for network file shares. Warning: By choosing the Log and block mode, it is possible to completely cut off an endpoint from the network. Extreme care should be taken not to set this rule incorrectly. Available for application policies and data policies of the context type. | This is an expert setting, which might negatively affect connectivity. Shadow copies are not created for Other network connections. User override is not available for Other network connection. These operations will be blocked, even when override is enabled. |
| Print | Printing in general, including virtual print. You can also choose the more specific rule Virtual print which applies only to virtual printing into files. Available for all policies. | Shadow copies are not created for Print and Virtual print yet. User override is not available for Print and Virtual print. These operations will be blocked, even when override is enabled. |
| Clipboard | Copying text and images from restricted applications via clipboard. In the Log and block mode, clipboard operations are allowed within the application that owns the data, but transfers to other applications are blocked. Available for data and application policies. | Shadow copies are not created for Clipboard operations. User override is not available for Clipboard. These operations will be blocked, even when override is enabled. These operations are not logged. If you create a Log only policy, it will not perform any action. |
| Screen capture | Taking screenshots, screen sharing and screen recording. Available for data and application policies. | Shadow copies are not created for Screen capture operations. User override is not available for Screen capture. These operations will be blocked, even when override is enabled. These operations are not logged. If you create a Log only policy, it will not perform any action. |
| Local paths | Access to specified paths on local drives. Warning: By choosing the Log and block mode, it is possible to completely cut off a destination from all access. Extreme care should be taken not to set this rule incorrectly. Available for application policies and data policies of the context type. This rule is available in Safetica Enterprise only. | This is an expert setting, which might negatively affect the user's workflow. Shadow copies are not created for Local paths. |
| Exclusive access | Whitelist or blacklist of applications for accessing sensitive data. Lets you determine which applications can or cannot work with sensitive data. Warning: By choosing the Log and block mode, it is possible to completely cut off certain applications from the data they may need to function properly. Extreme care should be taken not to set this rule incorrectly. To enable exclusive access for a specific application, create a new application category for it. Available for data policies of the context type. This rule is available in Safetica Enterprise only. | This is an expert setting, which might negatively affect the user's workflow. Shadow copies are not created for Exclusive access. User override is not available for Exclusive access. These operations will be blocked, even when override is enabled. Can be set only for entire application categories. |

Policy rule overview

| Policy rule | Available settings | General policies | Data policies: Sensitive data | Data policies: Existing classification | Data policies: Context rules | Application policy |
|---|---|---|---|---|---|---|
| Upload to file share | Restricted, Allowed | x | x | x | x | |
| Upload to web mail | Restricted, Allowed | x | x | x | x | |
| Upload | Restricted, Safe zones allowed/Custom, Allowed | x | x | x | x | |
| E-mail | Restricted, Safe zones allowed/Custom, Allowed | x | x | x | x | |
| Instant messaging | Restricted, Allowed | x | x | x | x | |
| External devices | Restricted, Safe zones allowed/Custom, Allowed | x | x | x | x | x |
| Cloud drives (Box Sync, Dropbox, Google Drive, OneDrive Business, OneDrive Personal, SharePoint) | Restricted, Custom, Allowed | x | x | x | x | x |
| Virtual print | Restricted, Allowed | x | x | x | x | x |
| Print | Restricted, Safe zones allowed/Custom, Allowed | x | x | x | x | x |
| Clipboard (no logging) | Restricted, Allowed | | x | x | x | x |
| Screen capture (no logging) | Restricted, Allowed | | x | x | x | x |
| Remote transfer | Restricted, Allowed | | | | x | |
| Burning | Restricted, Allowed | | | | x | |
| Network (expert) | Restricted, Safe zones allowed/Custom, Allowed | | | | x | x |
| Local paths (expert) | (needs custom configuration) | | | | x | x |
| Exclusive access (expert) | (needs custom configuration) | | | | x | |


Assignment
Task
Create a general DLP policy that logs and notifies users when they perform
exactly the following operations:

• Copying files to all external devices
• Sending emails in Outlook to all addresses except for email
domains added to a safe zone
• Synchronizing files with OneDrive and SharePoint cloud
services
• Sending files via IM applications and respective websites
• Transferring files via remote desktop connections (Windows
RDP and TeamViewer)
• Uploading files to mailboxes opened in a web browser

Upload screenshots of the settings.

Hint:

After uploading your answer you can carry on to the following unit.
Use the drop-down menu or arrow on the top of this page.