A data policy combines Sensitive Data Classification rules, managed endpoint groups, and defined actions to take when sensitive data movement is detected.

Before you begin, make sure the Data Security Sensor security module is enabled in the Endpoint security policy applied to the endpoint groups you want to monitor. For more information, see Enable Data Security sensors on managed endpoints.
When creating a data policy, you specify protection actions for each channel through which data may be moved. Available protection actions include:
  • Block action: Prevents users from uploading sensitive data to cloud storage apps or transferring it to external devices by deleting the file after transfer.
  • Notify: Sends alerts to designated recipients.
  • Windows message: Displays a pop-up alert in the Windows system tray.

Step 1: Define the scope of a data policy

Define the managed endpoint groups to include in a data policy. Include all managed endpoint groups, or choose specific groups or endpoints to exclude from the policy.

Procedure

  1. In the Trend Vision One console, go to Data Security > Data Policy.
  2. Click Create Policy.
  3. Provide a name and description for the policy.
  4. Specify which managed endpoint groups to include:
    • To include all endpoint groups, select Include.
    • To exclude specific endpoint groups, select All, but exclude, click the edit icon, and clear the checkbox beside each endpoint group you want to exclude. Then click Select.
  5. Click Next.

Step 2: Select the sensitive data classification rules to apply

Choose which Sensitive Data Classification rules to apply to the policy. You can only apply active rules; deactivated rules do not appear in the list.

Procedure

  1. Choose whether you want to apply all sensitive data classification rules to the policy, or only specific rules:
    1. To apply all active sensitive data classification rules, select Apply all active rules.
    2. To apply specific sensitive data classification rules, select Select specific rules.
    If you chose to apply all active rules, skip to step 3.
  2. Clear the checkbox beside each rule you do not want used in the data policy:
    • To filter by data category, select one of the options in the Category area.
    • To search for a rule by name or description, enter the search term in the Rule name, Description field.
    • To filter by sensitivity level, select a level from the Sensitive level tags list.
  3. Click Next.

Step 3: Define protection actions

Specify the response actions to execute when users attempt to upload sensitive data to cloud storage applications, external drives, and web services.

To specify protection actions, first ensure that the following security modules are enabled on an Endpoint Security policy:
  • Data Security Sensor: Sends activity data to trace and analyze the movement of sensitive data defined by data policies.
  • Browser Extension: Allows Trend Vision One to collect additional file upload telemetry from the system browser. This setting is required if the data policy configures protection actions for when a user attempts to upload a sensitive file through a web browser.
For more information, see Enable Data Security sensors on managed endpoints.

Procedure

  1. In the Channels Supported by Endpoint Data Sensor area, select any of the following actions for each channel:
    • Block action: Prevents unauthorized file transfers to external devices or web services by deleting the file after it has been transferred to the external device.
    • Notify: Sends notification alerts to designated recipients through email, webhook, or mobile app.
    • Windows message: Displays an alert pop-up in the Windows system tray.
  2. In the Channels Supported by Browser Extension area, select any of the following actions for each channel:
    • Notify: Sends notification alerts to designated recipients through email, webhook, or mobile app.
    • Windows message: Displays an alert pop-up in the Windows system tray.
  3. Click Save.
The policy is listed in the Data Policy screen.