File Monitoring and Scanning
It is often difficult to reliably match a captured file or scanned item to the actual author or creator of the file. In this situation, CA DLP typically applies the policy for a ‘system’ user account (such as the Default Policy For Files) rather than the policy for an actual user. However, the actual method used to associate files with a CA DLP user account depends on the capture source:
- Event Import: You can configure import jobs to associate imported files with specific CA DLP users. In particular, the ImpFile.PolicyParticipant import parameter determines whose policy gets applied to imported files. This parameter specifies an email address. Linked tables in the CMS database enable CA DLP to map this address onto an existing CA DLP user account.
If no matching CA DLP user can be found, then CA DLP applies the ‘Default Policy For Files’. This is a CA DLP user account set up specifically for this purpose; it is defined in the policy engine's machine policy. It defaults to the DefaultFileUser; this is a CA DLP user account created automatically when you install a CMS.
- File Scanning Agent (FSA): When the FSA runs a scanning job, the job definition determines which user’s policy is applied to scanned files. You can either specify the Default Policy For Files (see above) or an email address.
If you specify an email address, CA DLP maps this address onto an existing CA DLP user account. As for imported files, if this mapping fails then CA DLP applies the Default Policy For Files.
- Network Appliance (formerly NBA): The Network Appliance can capture files being sent across the Internet boundary. These include downloads, uploads, FTP transfers, and email attachments. The mechanism for associating these files with CA DLP users depends on which mode the Network Appliance is running in. When it runs in:
  - Socket output mode: The Network Appliance passes captured files to policy engines for processing. The policy engine always applies the Default Policy For Files (see above).
  - Disk output mode: The Network Appliance saves captured files to the local disk. These files are subsequently imported onto the CMS using Event Import. You then configure the import job using the ImpFile.PolicyParticipant parameter (see above) to determine whose policy gets applied to imported files.
- Client File System Agent (CFSA): When the CFSA detects a user copying a file to a removable device or network location, it associates the user’s Windows logon credentials with a matching CA DLP user account and applies that user’s policy. The synchronization between Windows accounts and CA DLP accounts is the same as for CA DLP email endpoint agents.
When the CFSA scans the local hard disk, it applies the ‘Default Policy For Data At Rest’. This is a CA DLP user account set up specifically for this purpose; it is defined in the client machine policy. It defaults to the DefaultClientFileUser; this is a CA DLP user account created automatically when you install a CMS.
Copyright © 2012 CA.
All rights reserved.