I was able to successfully deploy Symantec DLP/DCS in our existing environment with Enterprise Vault 10.0.4 and have been able to successfully test a rule with Enable Classification Test Mode.
The rule is actually really simple. I'm using the Enterprise Vault Data Classification Services Solution Pack and made a copy of the "Attorney-Client Privilege" policy and saved it so I can preserve the original - the policy compares the email addresses contained within the SMTP header for types IPM.Appointment and IPM.Note and classifies the email as an incident with high severity.
My goal is to then prevent these messages from being journaled in the same journal mailbox as all our other emails. I figured if I could simply use a response rule to mark them as "do not archive" and move them to a different journal mailbox, I would be able to journal them into their own separate vault store. The idea behind this is to prevent all privileged emails from being searchable when normal reviews are done but, if we needed to restore items or in-house counsel needed to review privileged emails, they would be searchable as long as the correct archive is selected - or, if possible, I would create a separate CA/DA customer altogether that contained only the vault store for the privileged emails - then there is no way they could be accidentally searched or be returned as hits against a search.
I'm still reading the DCS implementation guide but while looking through the DLP admin console, a way to accomplish this doesn't seem readily apparent. Does anyone have any suggestions or guidance?
The way I see this typically handled is that you would tag these messages as "Privileged" and when you do your search you can exclude the entire tag set from the results with a couple clicks of the mouse. Just because they're privileged, it doesn't mean that they wouldn't be relevant to an investigation, so archiving them and having them available shouldn't be overlooked.
Thanks for your input. There is still some confusion though as I compare the two relevant sections from the DCS & CA guides about tags/policies.
It sounds like I want to configure a response rule to tag items that match the policy I created with "Exclude from review", so that when searches are run, tagged items won't show up. But when I look at DA search options, as an example, and create a new search - the options under policy are not clearly explained (the attached image shows the Policies option in a new search). Does ignore exclusions, the default selection, mean search results will INCLUDE items that are tagged as "prioritized" in DLP/DCS or that it will EXCLUDE them? The varying language between guides is not very helpful...
If it makes any difference to my explanation, I think we would want the default option to be where tagged items are automatically excluded from the review set during searches in CA/DA unless we specifically wanted to include them or conducted a separate search for items tagged as excluded.
I would sure appreciate clarification or guidance on this. I think I'm getting the picture but I gotta get this right. Thanks!
From the DCS Implementation Guide:

If you configure the response rule to archive the message, you can also select Prioritize messages for compliance review to prioritize the message for review. The Discovery Accelerator and Compliance Accelerator products can use this classification tag to filter messages during searches or audits. When you select this option, two additional choices are presented:

■ Include in review—Includes the message in subsequent searches and
■ Exclude from review—Excludes the message from subsequent searches

See the Discovery Accelerator and Compliance Accelerator documentation for more information about searching and auditing messages in Enterprise Vault.
From the CA Administrators Guide:

The Policies section lets you search for items according to the tags with which any additional policy management software has classified them.

Lets you search for the items that match certain classification policies. There are several types of policies:

■ Inclusion. Any item that your policy management software has classified for inclusion in the review set may be guilty of the most serious offenses, such as swearing, racism, or insider trading.
■ Exclusion. Spam items and newsletters are typical examples of the items that your policy management software may classify for exclusion from the review set.
■ Category. Your policy management software may categorize the items that exhibit certain characteristics, such as containing Spanish text. This type of policy provides no information on whether an item should be included in or excluded from the review set.

These policy types are not mutually exclusive. Your policy management software may apply multiple policies of different types to the same item.

Select the required policy type and then check the names of the policies for which you want to search. Alternatively, you can select Custom as the policy type and then type the names of one or more policies. Separate multiple policy names with commas, like this:

If you choose to search for multiple policies, the search results will contain items that match any one of the policies.