Policy Templates for Compliance and DLP
NOTE: From the SSE 6.6.2 release, the Policy Templates that contain Data Identifiers (legacy DLP features) are available only to users who have already defined DLP policies using these templates. They are not available to other users. Skyhigh recommends using classifications to define rules in your DLP policies. For details, see About Classifications.
This table lists the policy templates provided for Compliance and DLP.
Policy Name | Description | Benchmark |
---|---|---|
ABA Routing Numbers and Banking Keywords | This API policy looks for valid ABA Routing Numbers in conjunction with banking-related keywords. It quarantines medium severity violations and deletes high severity violations. | |
Password Files | This policy detects and quarantines password files and formats such as SAM, /etc/password, and /etc/shadow. | |
Document Classification | This policy searches data for Confidential, Personal Information or Highly Restricted tags. Confidential data creates an incident, Personal Information is quarantined and Highly Restricted data is deleted per corporate policy. | |
Design Documents | This policy detects various types of design documents at risk of exposure. | |
Confidential Documents | This policy quarantines documents with confidential keywords in the metadata/header for a specific set of file types if they were shared. | |
Encrypted Data | This policy detects the use of encryption by a variety of methods including S/MIME, PGP, GPG, and file password protection. | |
Financial Information | This policy detects financial data and information, and quarantines high severity incidents if specified keywords are found in the header/metadata. | |
M&A Activity | This policy detects contracts and official documentation about Merger & Acquisition activity against defined keywords. The response for the incident is to quarantine the file. | |
PCI DSS | The Payment Card Industry (PCI) Data Security Standard (DSS) is jointly determined by the major payment card companies (such as Visa, MasterCard, American Express, and Discover). This policy detects credit card data that, if exposed, could represent a violation of this standard. | |
PST Files | This API policy is designed to delete the PST files that, according to enterprise policy, are not to be stored on cloud storage CSPs. | |
Sarbanes-Oxley | The US Sarbanes-Oxley Act (SOX) imposes requirements on financial accounting including the preservation of data integrity and the ability to create an audit trail. This policy detects and quarantines sensitive financial data. | |
SSH Private Keys | This policy detects and quarantines SSH Private Key files. | |
US Social Security Numbers | This policy looks for valid US SSNs. It quarantines medium severity violations and deletes high severity violations. | |
Source Code | This policy detects various types of source code at risk of exposure, including Java, C, VB and Perl source, as well as matching source code file extensions from Assembly to Visual Basic. An incident is created if a file extension matches, and the file is quarantined if source code is discovered. | |
Resume Policy | This policy is designed to prevent resume-related data from being sent to cloud providers. It looks for resume keywords in conjunction with a file type. | |
HIPAA and HITECH including PHI | This policy strictly enforces the US HIPAA by searching for data concerning prescription drugs, diseases, and treatments in conjunction with PHI. This policy may also be used for organizations which are not subject to HIPAA but want to control PHI data. Any incidents are quarantined. | |
Contact Lists | This policy flags contact list related data being sent to cloud providers. | |
AIP Confidential | Finds all documents that were marked "Confidential" by Microsoft Advanced Information Protection. | |
Boldon James Confidential | Detects files with the Boldon James tag "Confidential" (id_classification_confidential). | |
Caldicott Report | The Caldicott Report (December 1997) was a review commissioned by the UK Chief Medical Officer to make recommendations to improve the way the National Health Service handles and protects patient information. The Caldicott Committee was set up to review the confidentiality and flows of data throughout the NHS for purposes other than direct care, medical research or where there is a statutory requirement for information. Its recommendations are now being put into practice throughout the NHS and in the Health Protection Agency. | |
Canadian Social Insurance Numbers | This policy detects patterns indicating Canadian social insurance numbers (SINs) at risk of exposure. | |
Credit Card Numbers | This policy detects patterns indicating credit card numbers at risk of exposure. | |
Customer Data Protection | This policy detects customer data at risk of exposure. | |
Data Protection Act 1998 | The Data Protection Act 1998 (replacement of Data Protection Act 1984) set standards which must be satisfied when obtaining, holding, using or disposing of personal data in the UK. The Data Protection Act 1998 covers anything with personal identifiable information (e.g. data about personal health, employment, occupational health, finance, suppliers, and contractors). | |
Defense Message System (DMS) GENSER Classification | This policy detects information classified as confidential according to the guidelines established by the Defense Information Systems Agency for the Defense Message System (DMS) General Services (GENSER) message classifications, categories and markings. These standards outline how to mark classified and sensitive documents according to US standards, as well as providing interoperability with NATO countries and other US allies. | |
Employee Data Protection | This policy detects employee data at risk of exposure. | |
Export Administration Regulations (EAR) | The Export Administration Regulations (EAR) are enforced by the US Department of Commerce. These regulations primarily cover technologies and technical information with both commercial and military applications, also known as dual use technologies (e.g., chemicals, satellites, software, computers, etc.). This policy detects violations based on countries and controlled technologies designated by the EAR. | |
FACTA 2003 (Red Flag Rules) | This policy helps to address sections 114 and 315 (or Red Flag Rules) of the Fair and Accurate Credit Transactions Act of 2003. These rules specify that a financial institution or creditor that offers or maintains covered accounts must develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. | |
General Data Protection Regulations (Banking and Finance) | This template focuses on GDPR banking and finance related keywords, Data Identifiers and an EDM profile with related columns. The GDPR is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the EU. It also addresses export of personal data outside the EU. The Commission's primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. | |
General Data Protection Regulations (Government Identification) | This template focuses on government identification related keywords, Data Identifiers and an EDM profile with related columns. The GDPR is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the EU. It also addresses export of personal data outside the EU. The Commission's primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. | |
General Data Protection Regulations (Healthcare and Insurance) | This template focuses on healthcare and insurance related keywords, Data Identifiers and an EDM profile with related columns. The GDPR is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the EU. It also addresses export of personal data outside the EU. The Commission's primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. | |
Gramm-Leach-Bliley | The Gramm-Leach-Bliley (GLB) Act gives consumers the right to limit some sharing of their information by financial institutions. This policy detects transmittal of customer data. | |
Human Rights Act 1998 | The Data Protection Act 1998 (replacement of Data Protection Act 1984) set standards which must be satisfied when obtaining, holding, using or disposing of personal data in the UK. The Data Protection Act 1998 covers anything with personal identifiable information (e.g. data about personal health, employment, occupational health, finance, suppliers, and contractors). | |
Individual Taxpayer Identification Numbers (ITIN) | An Individual Taxpayer Identification Number (ITIN) is a tax processing number issued by the US Internal Revenue Service (IRS). The IRS issues ITINs to track individuals who are not eligible to obtain a Social Security Number (SSN). | |
International Traffic in Arms Regulations (ITAR) | The International Traffic in Arms Regulations (ITAR) are enforced by the US Department of State. Exporters of defense services or related technical data are required to register with the federal government and may need export licenses. This policy detects potential violations based on countries and controlled assets designated by the ITAR. | |
NASD Rule 2711 and NYSE Rules 351 and 472 | NASD Rule 2711 and NYSE Rules 351 and 472 stipulate separation of investment banking from research and trading to ensure trust in the public markets. This template allows monitoring of the communications of research analysts when they are subject to these regulations. | |
NASD Rule 3010 and NYSE Rule 342 | NASD Rule 3010 and NYSE Rule 342 require broker-dealers to supervise certain brokerage employees' communications. This policy allows monitoring the communications of registered principals when they are subject to these regulations. | |
Network Diagrams | This policy detects computer network diagrams at risk of exposure. | |
Network Security | This policy detects evidence of hacking tools and attack planning. | |
Office of Foreign Assets | The Office of Foreign Assets Control of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against certain countries, individuals, and organizations. This policy detects communications involving these targeted groups. | |
OMB Memo 06-16 and FIPS 199 Regulations | This policy detects information classified as confidential according to the guidelines established in the Federal Information Processing Standards (FIPS) Publication 199 from the National Institute of Standards and Technology (NIST). These security classifications were reinforced as the basis for compliance with memorandum 06-16 from the Office of Management and Budget (OMB). | |
Payment Card Industry Data Security Standard | The Payment Card Industry (PCI) Data Security Standard (DSS) is jointly determined by the major payment card companies (such as Visa, MasterCard, American Express, and Discover). This comprehensive standard is intended to help organizations proactively protect customer account data. This policy detects credit card data that, if exposed, could represent a violation of this standard. | |
PIPEDA | Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) protects personal information in the hands of private sector organizations and provides guidelines for the collection, use and disclosure of that information. This policy detects customer data protected by PIPEDA regulations. | |
Project Data | This policy helps find discussions of sensitive projects. | |
Proprietary Media Files | This policy detects various types of video and audio files that could be proprietary and intellectual property of your organization and at risk for exposure. | |
Publishing Documents | This policy detects various types of publishing documents such as FrameMaker files at risk of exposure. | |
SEC Fair Disclosure Regulation | The US SEC Selective Disclosure and Insider Trading Rules prohibit public companies from selectively divulging material information to analysts and institutional investors prior to its release generally to the public. This policy detects data indicating disclosure of material financial information. | |
State Data Privacy | Many states in the US have adopted statutes mandating data protection and public disclosure of information security breaches in which confidential data of individuals is compromised. This policy detects these breaches of confidentiality. | |
SWIFT Codes | The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a cooperative organization under Belgian law and is owned by its member financial institutions. The SWIFT code (also known as a Bank Identifier Code, BIC, or ISO 9362) has a standard format to identify a bank, location, and the branch involved. These codes are used when transferring money between banks, particularly across international borders. | |
Titus Internal-Only | Detects files with the Titus Labs tag "Internal Only". | |
UK Drivers Licence Numbers | This policy detects UK Drivers Licence Numbers using the official specification of the UK Government Standards of the UK Cabinet Office. | |
UK Electoral Roll Numbers | This policy detects UK Electoral Roll Numbers using the official specification of the UK Government Standards of the UK Cabinet Office. | |