We have DLP rolled out to our enterprise with a Monitor Only rule in place. We just recently started to enforce a Read Only policy to a particular group of users. We would like to propose to our group leaders that we enforce Read Only on the entire company, but we're being asked to provide some evidence of how the devices are being used. So if UserA plugs in a FAT32 device, I need to provide some evidence that he's actually transferring data to the device. We don't have any scanning turned on in the policy. Just a Removable Storage policy with Monitor Only action and the Read Only action for the other group.
Is there any "hidden" data in the DLP Monitor events that may show this where I can actually build a report on?
OK, it looks like without collecting evidence I'm never going to know for sure if people are in fact attempting to transfer data to the devices.
Maybe this is a future function McAfee could provide? In my particular case, I don't necessarily care if they are successful, since the Read Only policy is in effect, but I would like to know if they are at least trying and getting denied.