Configure Data Security (DLP Lite) policy settings

Data Loss Prevention | Forcepoint Web Security Cloud

To configure options for detecting and preventing data loss over web channels:

In the portal, navigate to Account > Data Protection Settings.

In the Web Defaults section, select Use DLP Lite. Save you changes.

When Use DLP Lite is selected, a Data Security tab is available for new policies.

Navigate to the Web > Policy Management > Policies, page, then open the policy you want to configure.

Click the Data Security tab in the policy.

Complete the fields as described in the following sections:

Data security regulations

Data theft detection

Custom data security classifiers

Trusted domains

When you are finished, click Save.

The system will search for sensitive data that is being posted to HTTP and HTTPS sites, and report on it in an incident report available from the Reporting > Report Catalog > Standard Reports > Data Security page.

This report includes intellectual property, data that is protected by national legislation or industry regulation, and data suspected to be stolen by malware or malicious activities.

To search for data over HTTPS, be sure SSL decryption is enabled by following the instructions provided on the SSL Decryption tab.

Data security regulations

Most countries and certain industries have laws and regulations that protect customers, patients, or staff from the loss of personal information such as credit card numbers, social security numbers, and health information.

To set up rules for the regulations that pertain to you:

Click No region selected.

Select the regions in which you operate.

Select the regulations of interest:


Field	Description
Personally Identifiable Information (PII)	Detects Personally Identifiable Information. For example, names, birth dates, driver license numbers, and identification numbers. This option is tailored to specific countries.
Protected Health Information (PHI)	Detects Protected Health Information. For example, terms related to medical conditions and drugs, together with identifiable information.
Payment Card Industry (PCI DSS)	Conforms to the Payment Card Industry (PCI) Data Security Standard, a common industry standard that is accepted internationally by all major credit card issuers. The standard is enforced on companies that accept credit card payments, as well as other companies and organization that process, store, or transmit cardholder data.

Select an action to take when matching data is detected. Select Block to prevent the data from being sent through the web channel. Select Monitor to allow it. (Incidents are created either way.) You can filter by action in the Data Security Incident Manager.

Select a sensitivity to indicate how narrowly or widely to conduct the search.

Select Wide for the strictest security. Wide has a looser set of detection criteria than Default or Narrow, so false positives may result and performance may be affected. Select Narrow for tighter detection criteria. This can result in false negatives or undetected matches. Default is a balance between the two.

Severity is automatically calculated for these regulations.

Data theft detection

Use this section to detect when data is being exposed due to malware or malicious transactions. When you select these options, Forcepoint Web Security Cloud searches for and reports on outbound passwords, encrypted files, network data, and other types of information that could be indicative of a malicious act.

To see if your organization is at risk for data theft:

Select the types of data to look for.


Information Type	Description
Common password information	Searches for outbound passwords in plain text
Encrypted file - known format	Searches for outbound transactions comprising common encrypted file formats
Encrypted file - unknown format	Searches for outbound files that were encrypted using unknown encryption formats
IT asset information	Searches for suspicious outbound transactions, such as those containing information about the network, software license keys, and database files.
Malware communication	Identifies traffic that is thought to be malware "phoning home" or attempting to steal information. Detection is based on the analysis of traffic patterns from known infected machines.
Password files	Searches for outbound password files, such as a SAM database and UNIX/Linux passwords files

Select a sensitivity to indicate how narrowly or widely to conduct the search.

Severity is automatically calculated for these types.

Custom data security classifiers

Use this section if you want to detect intellectual property or sensitive data using custom phrases, dictionaries, or regular expressions containing business-specific terms or data.

Select the classifiers that you want to enable for the policy. If you skipped the section Create content classifiers go there now to populate the list.

Select a severity for each classifier to indicate how severe a breach would be. Select High for the most severe breaches. Severity is used for reporting purposes. It allows you to easily locate High, Medium, or Low severity breaches when viewing reports.

Configure a threshold for each classifier.

Click the link in the Threshold column.

Indicate how many times this classifier should be matched to trigger an incident. You can indicate a range if desired, such as between 3 and 10. By default, the threshold is 1.

Indicate whether you want the system to count each match, even if it is a duplicate, against the threshold, or whether you'd prefer to only count unique matches.

Click OK.

Trusted domains

Select Enable trusted domains if you do not want certain domains to be monitored, then enter URLs for the trusted domains separated by commas.

The system does not analyze content passed between trusted domains. This means users can send them any type of sensitive information via HTTP, HTTPS, or other web channels from your network.

The domains you enter apply only to data security and only to the current web policy.

Duplicate URLs are not permitted. Wildcards and '?' are supported.