I've tried searching this forum but have not been successful finding exactly what I'm after...
I work for a healthcare provider and we have a need to force encryption (Secure Mail pull) of emails based on content such as SSN, driver's license, etc. We have utilized some of the canned compliance dictionaries but found we had to create our own for SSN. There seem to be times, or maybe it's paranoia at the top management levels, where someone may include an SSN in an outbound email that is just the numbers; no prepended text like SSN, social security, and no dashes in the number string. So we copied just the number string regex from the canned SSN dictionary and created our own. Problem now is that it's catching WebEx numbers, purchase order numbers with certain vendors, etc., and forcing encryption on those messages. So now management has decided we should put a threshold on that rule so that only emails containing three or more number matches will trigger the rule and thereby force encryption.
So, now I ask, how exactly do I do that? Is it ONLY through scoring and threshold numbers that can be accomplished? I thought it would be simple, like somewhere in the rule, but I'm not finding it simple at all. If it is scoring, can someone please provide a better overview than what I've found here and via McAfee's own help? Not only will I need help with the scoring concepts but with what I do with the rule(s) as well.
I also work for a healthcare organization and am going to have to cross a similar bridge in the next few days or weeks. If you figured this out, I'd love to hear the answer. If not, I'll be sure to share my findings when I finish setting up our compliance dictionaries (assuming I can figure it out).
I opened a support ticket right after posting this and have not received ANY feedback from McAfee support. So at this time we have not figured this out either. I will share here as well if/when support responds.
When you are creating your dictionary, make the entries score-based. For example, give each dictionary term a score of 10 points. When defining the compliance rule, you can then require that a multiple of that be reached, say 30 points. You can use this to combine other terms as well, and change term point values so that some are more important than others.
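The score-and-threshold logic from the answer above, modeled in Python as an added example; it is not part of the thread and not the McAfee product's configuration or matching engine. The regexes, the per-term cap, and counting each distinct value once are assumptions made for illustration, and all sample numbers are constructed.

```python
import re

# Constructed stand-in for the "numbers only" SSN term: nine digits with
# optional dashes or spaces, not embedded in a longer digit run. This is an
# assumption, not the regex from the vendor's canned dictionary.
SSN_LIKE = re.compile(r"(?<![\d-])\d{3}[- ]?\d{2}[- ]?\d{4}(?![\d-])")
KEYWORD = re.compile(r"\b(?:ssn|social security)\b", re.I)

# Hypothetical score-based dictionary: (pattern, points per match, cap).
# cap=None means every distinct match scores; cap=1 means the term scores once.
DICTIONARY = [
    (SSN_LIKE, 10, None),  # each bare number is weak evidence on its own
    (KEYWORD, 20, 1),      # a keyword is weighted higher than a bare number
]
THRESHOLD = 30  # three bare numbers, or one keyword plus one number


def score_message(body, dictionary=DICTIONARY):
    """Return the total score for a message body.

    Distinct values are counted once each (separators and case ignored), so
    one PO number repeated in a quoted reply chain does not inflate the score.
    """
    total = 0
    for pattern, points, cap in dictionary:
        distinct = {
            re.sub(r"[- ]", "", m.group(0)).lower()
            for m in pattern.finditer(body)
        }
        count = len(distinct) if cap is None else min(len(distinct), cap)
        total += points * count
    return total


def should_encrypt(body, threshold=THRESHOLD):
    """True when the rule's threshold is reached and encryption is forced."""
    return score_message(body) >= threshold


if __name__ == "__main__":
    samples = [  # constructed messages
        "Please reference PO 482913306. WebEx meeting number: 715204398.",
        "Patients: 123456789, 234-56-7890, 345 67 8901",
        "Her SSN is 123456789",
    ]
    for s in samples:
        print(score_message(s), should_encrypt(s), s)
```
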