
Incident reports are crucial when DLP rules are broken

The best DLP policies are useless without a way to communicate when violations occur, so learn how to create incident reporting.

It's one thing to define a violation of email policy, but violations must be reported so that the business is aware of them and can take appropriate action. In the final part of our Exchange Server 2013 data loss prevention checklist series we discuss the importance of incident reporting and what should be included as part of email policy development.

The best DLP rules, policies, fingerprints and policy tips are useless without a way to pass the details of a violation to someone with the authority to investigate it. Exchange Server 2013 DLP supports detailed incident reports that draw immediate attention to detected violations. Incident reports are actions specified in the transport rules of data loss prevention (DLP) policies: to trigger a report when a message matches a DLP rule, add the "Generate Incident Report" action to that rule, and the report is delivered to the incident management mailbox configured for that purpose.

You can configure incident reports to include a number of details. Header details can include the message ID, sender, recipients and subject. Beyond the headers, administrators can see the severity of the violation, the specific DLP rules that were matched and the type or classification of data that may have been exposed. Most telling of all, the report shows whether the end user applied an intentional override to send the message, which could be construed as deliberate malfeasance.
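As an added example (not code from the article), the following Exchange Management Shell commands create a transport rule with the "Generate Incident Report" action described above and select the report contents listed in the previous paragraph. The incident management mailbox, the rule name, the DLP policy name (assumed to already exist) and the matched classification are placeholder assumptions.

```powershell
# Added example: a DLP transport rule that generates an incident report.
# Assumed values: the incident mailbox, rule name, policy name and classification
# are placeholders and are not taken from the article.

$incidentMailbox = "dlp-incidents@contoso.example"   # assumed incident management mailbox
$ruleName        = "DLP - Credit card data leaving the org"

# Start in Audit mode so reports reach the mailbox without blocking mail;
# switch to Enforce once the volume and content of the reports have been reviewed.
New-TransportRule -Name $ruleName `
    -DlpPolicy "Contoso Financial Data" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassification @{ Name = "Credit Card Number"; MinCount = 1 } `
    -SetAuditSeverity High `
    -GenerateIncidentReport $incidentMailbox `
    -IncidentReportContent Sender, Recipients, Subject, Severity, RuleDetections, DataClassifications, Override `
    -Mode Audit

# Confirm the incident report action and the selected report contents were stored on the rule.
Get-TransportRule $ruleName |
    Format-List Name, Mode, SetAuditSeverity, GenerateIncidentReport, IncidentReportContent

# After review, enforce the rule and notify the sender. An explicit, justified
# override is still permitted, and the report's Override field records when one was used.
Set-TransportRule $ruleName `
    -Mode Enforce `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText "Credit card data may not be sent outside the organization."
```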

IT administrators, human resource managers, corporate compliance officers or other authorized individuals may access the incident management mailbox, depending on the needs of your business. Once a manager reviews and assesses the report, it may lead to further action.

Perhaps the most important attribute of data loss prevention is its dynamic nature. Policies, rules, fingerprints and reporting are intended to be flexible; they must be, to accommodate rapidly changing security needs and emerging regulatory requirements. Simply implementing DLP is not enough. Exchange administrators must work with compliance officers and business leaders to continuously re-evaluate the current DLP posture and make changes and updates in response to new threats and changing needs.

And don't forget about end users. Periodic policy reminders and occasional security retraining can avoid many careless data breaches before they ever occur.

Next Steps

This is part five in a series about data loss prevention features in Exchange Server 2013. Visit the previous parts of the series by clicking on the links below.
Part one took a closer look at DLP templates.
Part two covered transport rules.
Part three examined the importance of document fingerprinting.
Part four broke down how policy tips work.
