Actions define how a DLP policy responds to policy violations. These actions can range from passive monitoring to full enforcement:
- Allow: The action is allowed but logged for auditing purposes. This is only available for device-scoped policies.
- Audit only: The action is allowed, but the event logged. This lets you collect data without disrupting workflows and can include alerts and notifications to help train users.
- Block with override: The user’s action is blocked, but they can override it by providing a justification. This can help you identify false positives during policy refinement.
- Block: The action is fully blocked, and users can’t proceed. Alerts and notifications are generated to inform administrators of the violation.
By starting with actions like Audit only and gradually moving toward more restrictive actions like Block with override or Block, you can tune policies without disrupting daily operations.
Understand simulation mode
Simulation mode allows you to see how a DLP policy would behave in your environment without fully enforcing it. This mode runs as if the policy were fully deployed, but no actions are taken, so there’s no effect on user activity or business processes. Unlike previous Test modes, all simulated results are reported in a dedicated dashboard, giving you full visibility into the policy’s potential effect.
Why use simulation mode?
- Test the effect of the policy: Simulation mode shows which items would be flagged if the policy were enforced, helping you evaluate the scope and effectiveness of the policy.
- Tune policies: Using the simulation results, you can adjust the conditions, actions, or scope of the policy to minimize false positives and ensure the policy aligns with business needs.
- Educate users: In simulation mode with policy tips, users are informed about risky behaviors without being blocked, raising awareness of compliance requirements.
Leave a Reply