The system allows same settings for Rules and Exceptions



Article ID: 160160


Products

Data Loss Prevention Enforce

Issue/Introduction

The system allows same settings for Rules and Exceptions.
Because DLP checks the data against a policy's exceptions first, data that matches an exception condition is exempted from that policy's rules and is allowed to be transferred without causing a match.

Environment

DLP 15.8 and later

Resolution

Relevant versions:  ALL

STEPS TO REPRODUCE
1) Log on to Enforce and select Policies under the Manage menu.
2) Click on any of the existing policies from the policy list to edit
3) Click on Add Rule under Detection Tab to add a rule
4) Select content matches Data Identifier Radio button and select data identifier; for example SSN number
5) Click "Next" to navigate to the next screen. Specify Rule name and Severity. Click "Ok" to save the Rule
6) Click on Add Exceptions under the Detection tab to add an exception
7) Select content matches Data Identifier Radio button and select same data identifier; for example SSN number
8) Click "Next" to navigate to the next screen. Specify Exception name and Click "Ok" to save the Exception

RESULTS
The system does not throw an error message or warn the user that scan rules and exceptions cannot be the same.


ANSWER
The system accepts the same data for scan rules and exceptions without any error message or warning to the user. You could say this is by design, in the sense that DLP does not explicitly cross-check the conditions set for exceptions against the rules to determine whether they will ultimately void each other out. Keep in mind that some policies rely on EDM or IDM profiles, which can be updated and could result in different "overlapping" policies; it would be very difficult to determine "on the fly" whether the rules and exceptions indeed void each other out.
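The following is an added illustration, not Enforce's own code or API: a small model of the evaluation order described above (exceptions first, a matching exception suppressing the policy's rules) together with the overlap check that Enforce does not perform, so a policy author can flag a rule that an identically configured exception voids before deploying it. Data identifier names, the simplified regex patterns and the sample content are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for the product's built-in data identifiers (assumption:
# simple regex form; the real SSN identifier applies additional validation).
DATA_IDENTIFIERS = {
    "US Social Security Number (SSN)": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Credit Card Number": re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b"),
}


@dataclass(frozen=True)
class Condition:
    """A 'content matches Data Identifier' condition from the Detection tab."""
    data_identifier: str


@dataclass
class Policy:
    name: str
    rules: dict[str, Condition] = field(default_factory=dict)       # rule name -> condition
    exceptions: dict[str, Condition] = field(default_factory=dict)  # exception name -> condition


def matches(cond: Condition, content: str) -> bool:
    return DATA_IDENTIFIERS[cond.data_identifier].search(content) is not None


def evaluate(policy: Policy, content: str) -> list[str]:
    """Evaluation order described in the article: exceptions are checked first, and
    a matching exception exempts the content from every rule in the policy."""
    if any(matches(c, content) for c in policy.exceptions.values()):
        return []
    return [name for name, c in policy.rules.items() if matches(c, content)]


def find_self_voiding(policy: Policy) -> list[tuple[str, str]]:
    """Pre-deployment check Enforce does not do: rule/exception pairs whose
    conditions are identical, which guarantees the rule can never fire."""
    return [(r, e) for r, rc in policy.rules.items()
            for e, ec in policy.exceptions.items() if rc == ec]


def reproduce_article_policy() -> Policy:
    """The configuration from STEPS TO REPRODUCE: the same identifier as rule and exception."""
    p = Policy("Article repro")
    p.rules["SSN rule"] = Condition("US Social Security Number (SSN)")
    p.exceptions["SSN exception"] = Condition("US Social Security Number (SSN)")
    return p
```

Running `find_self_voiding` over every policy after editing is the cheapest way to catch the configuration the article describes; `evaluate` shows why such a policy never produces an incident.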