New Data Loss Prevention (DLP) Policies

With data loss prevention (DLP) policies in MangoApps, you can identify, monitor, alert on and protect sensitive information in your MangoApps community.

  • Data Loss Prevention (DLP) Overview

With DLP policies, MangoApps allows organizations to:

    • Identify sensitive information across any content type
    • Help employees learn how to stay compliant without interrupting their workflow
    • Alert domain & compliance admins on their dashboard when any policy is violated
    • Get a full domain-wide view showing content that matches your organization’s DLP policies
    • Get started easily with pre-shipped patterns for PII & Financial related sensitive data
    • Have the power to create your own custom patterns for sensitive information and make them go live in minutes with no code & no IT support
Info: This feature is available as part of the 'Compliance AddOn' to the enterprise edition of MangoApps Essentials & Mango Suite. Talk to your CSM/TAM to enable this feature if you don’t see it in the Admin portal under “Compliance”.

 

  • Identify Sensitive Information

    • DLP policy rules for ‘US – PII Data Patterns’, ‘US – Financial patterns’ etc. help identify sensitive information shared in any content in your MangoApps domain
    • When activated, a policy rule checks for sensitive information in all the different MangoApps content types. These include updates, posts, messages, pages, files, chat, wikis, polls, tasks notes, ideas, surveys, comments, replies & more. For example, you can identify any document, post, message etc. containing, say, a credit card number
    • A policy rule identifies sensitive information in content that is created/shared/uploaded in MangoApps after the policy was activated
    • MangoApps ships with patterns to identify the following sensitive information
      • US Social Security Number (SSN)
      • US Passport Number
      • US Driver’s License Number
      • US Taxpayer Identification Number (ITIN)
      • US Bank Account Number
      • Credit Card Number
    • Domain admins / Compliance admins can create custom policy rules to identify sensitive information in addition to the above listed ones
    • If there are multiple occurrences of the sensitive information set up in the policy rule in the content a user posts, MangoApps will identify all of the occurrences
    • All types of content & files are re-checked for sensitive information against the activated policy rules when they are posted, edited or updated, or when a new version of a file is uploaded
    • Domain admins & compliance admins can take the following actions on the policy rules (Note: These actions are available starting release 15.0.3)
      • Do a test run on the policy rule and see the sensitive information caught in the ‘Matches Log’
      • Edit the policy rule details
      • View the matches of sensitive information found by this policy rule
      • Delete the policy, which deletes the rule & the matches log entries found by it
    • Domain admins & compliance admins can also create new policies with custom patterns to identify sensitive information not included in the pre-defined patterns

 

  • Monitor Sensitive Information

    • DLP policies that are activated monitor the content that is shared and add it to the ‘matches log’
    • The ‘matches log’ gives a list of all types of content that contains the sensitive information matched as per the policy rules
    • Domain admins & compliance admins can get to know the following information from the matches log
      • Posted by user: User who posted the content / uploaded the file
      • Posted on date: Date & time when the content / file was added in MangoApps
      • Item type: This includes post, message, chat, file, page, wiki, update etc
      • Item title: Title/subject/content preview is seen here.
      • Policy matched: Name of the policy rule that detected the sensitive information in the content
      • Pattern matched: The sensitive information found. For example, US social security number (SSN), US passport number, US driver’s license number, credit card number etc.
      • Pattern occurrence count: No. of times the sensitive information was found
      • Status: Active or closed
      • Action Taken:
        • Logged only
        • Notification sent to N admins (Note: This value is available starting release 15.0.3)
        • Notification sent to N admins & sender (Note: This value is available starting release 15.0.3)
    • Domain admins & compliance admins can take the following actions on the content that has sensitive information
      • View the content/item details (Note: Permissions on the specific item can even disallow admins from seeing it)
      • Message the sender with the link to the item to remove the sensitive information (Note: This action is available starting release 15.0.3)
      • Close the alert when the sensitive information has been removed, or by providing an explanation for the identified sensitive information, e.g., false positive, business need etc.

 

  • Policy Alerts Daily Digest Email

    • Domain & compliance admins can receive a daily digest email that lists all sensitive information shared in your domain in the last 24 hours
    • Domain & compliance admins can use this information to message the user to remove the sensitive information, or remove the information themselves (if they have edit permission on the content)
    • By default this digest email is ON but individual domain admins / compliance admins can turn it OFF (Note: Ability to turn OFF is available starting release 15.0.3)

 

  • Policy Alert Life Cycle Management

    • DLP policy match alerts are generated when users post content containing sensitive information that matches the pattern configured in a policy rule
    • These alerts are listed in the ‘DLP Active Alerts’ dashboard widget for domain & compliance admins to act upon (Note: This widget is available starting release 15.0.3)
    • Domain & compliance admins can take the following actions on the policy match alert
      • Close Alert
        • Ability to move the policy alert from active to closed state
        • They need to provide an explanation when closing the policy alert
        • Only domain & compliance admins can close an alert
      • Reopen Alert
        • Domain & compliance admins can re-open an alert for any reason
    • Domain & compliance admins can also configure real-time notifications for when any user shares content that has sensitive information

 

  • Help Users Learn How to Stay Compliant

    • Domain & compliance admins can educate users about DLP policies and help them remain compliant by messaging them the link to the content with sensitive information.
    • Domain & compliance admins can also configure an action to notify the user when the content they share has sensitive information. For example, if a user tries to share a document containing sensitive information, a DLP policy can both send them a notification (over email or mobile) and include the link of the document indicating the sensitive information found. (Note: This option is available starting release 15.0.3)

  • Audit Log

    • The audit log captures the following DLP policy rule activities
      • Policy rule was activated
      • Policy rule was deactivated
      • Policy rule was changed
      • Policy rule and all the associated matches log entries were deleted

 

  • Rollout Suggestions for DLP policies

    • When you create your DLP policies, you should consider rolling them out gradually to assess their impact and test their effectiveness before fully enforcing them. For example, you don’t want a new DLP policy to unintentionally generate false positives that hinder people from getting their work done.
    • If you’re creating a DLP policy using a ‘Custom Pattern’, we recommend following this sequence:
      1. Start by doing a test run on the DLP policy and then use the DLP Matches Log to assess the correctness. You can use the matches log to check the pattern matched, occurrences and notifications. Based on the results, you can fine-tune the policy rule pattern as needed. In test run mode, DLP policies will not impact the productivity of people working in your organization.
      2. Move to an admin-notification-only production mode so that you can check the matches on a daily basis with a digest email, and then begin to teach users about your compliance policies and prepare them for the rules that are going to be applied. At this stage, you can check for false positives so that you can further refine the policy rule pattern.
      3. Move to full production mode on the policies, with the action of notifying the sender applied in the rules, so that the sender is notified and content is protected. Continue to monitor the DLP matches log and the digest email to make sure that the results are what you intend.
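
A way to rehearse step 1 offline before a custom pattern goes near a live rule, as an added example that is not MangoApps code: it scores a candidate credit-card pattern against labelled sample content and shows how a checksum refinement removes a false positive. The regular-expression syntax, the Luhn refinement and the sample texts are assumptions; the page does not state how custom patterns are written.

```python
import re

# Constructed sample content: (text, number of real card numbers it contains).
# The card numbers are the well-known public test values, not real accounts.
SAMPLES = [
    ("Card on file: 4111 1111 1111 1111, backup 5500-0000-0000-0004", 2),
    ("Tracking number 1234 5678 9012 3456 shipped today", 0),
    ("Order 20240115000012345678 confirmed", 0),
    ("No sensitive data here", 0),
]

# Candidate pattern (assumed regex syntax): 16 digits in groups of four with
# optional space or hyphen separators, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)\d{4}(?:[ -]?\d{4}){3}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_matches(text: str, validate: bool = False) -> list:
    """Return every occurrence of the pattern, optionally Luhn-filtered."""
    hits = [m.group(0) for m in CANDIDATE.finditer(text)]
    if validate:
        hits = [h for h in hits if luhn_ok(re.sub(r"\D", "", h))]
    return hits

def evaluate(samples, validate: bool = False) -> dict:
    """Compare occurrence counts per item against the labelled truth."""
    tp = fp = fn = 0
    for text, expected in samples:
        found = len(find_matches(text, validate))
        tp += min(found, expected)
        fp += max(found - expected, 0)
        fn += max(expected - found, 0)
    return {"true_pos": tp, "false_pos": fp, "false_neg": fn}

if __name__ == "__main__":
    print("pattern only :", evaluate(SAMPLES))
    print("with checksum:", evaluate(SAMPLES, validate=True))
```

The pattern alone flags the tracking number as a card; the checksum pass drops it while keeping both real occurrences, which is the kind of result to look for in the matches log before moving to step 2.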