The McAfee Email Gateway allows its administrator to configure compliance policies by providing built-in dictionaries which contain a number of expressions and terms that are relevant to different areas (Personally Identifiable Information - PII, Banking and Financial sector, Acceptable Use, regional privacy, and so on).
The different terms in a dictionary can be used to detect compliance violations based on context, and that can be achieved in the following ways:
- A given term/expression can trigger a compliance violation on its own (outright violation);
- A given term/expression may trigger a compliance violation when used in context with another term/expression (contextual, proximity-based);
- A given term/expression adds to a running score when found; the scores of the terms matched add up to a total that may or may not trigger a compliance violation (contextual, score-based).
The focus of this post is to discuss how to use score-based rules to define compliance policies.
The terms of a compliance dictionary can be configured (or have a pre-defined value) with a score that is used when the administrator wishes to apply a score-based compliance rule. Such a rule is applied when the defined score threshold is reached.
For example, using "purplemonkey" as a test term, one can add it to a custom dictionary and assign a score for each occurrence (for example, 10). The compliance rule itself could then be configured so that if the term appears in an email more than 3 times, the rule triggers and the relevant action is taken (e.g. block the message, quarantine the message and notify an administrator, and so on).
Once the dictionary and the score of each term in its term list are defined (alternatively, you can make use of one or more of the pre-defined dictionaries), you can configure a rule that triggers once the compliance score reaches the desired threshold. For additional granularity, it is also possible to specify the maximum number of occurrences of a term within a dictionary that will add up to the score (e.g. if you configure 'Max Term Count' to 3, occurrences of "purplemonkey" in an email will only be added to the running score up to 3 times; any further occurrences are ignored). Note that the two settings interact: with a term score of 10 and a Max Term Count of 3, that term can contribute at most 30 to the running score, so a threshold that requires more than 30 from this term alone can never be reached.
These options are available so the administrator is able to tune the policies and dictionaries according to their needs. They are meant to assist with configuring the compliance detections in a way that minimises false positives (or false negatives). Such tuning may require a number of attempts until the administrator can confirm that the communication intercepted by the rule is in accordance with the compliance goal.