Creating Discovery Policies

Discovery is the act of determining where sensitive content is located in an organization. A discovery policy might, for example:

  • Scan all the computers in the network looking for financial documents containing the keyword “Confidential” every Sunday.
  • Log what is discovered and send a notification to the Finance manager.

Discovery finds data at rest in the network and identifies the endpoint machines that represent the greatest risk.

To monitor what is done with records found by a discovery policy, or stop them from leaving the building, create a network or endpoint policy.

Performing discovery consists of two basic steps:

  1. Creating a discovery policy
  2. Scheduling Discovery Tasks

Discovery policies are structurally the same as data loss prevention policies. Both are made up of rules, exceptions, content classifiers, and resources. Rather than specifying destination channels to scan such as FTP, SMTP, and printers, however, discovery tasks describe where and when to perform the discovery, including specific network and endpoint computers to scan.
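To make the structure described above concrete, here is an added, self-contained example (not the product's own code or API) that models a discovery policy as classifiers, exceptions and in-scope resources, and a discovery task as the location the policy is applied to. The policy name, the classifier patterns, the "public" exception and the sample files are all constructed for the illustration; real discovery also parses document formats (Office files, PST, database tables), whereas this walker only reads plain-text files.

```python
"""Minimal data-at-rest discovery runner (added illustration, not product code)."""
import logging
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List

log = logging.getLogger("discovery")


@dataclass
class Classifier:
    """A content classifier: a named keyword or regex that a rule looks for."""
    name: str
    pattern: re.Pattern


@dataclass
class DiscoveryPolicy:
    """A policy as the page describes it: classifiers, exceptions and resources."""
    name: str
    classifiers: List[Classifier]
    file_types: tuple = (".txt", ".csv", ".log")          # resources: file types in scope
    exceptions: List[re.Pattern] = field(default_factory=list)  # path patterns to skip


@dataclass
class Finding:
    """One logged discovery result: which file, which classifier, which line."""
    path: str
    classifier: str
    line_no: int


def discover(policy: DiscoveryPolicy, root: str, max_bytes: int = 1_000_000) -> List[Finding]:
    """Run one discovery task: walk `root` (the task's 'where') and apply the policy to each file."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(policy.file_types):
                continue                                   # resource out of scope
            if any(exc.search(path) for exc in policy.exceptions):
                continue                                   # covered by an exception
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read(max_bytes)              # cap how much of a file is read
            except OSError as err:
                log.warning("skipping %s: %s", path, err)
                continue
            for clf in policy.classifiers:
                for line_no, line in enumerate(text.splitlines(), 1):
                    if clf.pattern.search(line):
                        findings.append(Finding(path, clf.name, line_no))
                        log.info("%s: %s matched %s at line %d", policy.name, path, clf.name, line_no)
                        break                              # one hit per classifier flags the file
    return findings


# Hypothetical policy: the "financial documents containing Confidential" case from the page,
# plus an IBAN-shaped classifier; anything under a 'public' folder is excepted.
FINANCE_POLICY = DiscoveryPolicy(
    name="financial-confidential",
    classifiers=[
        Classifier("confidential-keyword", re.compile(r"\bConfidential\b")),
        Classifier("iban-like", re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")),
    ],
    exceptions=[re.compile(r"[\\/]public[\\/]")],
)

# Constructed sample share contents (hypothetical data for this example only).
SAMPLE_FILES = {
    "finance/q3-forecast.txt": "Confidential - do not distribute\nrevenue 1.2M\n",
    "finance/vendors.csv": "name,iban\nAcme,DE89370400440532013000\n",
    "public/notice.txt": "Confidential? No, this is public.\n",
    "hr/photo.png": "binary",
}


def run_example() -> List[Finding]:
    """Build the sample share in a temp directory, run the task, return share-relative findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        found = discover(FINANCE_POLICY, root)
        return [Finding(os.path.relpath(f.path, root).replace(os.sep, "/"), f.classifier, f.line_no)
                for f in found]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for finding in run_example():
        print(finding)
```

The public notice contains the keyword but is skipped by the exception, the PNG is skipped because it is not an in-scope resource, and the two finance files each produce one finding; scheduling the task (the "when") would simply call `discover` from a scheduler against each configured share or endpoint.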

On networks, you can perform file system, database, or email discovery. File Discovery includes the ability to scan:

  • Network file systems to identify data in breach of policies.
  • SharePoint directories to identify data in breach of policies.
  • Documents in a data management system or on an IBM Domino server.

Database Discovery scans the organization’s database servers and detects confidential information in tables that policies define as a breach.

Email Discovery includes the ability to scan:

  • The Microsoft Exchange server to identify data in breach of policies.
  • Outlook folders to detect confidential information defined as policy breaches in Outlook PST data files.

Endpoint Discovery lets you specify the exact endpoint devices to scan.

Discovery policies are different from data loss prevention policies in other subtle ways, as well. For example:

  • Content tends to be classified differently in database discovery than on web channels.
  • False positives or false negatives in discovery are typically less troubling, because the information is not being sent out of the organization.