Data is prone to leaks and theft, especially when it involves external parties. With Zoho Cliq's DLP, you can implement organizational strategies to help reduce data leaks and theft across your organization. Getting started is easy—simply create a DLP policy within Zoho Cliq to safeguard your data and enhance security throughout the organization.
Where do I find this in the admin panel?
Navigate to the Admin Panel -> Data Administration -> Data Loss Prevention.
The DLP module is divided into three sub-sections, such as:
Policies
Policies are defined to ensure how sensitive data should be handled, monitored, and protected in an organization. They protect a wide range of sensitive information types and set rules tailored to your requirements.
Active and inactive policies
By default, you can view the list of active policies that are currently enforced in the organization and also convert active policies to inactive policies, or vice versa.
Create a policy
Select the create policy button under Policies to create a policy and follow the below steps.
Step 1: Select Category
Select a category from the below options:
Existing template
When selecting templates, you'll see three predefined categories: Privacy, Finance, and Healthcare. Each category includes policies for five regions: India, the US, Australia, Canada, and the UK. You can choose a template from these categories or create a custom policy.
Create from scratch
You can create a custom policy by selecting the Create from scratch option.
Step 2: Policy details
The next step would be to add policy details such as policy name and description.
Sensitive information types are categories or classifications of data that are valuable, critical, and confidential and need measures to protect them.
Default and custom
Zoho Cliq has some predefined sensitive information types that you can select from. You can also create your own sensitive information type.
To create a sensitive information type:
Select Add New Sensitive Information Type.
Add a name and description, then choose a primary method.
You can either enter a regular expression or provide a set of keywords, separated by commas.
Note:
- If any keyword from the set matches, the DLP action will be triggered.
- Alternatively, you can upload a file as a dictionary as the primary method.
- The file you import should be only of the '.txt' format.
Step 3: Update sensitive information types and rules
Add sensitive information type
If you've selected a template, the associated information types will be automatically added.
You can also add additional information types to the template.
To protect specific data relevant to your organization, you have the option to create custom information types as needed.
If you have selected existing templates, the list will be updated. Otherwise, you can add a sensitive information type here. You can create your own sensitive information types depending on the kind of organization data you want to protect.
If you are creating a policy from scratch, you ll have to select at least one sensitive information type and click Add.
Create DLP rules
Rules are sets of criteria and conditions that are used to define how sensitive data should be protected in an organization. You can create up to five rules for a policy. To create a rule, you'll need to define the following:
Rule name: Add a name to the rule.
Select users: You can select all users or apply the rule to specific users/roles/departments.
Select chats: You can select all chats or apply the rule to specific chat types from the options.
Select actions: You can select the following actions that can be performed on a message when the rule is met: Block, Block & allow only after approval, Block & allow override, and Allow and audit.
How rules work?
In a DLP policy, you can apply rules to all users or select specific users, departments, or roles. Multiple rules can also be added to a single DLP policy.
When a DLP policy includes multiple rules with different user selections and actions, the rule with the most restrictive DLP action will be enforced.
If there are multiple policies with single rules, the policy with the most restrictive action will apply.
Example:
In a DLP policy:
How it works: If a user belongs to both the Engineering Department and has the HR Admin role, they will still be blocked from sending sensitive information because the most restrictive action (Block) is applied.
Once the sensitive information types are added and the rules are set, you can select Next.
Step 4: Alerts
The organization admin can choose whether they or other admins should be notified when a rule violation occurs in chat. The admins selected in the 'Notify admin' field will receive a policy violation alert message. Here, you can specify the alert severity and add a policy tip to be displayed to the user who violates the policy.
Note:
Alert severity works as a reference to help organization admins categorise the importance of each DLP policies in better way.
Admins can select "Low, Medium, or High" in the severity option. This will create visual distinction in the Alert module's listing, helping to filter out alerts with "high" priority.
When a user sends a message that violates a policy, the selected organization admins will receive an alert message.
Step 5: Preview
Once all the details are defined, you can preview the policy before creating one.
Types of actions for handling sensitive data:
Block
This is the recommended action for managing sensitive data. When a rule is set to "Block," users are prevented from sending messages containing sensitive information as defined by the policy.
User experience: If a user attempts to send a message that violates the policy, the message will be sent but it will be masked, and a policy tip will be displayed explaining the restriction.
Web
Android
iOS
Block and allow only after approval
Android
iOS
User experience: In the chat location, users will see an info that their message is blocked and is pending approval.
Upon admin approval, the message sent will be visible and an info will be displayed that 'This message, ideally blocked by DLP policy restrictions, has bypassed the policy and has been sent' in the message.
Upon admin decline, the message will be blocked permanently, and an info will be displayed that 'The request for approval to send this message blocked by DLP policy restrictions, has been rejected' in the message.
Block and allow override
Web
Android
iOS
User experience: Users will see a notification that their message is blocked due to the DLP policy. They can choose to override the block, provide a reason, and send the message. A notification will be displayed that 'This message, ideally blocked by DLP policy restrictions, has bypassed the policy and has been sent.
Allow and audit
This action allows users to send messages that violate the policy but logs these messages for audit purposes.
User experience: Users can send their messages without interruption. However, each message is logged in the alerts log for auditing and review by admin.
Alerts
In the alerts section, you'll find a list of all instances where users have violated a policy. You can filter this list based on various criteria, including policies, sensitive information, users, alert severity, and status. If an entry in the list is highlighted, it means the user has sent a message for your approval.
You can view all the pending alerts left when users send a message and request for your approval. You can either approve or decline the request.
Note:
We'll be syncing the status of DLP policies of chats/users every 15 minutes. When a new DLP policy is added or when updating an existing policy & a sensitive message is sent within the 15 minute time-frame, the DLP action may not be implemented completely.