Creating Data Loss Prevention and Data Access Control Policies

edited February 2023 in XQ Dashboard
Data Loss Prevention (DLP) and Data Access Control (DAC) Policies are custom rules that trigger specific actions when emails are sent or opened. These policies help to protect sensitive data and control access to resources.

This article provides guidance on creating policies and examples of best practices.
Note: The examples in this article are best practices. We recommend discussing your DLP and DAC Policies with your CMMC assessor to ensure compliance with NIST 800-171 requirements.


Access the Policy Manager

Using XQ's Policy Manager, you can configure DLP and DAC Policies right from your team's XQ Dashboard. Use the following steps to access the Policy Manager in your dashboard:

Step 1: In the XQ Dashboard, click Policy Manager in the left-hand navigation bar.
XQ Dashboard

Step 2: Click Create Policy to launch the New Policy page.
New Policy page

Step 3: On the New Policy page, use the Type drop-down menu to choose your policy type. The available types are Data Loss and Data Access.
Choose a policy type drop-down

Use the following sections in this article to create your Data Loss and Data Access policies.

Creating Data Loss Prevention Policies

Creating Data Loss Prevention (DLP) Policies in XQ ensures the protection of controlled unclassified information (CUI) using automated encryption. With XQ, you can secure your data anywhere it travels.

DLP Policies play a crucial role in meeting CMMC compliance requirements, as they:
  • Help companies fulfill multiple NIST 800-171 requirements.
  • Enable companies to identify the types of data that require encryption.
  • Allow companies to create custom profiles and rules for different types of data.

Create a new policy

Use the following steps to create a Data Loss Prevention (DLP) Policy:

Step 1: Launch the Policy Manager in your XQ Dashboard and click Create Policy If you have already created a policy previously, click the ADD NEW button at the top of the page.

Step 2: On the New Policy page, name your policy for future reference and select Data Loss from the Type drop-down.

Step 3: Choose your policy's Conditions. Conditions control which criteria must be met to activate your policy. You can choose between these options:
  • Data: What body of data is being referenced? For now, you can only choose Email.
  • Field: What field is being referenced in your email? You can choose whether to reference a recipient or the contents within the message itself.
  • Operator: Select the available operator from the drop-down. The operator works by triggering your policy if the Data Type includes your chosen Value. Operator options change depending on the field you choose.
  • Data Type: Choose whether to allow or restrict email access based on your chosen Field. The options will change depending on the field you choose. For example, if your field is To/Recipient, you can choose between Domain and Email Address. If your field is Body, you can choose between Keywords and Pattern.
  • Value: Depending on your chosen Data Type, enter a value or select from the dropdown list.
You can add more conditions by clicking Add Condition in the top-right corner. If you have more than one condition, you can choose whether All or Any conditions are met to then trigger your action. You can also add more than one condition if necessary.
Add conditions step

Step 4: Choose whether to Send or Block the message. For example, if you want to prevent team members from sending messages containing specific keywords, select Block.
Send or block setting

Step 5: Then, choose to execute any of the following actions:
  • Notify User: Notifies the user who created the message. You can customize the message that is sent.
  • Log: Log this event in the event log. You can customize the message included in this log.
  • Auto-Encrypt: Automatically encrypts the message.
You can add more actions by clicking the Add Action button in the top-right corner.

Step 6: Click Add Policy at the top-right corner of the page to save your Data Loss Prevention Policy.

Best practice recommendation: Auto-encryption

To achieve CMMC compliance with Data Loss Prevention (DLP) Policies, we recommend creating auto-encryption policies in XQ. Auto-encryption policies allow you to create criteria using keywords or specific conditions. This eliminates the chance of human error and ensures that all sensitive information is properly encrypted before being sent.

For CMMC compliance, we recommend using the following keywords for your auto-encryption policy:
  • CUI
  • Confidential
  • Controlled
  • Classified
  • FAO
  • Invoice
  • JADC2
  • NDA
You can use additional keywords to ensure your auto-encryption policies are thorough and effective. The more keywords and conditions you add, the stronger your auto-encryption policies are. We recommend discussing your auto-encryption keywords with your CMMC assessor to ensure compliance with NIST 800-171 requirements.

The following example provides an example of an auto-encryption policy that uses keywords:



As an additional measure to ensure the security of sensitive information, we suggest automating the encryption of all email attachments. This guarantees that all attachments are always protected by encryption, regardless of their contents.

Creating Data Access Control Policies

Data Access Control (DAC) policies empower the system administrator to set rules for accessing a resource. These rules are established by assigning permissions to designated users. With DAC policies, the administrator can determine who can access the resource and the level of access they are permitted.

DAC Policies play a crucial role in meeting CMMC compliance requirements, as they:
  • Help companies fulfill multiple NIST 800-171 requirements.
  • These policies provide administrators the ability to establish who is authorized to access a resource and the actions they are allowed to perform with it.

Create a new policy

Step 1: Launch the Policy Manager in your XQ Dashboard and click Create Policy If you have already created a policy previously, click the ADD NEW button at the top of the page.

Step 2: On the New Policy page, name your policy for future reference and select Data Access from the Type drop-down.

Step 3: Choose your policy's Conditions. Conditions control which criteria must be met to activate your policy. You can choose between these options:
  • Data: What body of data is being referenced? For now, you can only choose Email.
  • Event: What event is happening to your email? For now, you can only choose Access.
  • Operator: Choose to trigger your policy if the Data Type is From or Not From a country or IP address.
  • Data Type: Choose whether you're allowing or restricting email access based on countries or IPs.
  • Value: Depending on your chosen Data Type, select a country or input an IP address.
Step 4: Choose whether to Send or Block if your conditions are met.
Send or block setting

Step 5: Choose an Action. The available options include:
  • Alert Admin: This action sends a customized email to a specific admin. Optionally, you can include '$User' in your message to display the email address of any user attempting to send a message affected by your policy (eg. $USER tried sending a message with the word 'password' included).
  • Notify User: This action notifies the user who created the message. You can customize the message that is sent.
  • Log: This action logs this event in the event log. You can customize the message included in this log.
You can add more actions by clicking the Add Action button in the top-right corner.

Step 6: Click Add Policy at the top-right corner of the page to save your Data Access Control Policy.

Best practice recommendation: Location-based restriction

Location-based restriction policies enable you to limit access to resources based on geographical location. These policies prevent unauthorized individuals located outside the designated geographical location from accessing the resource.

This example shows a location-based restriction policy that restricts data access from outside the United States:


Best practice recommendation: IP address restriction

Further limiting access through IP address restrictions provides a more secure way of controlling user access. When implementing this type of policy, specific IP addresses are designated as authorized for accessing a resource. Attempts to access data from an unapproved IP address will be blocked.

This example shows an IP address-based restriction policy that restricts data access to one authorized IP address:
Tagged:
Sign In or Register to comment.