Enterprise Recon 2.4

Risk Mapping Criteria

PRO This feature is only available in Enterprise Recon PRO Edition. To find out more about upgrading your ER2 license, please contact Ground Labs Licensing. See Subscription License for more information.


This section covers the following:

Overview

ER2 risk profiles are defined as a combination of risk level with one or more criteria. Risk profiles are mapped to a location if the sensitive data location matches at least one rule for every defined criteria.

Criteria Description
Data Types Define the data type combination and rules that must be fulfilled for the sensitive data location to match to the risk profile. See Data Types Criteria for more information.
Location

Select the Group(s) or Target(s) that the risk profile applies to.

If the All Groups option is selected, the risk profile will only be applicable to Target Groups that were available when the risk profile was created.

Risk profiles are applicable to new Targets that are added to Target Groups that were selected when the risk profile was created.

Metadata Define the metadata information that must exist for the match location. See Metadata Criteria for more information.
Access Map the location to the risk profile if any of the specified groups or users have any form of access permissions to the location. Use the following format to add domain groups or user: <domain>\<group or username>. See Data Access Management for more information.
Operation Select the operation status(es) associated with the match location. E.g. No Status, Confirmed Match, Unable to modify permissions.

See Risk Mapping for more information.

Data Types Criteria

The Data Types criteria lets you specify data type rules in terms of:

  • combination of data types, and / or
  • volume of sensitive data matches

that must be found in a location for it to be mapped to a risk profile.

Data type rules that are configured will be displayed as an expression within the Data Types section in the Settings > Analysis > Risk Profile page.

Match Count Rule

Field Description
Select a Data Type Check the match volume of the selected data type in the match location.
[Comparison Operator] Use comparison operators to determine if the match count for the data type meets a specific criteria.
  • is equal to
  • is greater or equal to
  • is greater than
  • is lesser or equal to
  • is less than
  • is not equal to
[Value] Positive integer value to be evaluated against the comparison operator.

Examples:

Select a Data Type Comparison Operator Value Description
American Express is equal to 2 Map the location to the risk profile if there are exactly 2 American Express data type matches.
United States National Provider Identifier (robust) is greater or equal to 1 Map the location to the risk profile if there is at least 1 United States National Provider Identifier (robust) data type match.
SWIFT Code is less than 10 Map the location to the risk profile if there are less than 10 SWIFT Code data type matches.

Contains or Does Not Contain Rule

Field Description
[Comparison Operator] Check if the location has at least one, or no matches for the selected data type.
  • Contains
  • Does not contain
[Select a Data Type] Data type to be evaluated against the comparison operator.

Examples:

Comparison Operator Select a Data Type Description
Contains American Express Map the location to the risk profile if there is at least one American Express data type match.
Does not contain SWIFT Code Map the location to the risk profile if there are no SWIFT Code data type matches.

Contains Any Rule

Field Description
Operator Contains any operator checks the presence of n number of unique data types from the selected data types, where the number of selected data types must be equal to or larger than n.
Select a Data Type Check the presence of the selected data types in the match location.
[Value] n number of unique data types, where n is any positive integer, e.g. 0, 1, 2, ..., n.

Examples:

Operator Select a Data Type Value Description
Contains any American Express, Visa, Mastercard, Discover 2 Map the location to the risk profile if there is at least one match for at least two of the four selected data types. For example\:
  • Location contains at least one American Express and at least one Visa match.
  • Location contains at least one match for American Express, Visa, Mastercard and Discover.

Logical and Grouping Operators

You can combine multiple data type rules with logical and grouping operators to create complex data type criteria for the Risk Profile.

Operator precedence and order of evaluation for these operators is similar to operator precedence in most other programming languages. When there are several operators of equal precedence on the same level, the expression is then evaluated based on operator associativity.

Logical Operators

The following logical comparators can be applied to standalone data type rules, or a group of data type rules:

Operator Precedence Syntax Description
NOT 1 NOT a Negates the result of any term it is applied to.
AND 2 a AND b Evaluates to TRUE if both rule a and rule b are true.
OR 3 a OR b Evaluates to TRUE if either rule a and rule b are true.
AND NOT - a AND NOT b Evaluates to TRUE if rule a is true, and rule b is false.
OR NOT - a OR NOT b Evaluates to TRUE if either rule a is true, and rule b is false.

Grouping Operators

Grouping operators can be used to combine a number of statements into a single logical statement, or to alter the precedence of operations.

You create a new group each time you create a new data type rule. You can manage the data type rules by clicking on the:

  • Group icon to group a data type rule with the rule or group preceding it, or
  • Ungroup icon to ungroup a data type rule from the rule or group preceding it, or
  • Delete icon to delete a specific data type rule.

Data Types Criteria Example

A Risk Admin creates four distinct data type rules for the "HIPAA Compliance" risk profile:

# Data Type Rule Description
1 Contains United States Social Security Number (robust) Check if the location contains at least one United States Social Security Number (robust) data type match.
2 Contains any 3 data types from United States Health Insurance Claim Number (relaxed), United States Health Plan Identifier (relaxed), Date Of Birth, Email addresses, Personal Names (English) Check if the location contains at least one match from at least three of the selected personal identifiable (PI) data types.
3 Contains any 1 data types from American Express, China Union Pay, Diners Club, Discover, JCB, Laser, Maestro, Mastercard, Private Label Card, Troy, Visa Check if the location contains at least one match from any one of the selected cardholder data types.
4 Contains any 1 data types from Generic Bank Account Number, International Bank Account Number (IBAN) Check if the location contains at least one match from any one of the selected bank account number data types.

For every data type rule created, the Risk Admin can define the logical operation and grouping relationship between the rules.

Example 1

Enterprise Recon Risk Profile Data Types Criteria Example 1

In this example, all four data type rules are kept as separate groups. The AND operator is selected for rule #2 and rule #3, while the OR operator is set for rule #4.

In this configuration, a sensitive data match location will be mapped to the "HIPAA Compliance" risk profile if either condition 1 or condition 2 is fulfilled, where:

  1. The match location contains:
    • At least one United States Social Security Number (robust) data type match, and
    • At least one match from at least three of the selected personal identifiable (PI) data types (United States Health Insurance Claim Number (relaxed), United States Health Plan Identifier (relaxed), Date Of Birth, Email addresses, Personal Names (English)), and
    • At least one match from any of the selected cardholder data types (American Express, China Union Pay, Diners Club, Discover, JCB, Laser, Maestro, Mastercard, Private Label Card, Troy, Visa).
  2. The match contains at least one Generic Bank Account Number or International Bank Account Number (IBAN) data type match.

Example 2

Enterprise Recon Risk Profile Data Types Criteria Example 2

In this example, rule #4 is grouped with the preceding rule #3 with the OR operator. Rule #1 and rule #2 remain as separate rules with the AND operator selected for the relationship between the groups.

In this configuration, a sensitive data match location will be mapped to the "HIPAA Compliance" risk profile if all the following conditions are fulfilled, where the match location contains:

  1. At least one United States Social Security Number (robust) data type match, and
  2. At least one match from at least three of the selected personal identifiable (PI) data types (United States Health Insurance Claim Number (relaxed), United States Health Plan Identifier (relaxed), Date Of Birth, Email addresses, Personal Names (English)), and
  3. At least one match from any of the selected cardholder data types (American Express, China Union Pay, Diners Club, Discover, JCB, Laser, Maestro, Mastercard, Private Label Card, Troy, Visa), or at least one match from the selected bank account number data types (Generic Bank Account Number, International Bank Account Number (IBAN)).

Metadata Criteria

The Metadata criteria lets you specify the metadata information that must be present in a sensitive data location for it to be mapped to a risk profile.

Metadata Description
Document Map the location to the risk profile if the stored document metadata matches the criteria or values defined for the (i) document owner, (ii) document creation date, and / or (iii) document modified date.
Email Map the email location to the risk profile if the stored email metadata matches the criteria or values defined for the (i) email sender, and / or (ii) date range for the email delivery.
Filesystem Map the location to the risk profile if the stored filesystem metadata matches the criteria or values defined for the (i) filesystem owner, (ii) filesystem creation date, and / or (iii) filesystem modified date.

Risk Mapping Criteria Example

A Risk Admin creates a Risk Profile with the following configuration:

Field / Criteria Value
Risk Label HIPAA Compliance (Strict)
Risk Level
High
Data Types

Risk Profile data types criteria example

Operation No Status, Confirmed Match, Unable to mask, Unable to quarantine, Unable to encrypt, Unable to delete, Unable to modify permissions

In this configuration, a sensitive data match location will be mapped to the "HIPAA Compliance (Strict)" risk profile with a risk level if all the following criteria are fulfilled:

  1. Data Types criteria
    • The match location contains at least one United States Social Security Number (robust) data type match, and
    • At least one match from at least three of the selected personal identifiable (PI) data types (United States Health Insurance Claim Number (relaxed), United States Health Plan Identifier (relaxed), Date Of Birth, Email addresses, Personal Names (English)), and
    • At least one match from any of the selected cardholder data types (American Express, China Union Pay, Diners Club, Discover, JCB, Laser, Maestro, Mastercard, Private Label Card, Troy, Visa), or
      At least one match from the selected bank account number data types (Generic Bank Account Number, International Bank Account Number (IBAN)).
  2. Operation criteria
    • The match location has any of the selected Operation statuses (No Status, Confirmed Match, Unable to mask, Unable to quarantine, Unable to encrypt, Unable to delete, Unable to modify permissions).

The "HIPAA Compliance (Strict)" risk profile may be mapped to all locations regardless of the metadata or access permissions information reported by the location since no Location, Metadata and Access criteria was configured for the risk profile.