Enterprise Recon 2.6.1

Classification Policy

PRO This feature is only available in Enterprise Recon PRO Edition. To find out more about upgrading your ER2 license, please contact Ground Labs Licensing. See Subscription License for more information.



Overview

The Automatic Classification feature in ER2 enables Microsoft Information Protection (MIP) sensitivity labels to be applied automatically to sensitive data locations upon completion of a scan. Each Classification Policy in ER2:

  • is associated with a single MIP sensitivity label, and
  • is defined by one or more criteria.

Criteria | Description
--- | ---
Data Types | Define the data type combination and rules that must be fulfilled for the sensitive data location to be mapped to the classification policy. See Data Types Criteria for more information.
Location | Select the Group(s) or Target(s) that the classification policy applies to. If the All Groups option is selected, the classification policy will only be applicable to Target Groups that were available when the classification policy was created. Classification policies are applicable to new Targets that are added to Target Groups that were selected when the classification policy was created.
Metadata | Define the metadata information that must exist for the match location. See Metadata Criteria for more information.
Access | Map the location to the classification policy if any of the specified groups or users have any form of access permissions to the location. Use the following format to add domain groups or users: <domain>\<group or username>. See Data Access Management for more information.
Operation | Select the operation status(es) associated with the match location, e.g. No Status, Confirmed Match, Unable to modify permissions.

After a successfully completed scan, ER2 analyzes each sensitive data location (from the completed scan) and automatically applies the corresponding MIP sensitivity label if the location matches the criteria defined in a given classification policy. If the sensitive data location matches the criteria for multiple classification policies, ER2 applies the MIP sensitivity label for the classification policy with the highest priority.

The MIP sensitivity label and status will be reflected in the Investigate page accordingly.

See Data Classification with MIP for more information.

Data Types Criteria

The Data Types criteria lets you specify data type rules in terms of:

  • combination of data types, and / or
  • volume of sensitive data matches

that must be found in a location for it to be mapped to a classification policy.

Data type rules that are configured will be displayed as an expression within the Data Types section in the Settings > Analysis > Classification page.

Match Count Rule

Field | Description
--- | ---
Select a Data Type | Check the match volume of the selected data type in the match location.
[Comparison Operator] | Use a comparison operator to determine if the match count for the data type meets a specific criterion. One of: is equal to, is greater or equal to, is greater than, is lesser or equal to, is less than, is not equal to.
[Value] | Positive integer value to be evaluated against the comparison operator.

Examples:

Select a Data Type | Comparison Operator | Value | Description
--- | --- | --- | ---
American Express | is equal to | 2 | Map the location to the classification policy if there are exactly 2 American Express data type matches.
United States National Provider Identifier (robust) | is greater or equal to | 1 | Map the location to the classification policy if there is at least 1 United States National Provider Identifier (robust) data type match.
SWIFT Code | is less than | 10 | Map the location to the classification policy if there are fewer than 10 SWIFT Code data type matches.

Contains or Does Not Contain Rule

Field | Description
--- | ---
[Comparison Operator] | Check if the location has at least one match, or no matches, for the selected data type. One of: Contains, Does not contain.
[Select a Data Type] | Data type to be evaluated against the comparison operator.

Examples:

Comparison Operator | Select a Data Type | Description
--- | --- | ---
Contains | American Express | Map the location to the classification policy if there is at least one American Express data type match.
Does not contain | SWIFT Code | Map the location to the classification policy if there are no SWIFT Code data type matches.

Contains Any Rule

Field | Description
--- | ---
Operator | The Contains any operator checks for the presence of n unique data types among the selected data types, where the number of selected data types must be equal to or larger than n.
Select a Data Type | Check the presence of the selected data types in the match location.
[Value] | n, the number of unique data types that must be present, where n is any positive integer, e.g. 0, 1, 2, ...

Examples:

Operator | Select a Data Type | Value | Description
--- | --- | --- | ---
Contains any | American Express, Visa, Mastercard, Discover | 2 | Map the location to the classification policy if there is at least one match for at least two of the four selected data types. For example: the location contains at least one American Express and at least one Visa match; or the location contains at least one match for each of American Express, Visa, Mastercard and Discover.

Logical and Grouping Operators

You can combine multiple data type rules with logical and grouping operators to create complex data type criteria for the Classification Policy.

Operator precedence and order of evaluation for these operators is similar to operator precedence in most other programming languages. When there are several operators of equal precedence on the same level, the expression is then evaluated based on operator associativity.

Logical Operators

The following logical comparators can be applied to standalone data type rules, or a group of data type rules:

Operator | Precedence | Syntax | Description
--- | --- | --- | ---
NOT | 1 | NOT a | Negates the result of any term it is applied to.
AND | 2 | a AND b | Evaluates to TRUE if both rule a and rule b are true.
OR | 3 | a OR b | Evaluates to TRUE if either rule a or rule b is true.
AND NOT | - | a AND NOT b | Evaluates to TRUE if rule a is true and rule b is false.
OR NOT | - | a OR NOT b | Evaluates to TRUE if either rule a is true or rule b is false.

Grouping Operators

Grouping operators can be used to combine a number of statements into a single logical statement, or to alter the precedence of operations.

You create a new group each time you create a new data type rule. You can manage the data type rules by clicking on the:

  • Group icon to group a data type rule with the rule or group preceding it, or
  • Ungroup icon to ungroup a data type rule from the rule or group preceding it, or
  • Delete icon to delete a specific data type rule.

Data Types Criteria Example

A Classification Admin creates four distinct data type rules for the "HIPAA" classification policy that is associated with the "Confidential" MIP sensitivity label:

# | Data Type Rule | Description
--- | --- | ---
1 | Contains United States Social Security Number (robust) | Check if the location contains at least one United States Social Security Number (robust) data type match.
2 | Contains any 3 data types from United States Health Insurance Claim Number (relaxed), United States Health Plan Identifier (relaxed), Date Of Birth, Email addresses, Personal Names (English) | Check if the location contains at least one match from at least three of the selected personal identifiable (PI) data types.
3 | Contains any 1 data types from American Express, China Union Pay, Diners Club, Discover, JCB, Laser, Maestro, Mastercard, Private Label Card, Troy, Visa | Check if the location contains at least one match from any one of the selected cardholder data types.
4 | Contains any 1 data types from Generic Bank Account Number, International Bank Account Number (IBAN) | Check if the location contains at least one match from any one of the selected bank account number data types.

For every data type rule created, the Classification Admin can define the logical operation and grouping relationship between the rules.

Example 1

Enterprise Recon Classification Policy Data Types Criteria Example 1

In this example, all four data type rules are kept as separate groups. The AND operator is selected for rule #2 and rule #3, while the OR operator is set for rule #4.

In this configuration, a sensitive data match location will be mapped to the "HIPAA" classification policy and the "Confidential" MIP sensitivity label will be applied if either condition 1 or condition 2 is fulfilled, where:

  1. The match location contains:
    • At least one United States Social Security Number (robust) data type match, and
    • At least one match from at least three of the selected personal identifiable (PI) data types (United States Health Insurance Claim Number (relaxed), United States Health Plan Identifier (relaxed), Date Of Birth, Email addresses, Personal Names (English)), and
    • At least one match from any of the selected cardholder data types (American Express, China Union Pay, Diners Club, Discover, JCB, Laser, Maestro, Mastercard, Private Label Card, Troy, Visa).
  2. The match location contains at least one Generic Bank Account Number or International Bank Account Number (IBAN) data type match.

Example 2

Enterprise Recon Classification Policy Data Types Criteria Example 2

In this example, rule #4 is grouped with the preceding rule #3 with the OR operator. Rule #1 and rule #2 remain as separate rules with the AND operator selected for the relationship between the groups.

In this configuration, a sensitive data match location will be mapped to the "HIPAA" classification policy and the "Confidential" MIP sensitivity label will be applied if all the following conditions are fulfilled, where the match location contains:

  1. At least one United States Social Security Number (robust) data type match, and
  2. At least one match from at least three of the selected personal identifiable (PI) data types (United States Health Insurance Claim Number (relaxed), United States Health Plan Identifier (relaxed), Date Of Birth, Email addresses, Personal Names (English)), and
  3. At least one match from any of the selected cardholder data types (American Express, China Union Pay, Diners Club, Discover, JCB, Laser, Maestro, Mastercard, Private Label Card, Troy, Visa), or at least one match from the selected bank account number data types (Generic Bank Account Number, International Bank Account Number (IBAN)).
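To make the difference between Example 1 and Example 2 concrete, the evaluator below is an added illustration (not Ground Labs' code or the ER2 rule engine) that models the Match Count, Contains / Does Not Contain and Contains Any rules plus the logical and grouping operators in Python, then evaluates both examples against constructed match counts. The function and variable names (match_count, contains_any, label_for, EXAMPLE_1, IBAN_ONLY and so on) are assumptions made for the example.

```python
import operator
from typing import Callable, Dict

Counts = Dict[str, int]          # data type name -> match count in one location
Rule = Callable[[Counts], bool]  # a data type rule evaluated against those counts

# Match Count rule: the six comparison operators, keyed by their ER2 labels.
COMPARE = {"is equal to": operator.eq, "is greater or equal to": operator.ge,
           "is greater than": operator.gt, "is lesser or equal to": operator.le,
           "is less than": operator.lt, "is not equal to": operator.ne}

def match_count(data_type: str, op: str, value: int) -> Rule:
    return lambda c: COMPARE[op](c.get(data_type, 0), value)
def contains(data_type: str) -> Rule:          # Contains rule
    return lambda c: c.get(data_type, 0) >= 1
def does_not_contain(data_type: str) -> Rule:  # Does Not Contain rule
    return lambda c: c.get(data_type, 0) == 0
def contains_any(n: int, *data_types: str) -> Rule:
    # Contains Any rule: at least n of the selected data types have a match.
    if n > len(data_types):
        raise ValueError("n must not exceed the number of selected data types")
    return lambda c: sum(c.get(d, 0) >= 1 for d in data_types) >= n

# Logical operators; a group is expressed by nesting the calls.
def NOT(a: Rule) -> Rule: return lambda c: not a(c)
def AND(a: Rule, b: Rule) -> Rule: return lambda c: a(c) and b(c)
def OR(a: Rule, b: Rule) -> Rule: return lambda c: a(c) or b(c)

# The four rules of the "HIPAA" policy from the Data Types Criteria Example.
R1 = contains("United States Social Security Number (robust)")
R2 = contains_any(3, "United States Health Insurance Claim Number (relaxed)",
                  "United States Health Plan Identifier (relaxed)",
                  "Date Of Birth", "Email addresses", "Personal Names (English)")
R3 = contains_any(1, "American Express", "China Union Pay", "Diners Club", "Discover", "JCB",
                  "Laser", "Maestro", "Mastercard", "Private Label Card", "Troy", "Visa")
R4 = contains_any(1, "Generic Bank Account Number", "International Bank Account Number (IBAN)")

# Example 1 (all rules ungrouped): AND binds tighter than OR, so (1 AND 2 AND 3) OR 4.
EXAMPLE_1 = OR(AND(AND(R1, R2), R3), R4)
# Example 2 (rule 4 grouped with rule 3): 1 AND 2 AND (3 OR 4).
EXAMPLE_2 = AND(AND(R1, R2), OR(R3, R4))

# Constructed match counts for two locations (not real scan results).
IBAN_ONLY = {"International Bank Account Number (IBAN)": 1}
PATIENT_FILE = {"United States Social Security Number (robust)": 2, "Date Of Birth": 1,
                "Email addresses": 3, "Personal Names (English)": 5, "Visa": 1}

def label_for(policy: Rule, counts: Counts) -> str:
    # MIP label the "HIPAA" policy would apply to the location, or "" when it does not match.
    return "Confidential" if policy(counts) else ""
```

For the IBAN-only location, Example 1 applies the Confidential label while Example 2 does not, which is exactly the difference the grouping makes; the patient file is labelled under both.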

Metadata Criteria

The Metadata criteria lets you specify the metadata information that must be present in a sensitive data location for it to be mapped to a classification policy.

Metadata | Description
--- | ---
Document | Map the location to the classification policy if the stored document metadata matches the criteria or values defined for the (i) document owner, (ii) document creation date, and / or (iii) document modified date.
Email | Map the email location to the classification policy if the stored email metadata matches the criteria or values defined for the (i) email sender, and / or (ii) date range for the email delivery.
Filesystem | Map the location to the classification policy if the stored filesystem metadata matches the criteria or values defined for the (i) filesystem owner, (ii) filesystem creation date, and / or (iii) filesystem modified date.

Classification Policy Criteria Example

A Classification Admin creates a classification policy with the following configuration:

Field / Criteria | Value
--- | ---
Policy Name | HIPAA
MIP Sensitivity Label | Confidential
Data Types | (Figure: Classification Policy data types criteria example)
Operation | No Status, Confirmed Match, Unable to mask, Unable to quarantine, Unable to encrypt, Unable to delete, Unable to modify permissions

In this configuration, a sensitive data match location will be mapped to the "HIPAA" classification policy and the "Confidential" MIP sensitivity label will be applied if all the following criteria are fulfilled:

  1. Data Types criteria
    • The match location contains at least one United States Social Security Number (robust) data type match, and
    • At least one match from at least three of the selected personal identifiable (PI) data types (United States Health Insurance Claim Number (relaxed), United States Health Plan Identifier (relaxed), Date Of Birth, Email addresses, Personal Names (English)), and
    • At least one match from any of the selected cardholder data types (American Express, China Union Pay, Diners Club, Discover, JCB, Laser, Maestro, Mastercard, Private Label Card, Troy, Visa), or
      At least one match from the selected bank account number data types (Generic Bank Account Number, International Bank Account Number (IBAN)).
  2. Operation criteria
    • The match location has any of the selected Operation statuses (No Status, Confirmed Match, Unable to mask, Unable to quarantine, Unable to encrypt, Unable to delete, Unable to modify permissions).

The "HIPAA" classification policy may be mapped to all locations regardless of the metadata or access permissions information reported by the location, since no Location, Metadata or Access criteria were configured for the classification policy.