How can I disable smart identifiers from triggering on headers / metadata?

keithsauer507
Level 5

We have IronPort encryption auto enabled for certain smart dictionaries like SS#, ABA Numbers, etc... and for the most part this works, however there are some false positives we need to work through.

This request is coming from an EVP of Marketing so I will open a case with TAC, but while I wait for that response I figured I would also post here because maybe someone has gone through this before and has a solution.

So the head of marketing emails a simple calendar invite to a few individuals and it goes out encrypted through CRES. It's flagged on the ABA number rule and, although it was a simple calendar invite with no text but his Exchange-applied corporate signature, it was encrypted because of this in the header:

X-MICROSOFT-CDO-OWNERAPPTID:299575265

How can this be prevented?

3 Replies

Libin Varghese
Cisco Employee

Hi Keith,

Social Security numbers can be almost any string of 9 digits.

To minimize false positives, it is helpful to use the *ssn smart identifier along with the "only-body-contains" filter condition.

This should only catch messages where the SSN is present in all of the message body mime parts, and ignore matches both in the headers and within the HTML tags of multipart/alternative messages with text and HTML parts.

Thank You!

Libin Varghese

Ok, we originally had it set up to look at Body and Attachment for fear that someone might, say, attach an Excel spreadsheet or Word document of credit card numbers, SS numbers, checking accounts and ABAs, etc., and email it out.

We are going to be rolling out the Digital Guardian DLP solution that might help identify some of that, so maybe we will scale this back to just checking the body.

Keith,

Yes, that would make sense. With the current setup the filter does happen to trigger on headers and HTML tags as well.

- Libin V
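Added example (not part of the thread, and not how the appliance's smart identifier is implemented): the value quoted in the question, 299575265, happens to pass the standard ABA routing-number checksum, which is why a nine-digit match on it looks genuine. The sketch below uses that checksum as a stand-in for the smart identifier (an assumption) and scans a constructed message, with the value placed in a header as the post describes, to show how a header-wide scan and a body-only scan differ.

```python
import re
from email import message_from_string

# Constructed sample message; only the X-MICROSOFT-CDO-OWNERAPPTID value is from the thread.
SAMPLE = """\
From: evp@example.com
To: team@example.com
Subject: Planning meeting
X-MICROSOFT-CDO-OWNERAPPTID: 299575265
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please join the planning meeting on Tuesday.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please join the planning meeting on Tuesday.</p></body></html>
--b1--
"""

# Exactly nine digits, not embedded in a longer run of digits.
NINE_DIGITS = re.compile(r"(?<!\d)\d{9}(?!\d)")

def aba_checksum_ok(num: str) -> bool:
    """Standard ABA routing checksum: weights 3, 7, 1 repeated; sum must be 0 mod 10."""
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(num, weights)) % 10 == 0

def aba_hits(text: str) -> list:
    """Return nine-digit strings in text that pass the ABA checksum."""
    return [m for m in NINE_DIGITS.findall(text) if aba_checksum_ok(m)]

def scan(raw: str) -> dict:
    """Report checksum-valid candidates separately for headers and text body parts."""
    msg = message_from_string(raw)
    header_text = "\n".join(f"{k}: {v}" for k, v in msg.items())
    body_text = "\n".join(
        part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk()
        if part.get_content_maintype() == "text"
    )
    return {"headers": aba_hits(header_text), "body": aba_hits(body_text)}

if __name__ == "__main__":
    print(scan(SAMPLE))
```
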