VOX

Hello, BigAnvil;

The information WV_Ajay provided is correct to a point.  Some things that we need to know to provide a better set of answers to you are

1. Are you performing journal mailbox archiving?
2. If you are performing journal mailbox archiving, then

• Do you have your legal users configured to be journal archived?
• Do you have the Journal Connector installed on the EV server running the Journal Task?

The some of the reasons we need to know this information are:

1. If you are archiving your journal mailbox (which is recommended for Compliance Accelerator and best results from DA searches), then the journal archive would very likely be selected to be searched in CA and DA.  Having this archived searched allows for finding ANY e-mails sent to or from journaled users.
2. If the legal users are configured to be journaled, a copy of every e-mail they receive or send will be sent to the journal mailbox and archived to the journal archive, making them accessible to any CA or DA search that does not exclude those users.
3. If the Journal Connector is installed, then CA searches will default to using the Department ID tag that is applied to each journal archived item.  The Department ID tags are determined by the Monitored Employees in each Department.  If the legal users are members of one or more Departments, their e-mail messages will be tagged based on their Department memberships.
4. Random Sampling may be in use if the Journal Connector is installed, so any e-mails to or from the legal users that are configured to be journaled will be subject for inclusion in the Random Sampling review set of the Department or Departments in which they are Monitored Employees.

EV_Ajay's suggestion of unchecking the archives of the legal users is valid if you only search user mailbox archives with CA or DA.  However, if you do journaling AND the legal users are configured to be journaled, their e-mails WILL be searchable via CA and DA as journal archives are the primary source for e-mails.  Their selection as the primary source of e-mails is due to the fact that messages cannot be deleted from the Journal mailbox by any user who does not want his e-mails archived.  With user mailbox archiving, the user has time to delete items from the mailbox prior to the items being archived.

Your DA search criteria specification of user addresses is good, but can still return hits for any message sent between any legal user and the user whose address you've specified in the search criteria.  To exclude the legal users, you'd have to also exclude their addresses in the search criteria (place a minus sign immediately in front of the address to be excluded).  You could also implement Custodian Manager and create a legal users Custodian Group to use to specify in the exclusion, so you only have to exclude the CM Group and not the individual legal users.  Even with this, you would need to test some searches by capturing the search criteria and reviewing it to see if the individual legal users are listed to be excluded.

CA is trickier to configure to exclude users.  There is a known issue that is currently slated to be fixed in CA 10.0.4 CHF2 (subject to change) where exclusions of SMTP addresses in the Freeform address field do not work as expected.  Using the Freeform address field to list all of the legal users to be excluded is the only way to prevent e-mails to or from these users from being returned in searches.  That exclusion is not always working, so you can't currently rely on using the Freeform address field either at this time.

Please understand that CA is designed to not have ways to exclude e-mails as all need to be eligible for capture to ensure everyone is compliant to company policies.  Even if you make each legal user an Exception Employee, e-mails between them and other, non-legal users can still be captured in the non-legal users' Departments' review sets.

Thanks for all the information EV_Ajay and Kenneth!  I received further clarification since my last post - the Legal department only needs to be excluded from random sample searches, not targeted searches.

So, it sounds like I just need to make sure they are not being sampled within CA.  DA is obviously a different animal and is essentially for just targeted searches (though I know they can be scheduled, they are still targeted searches).

Hi,

Very Good information provided by Ken.

I think if you want to stop sampling of the Legal Department then you need to remove those users from the Monitored Employee Section. After that the email which has those employee will never tag by CA aatributes and will never capture in Random sampling.

Thank you both for the excellent information!

I removed the Legal group completely from from EV-CA but since some of the legal team are also members of a Department that includes everyone, I realize I need to remove them from there as well (that is the CA group that synchronizes with the AD group "Everyone").  My trouble is, when I click on that Department on the left, I see the department again on the right  - selectable so that it can be removed, obviously.

When I click on "Show Effective Monitoring Policy", I show all the employees who are members of that "Department", with no option to remove individual employees.  I take it the only way I can remove them would be to delete the "Department" and create new departments that do not Synchronize with the AD group "Everyone"?

This is such a complicated product to configure while still having employees added to monitoring automatically...The last thing we want to have to do is manually add new employees to monitoring groups after creating their AD account.  It's not at all uncommon here for employees to change AD memberships somewhat often...

I forgot to mention - not that it changes the suggestions provided - but, we're only interested in preventing sampling or searching of messages that are to or from legal department employees to protect priviledge, if they are simply in the CC or BCC field, priviledge is not assumed and the emails should be OK to sample or search.

You should just deactive your legal users in CA.  That way, they won't be sampled, but we'll still tag e-mails with the appropriate Department ID tags for any Department in which they are membrers.  Their e-mails would still be found in CA searches regardless of them being recipients in the To, Cc or Bcc fields.  We can't really restrict searching recipients to just the To field in CA.

In DA, you can use a Custom Attribute instead of the 'To' or 'To or From' selections to find e-mails only in the To field.  The Custom Attribute name you would need to use is reto.  Use recc to search for only recipients in the Cc field, or rbcc for only recipients in the Bcc field.

EV-DCS may be able to help you by tagging messages with legal team members in the To field to apply an exclusion tag.  That would allow you to automatically exclude messages directly to your legal team members from random sampling, but let messages sent to them as Cc or Bcc recipients still be included.  I've not tested this with EV-DCS, so I can't say for sure it would work, but it may be worth looking into.

Again, I apologize for this post sounding like a sales pitch. I just want to provide you with options that may be a good fit in your environment to solve this issue.

Hi,

As per mentioned by Ken it's not possible to restrict searching recipients to just TO field.

Hi,

If you have any query please write back us. We will help you.

I can start a new post if needed but figured I would try asking here first since it's relevant to the thread...

Is it just me, or is finding the actual DCS install more difficult than it should be?  When I search for EV DCS I typically come up with DLP.  So, does that mean the DCS product install is actually DLP or part of the DLP package?  I don't see a DCS installation or admin guide, just those same guides for DLP but when I read them, they are quite unclear.

Basically, I'm looking to find the install files for DCS and any related documentation.  Would someone mind offering a but of guidance?  Thanks!!!

Hope everyone had a happy Thanksgiving.