FPP Policy Descriptions
This document provides an overview of all the policies that are available
within release R3 of Orchestria's "Foundation Policy Pack" (FPP). However,
licensing restrictions may limit the policies that are available on any
particular installation.
The document is organized in the way that the policies are viewed in the
iConsole policy editor. The first section covers 'Global Options' that apply
to all policies. Subsequent sections cover alphabetically sorted groups of
policies; within each group, the individual policies are listed alphabetically,
each with a brief description.
Global Options
Action Configuration - Data At Rest
This section enables users to apply global 'Action' options to all 'Data At Rest' policies.
Action Configuration - Data In Motion - E-mail
This section enables users to apply global 'Action' options to all 'Data In Motion - E-mail' policies.
Security Officer Contact Information Configuration
This section enables users to specify a common security contact within the 'Message To Users' field.
Miscellaneous
Corporate and Regulatory Compliance
Anti-Money Laundering - OFAC
This policy detects suspicious financial transactions such as tax evasion or false accounting, especially with entities that appear on the U.S. OFAC list.
Bribes/Kickbacks/Quid Pro Quos/Blackmail
This policy detects involvement in bribery or blackmail schemes.
Solicitations: Charitable
This policy detects solicitations or requests for contributions to charities, student fundraisers, or other non-commercial and non-political organizations.
Solicitations: Political
This policy detects solicitations or requests for contributions to political causes or campaigns.
Solicitations: Religious
This policy detects solicitations or requests for contributions to religious organizations.
Customer/Supplier Treatment
Customer Complaints Response
Customer complaint handling has legal and regulatory implications. There may also be corporate policy that governs this activity. This policy detects responses to customer complaints when communicated externally.
Gifts and Entertainment
Gifts and entertainment form a common part of many business relationships, yet have the potential to create conflicts. This policy identifies when a business expense violates policy or law and becomes a gift.
Guarantees and Assurances
Guarantees, though often considered a part of "fair and balanced" communication, carry with them legal, regulatory, and financial risks, as well as risks to a firm's reputation. This policy detects prohibited guarantees or assurances and can be used to prevent them from reaching customers.
Employee Behavior
Coercive Behavior and Intimidation
Coercive behavior and intimidation in the workplace can have significant negative impact on employee morale and productivity. This policy detects such behavior so that enforcement is confidential and immediate.
Communication with Competitors
This policy detects electronic communication between an employee and competitor companies.
Communication with the Press/News Organizations
This policy detects electronic communication between an employee and the press or media organizations.
Discrimination and Racism
This policy detects inappropriate discriminatory language and/or actions based on race, gender, disability, sexual orientation, religion, age, and other legally protected classes. Sexual harassment related issues are covered by the Harassment policy.
Fantasy Leagues
This policy identifies events and activities associated with participation in running a fantasy sports league.
Foreign Language
This policy detects words generally considered to be the 100 most commonly used in foreign languages such as French, Spanish, Russian, German, Japanese, Korean, Chinese and others. It is designed to capture more than nominal use of the language; a simple phrase or occasional word will not trigger the policy.
Gambling Prohibition
This policy detects gambling and betting among employees which is subject to various jurisdictional regulations. Fantasy leagues are covered by a separate policy.
Harassment
This policy detects harassment such as quid pro quo requests for sexual contact, or behavior that is designed to alarm or annoy others.
Inappropriate, Offensive and Sexual Language
This policy identifies communications indicative of offensive and sexual language.
Intent To Resign
This policy detects language indicative of an employee who is dissatisfied with their position or workplace and is actively engaged in seeking employment.
Jokes
This policy detects electronic communication of a wide range of joke formats and subjects. It does not address communication that originated outside the firm, but will capture such events if the recipient within the firm attempts to forward them.
Office Relationships: Romantic
This policy detects events of a romantic nature, or language indicating that such a personal relationship exists.
Resumes
This policy is designed to detect US resumes in standard format.
Termination/Layoff Discussions
This policy is designed to detect events concerning potential and pending terminations and layoffs.
Intellectual Property (IP)
Confidential Trade Data
This policy detects confidential information such as trade secrets, proprietary processes and technical competitive differentiators.
Related Regulations/Guidelines: SOX, FERC/NERC, FISMA, OMB, NIST, DoD and ITAR/OFAC.
Patent Applications
This policy detects non-public patent applications.
Product and Design Specifications
This policy detects functional or marketing specifications of material, products, or services.
Proprietary Software Code
This policy detects software code, programs, and executables.
Related Regulations/Guidelines: FERC/NERC, FISMA, OMB, NIST, DoD and ITAR/OFAC.
Technical Specifications or Designs
This policy detects technical designs and specification documents related to products or services.
Related Regulations/Guidelines: FERC/NERC, FISMA, OMB, NIST, DoD and ITAR/OFAC.
Legal
Attorney Client Privilege
When an uncontrolled privileged event occurs or a document leaves an organization, any privilege associated with it may be waived. This policy can be used to prevent such events from occurring.
Related Regulations/Guidelines: SOX.
Discussion of Legal Proceedings
This policy detects events related to legal proceedings such as pending civil lawsuits, criminal proceedings, and/or administrative hearings or trials. Threats of contemplated litigation against the organization are not intended to be covered by this policy.
Related Regulations/Guidelines: SOX.
Potential Ethical Issues
This policy identifies potential ethical misconduct or claims of ethical misconduct and alerts the proper internal legal representative.
Potential Legal Issues
Often, questions are circulated internally about the legality of a particular action or business practice without informing a legal representative until the problem has been made public or resulted in some harm. This policy identifies such discussions and alerts the appropriate legal representative.
Threats of Litigation
This policy detects discussions indicating an outside party or an internal employee suggesting or overtly threatening to file a lawsuit against the company.
Non-Public Information (NPI)
Board Minutes and Discussions
This policy is designed to detect events occurring between or concerning board members of an organization.
Related Regulations/Guidelines: SOX.
Customer Lists
This policy detects multiple occurrences of various types of customer contact information.
Related Regulations/Guidelines: HIPAA, PCI, PIPEDA and FERC/NERC.
Draft Documentation
This policy can be used to prevent draft documentation, and discussions surrounding it, being sent outside an organization.
Financial Information - Balance Sheet
This policy detects content found on financial balance sheets.
Related Regulations/Guidelines: SOX.
Financial Information - Income Statement
This policy detects content found on financial income statements.
Related Regulations/Guidelines: SOX.
Financial Information - Projections
This policy detects the disclosure of financial projections.
Related Regulations/Guidelines: SOX.
Information Security Label Control
This policy detects sensitive material classified in various ways such as "confidential", "top secret", and "not for distribution".
Related Regulations/Guidelines: SOX, HIPAA, GLBA, PCI, EUDP, FERC/NERC, FISMA, OMB, NIST, DoD and ITAR/OFAC.
Inside Information: Non-Public Company Information Loss
This policy detects non-public company insider information, such as management discussions.
Inside Information: Non-Public Financial Information Loss
This policy detects unauthorized disclosure of non-public company financial and stock information.
Inside Information: Rumors and Secrets
This policy detects unsubstantiated information or rumors about any organization or client for legal purposes.
Internal IT Support Documents
This policy identifies internal IT system and support documentation.
Related Regulations/Guidelines: SOX, FERC/NERC, FISMA, OMB, NIST and DoD.
Licensing Agreements
This policy is designed to detect information containing software license agreements.
Related Regulations/Guidelines: FISMA, OMB, NIST, and DoD.
Mergers and Acquisitions
This policy identifies discussions and documents pertaining to pending or proposed merger and acquisition transactions in which the organization is or will be participating. Transactions such as IPOs, private placements, and other prospectus offerings are not expressly included in this policy.
Pricing List
This policy is designed to detect non-public pricing information.
Related Regulations/Guidelines: SOX.
Project Information
This policy identifies various types of project information such as project plans, timelines, project codes, task lists, and issue lists related to project planning and deployments.
Related Regulations/Guidelines: FERC/NERC, FISMA, OMB, NIST, DoD and ITAR/OFAC.
Restricted List
This policy detects items and content on restricted lists in e-mails and files. Restricted lists are associated with services, products, companies, customers, or other defined business elements that have restrictions.
Note: There are no positive indicators defined for this policy. Customers must enter words or phrases in the field labeled 'Positive Indicators' in order to trigger this policy.
Related Regulations/Guidelines: FISMA, OMB, NIST, DoD and ITAR/OFAC.
Sales Information
This policy detects company sales information, sales collateral such as tools, models, contracts, fee structures, and deal information, and other elements supporting the sales organization.
Related Regulations/Guidelines: SOX, PCI.
Personal Health Information (PHI)
Benefits Enrollment Information
This policy detects benefit applications and other forms that include personal health information.
Related Regulations/Guidelines: HIPAA, PIPEDA and FERPA.
Diagnosis Information
This policy detects medical diagnosis information including mental, physical and addiction-related ailments.
Related Regulations/Guidelines: HIPAA, PIPEDA and FERPA.
Individually Identifiable Health Information (IIHI)
This policy detects individually identifiable information in conjunction with medical information related to patients, employees, or customers.
Related Regulations/Guidelines: IIHI 1173(d), HIPAA 1177(a), PIPEDA and FERPA.
Medical Billings and Claims
This policy detects medical billing information and claims data including submissions to insurance companies, approvals and denials of payment, and continuing correspondence.
Related Regulations/Guidelines: HIPAA, PIPEDA and FERPA.
Medical History
This policy detects medical history information including diagnosis and prescription details.
Related Regulations/Guidelines: HIPAA, PIPEDA and FERPA.
Medical Record Numbers
This policy detects medical record numbers used in the identification and treatment of patients.
Related Regulations/Guidelines: HIPAA, PIPEDA and FERPA.
Medical Record Numbers - Threshold
This policy detects a specified amount (or threshold) of medical record numbers used in the identification and treatment of patients.
Related Regulations/Guidelines: HIPAA, PIPEDA and FERPA.
Personally Identifiable Information (PII)
Account Number
This policy detects specific account numbers and/or account numbers that fall within a particular range. Numbers may be entered exactly or matched with a template. If using a template, please refer to the online help for syntax.
Related Regulations/Guidelines: HIPAA, GLBA, PCI, USP and PIPEDA.
Account Number - Threshold
This policy detects a specified amount (or threshold) of specific account numbers and/or account numbers that fall within a particular range.
Related Regulations/Guidelines: HIPAA, GLBA, PCI, USP and PIPEDA.
Account Number and Routing Information
This policy detects both an organization's account number(s) and the associated routing number(s).
Account Number with Additional PII
This policy detects specific account numbers and/or account numbers that fall within a particular range when accompanied by one or more pieces of identifying information, such as name, address or DOB, that could be used for identity theft.
Related Regulations/Guidelines: HIPAA, GLBA, PCI, USP and PIPEDA.
Background Checks
This policy detects background information checks, including private and often sensitive data that might be communicated inappropriately.
Related Regulations/Guidelines: HIPAA, EUDP, PIPEDA, FISMA, OMB, NIST, DoD and FERPA.
Canadian Social Insurance Number
This policy detects one or more Canadian Social Insurance Numbers in various formats.
Related Regulations/Guidelines: HIPAA, GLBA, PCI, USP, FISMA, OMB, NIST, DoD and FERPA.
Canadian Social Insurance Number - Threshold
This policy detects a specified amount (or threshold) of Canadian Social Insurance Numbers in various formats.
Related Regulations/Guidelines: HIPAA, GLBA, PCI, USP, FISMA, OMB, NIST, DoD and FERPA.
Canadian Social Insurance Number with Additional PII
This policy detects one or more Canadian Social Insurance Numbers when accompanied by at least two pieces of identifying information such as name, address or DOB which could be used for identity theft.
Related Regulations/Guidelines: HIPAA, GLBA, PCI, USP, FISMA, OMB, NIST, DoD and FERPA.
Credit Card Information
This policy detects credit card numbers in various ranges and formats.
Related Regulations/Guidelines: HIPAA, GLBA, PCI, USP and PIPEDA.
Credit Card Information - Threshold
This policy detects a specified amount (or threshold) of credit card numbers in various ranges and formats.
Related Regulations/Guidelines: HIPAA, GLBA, PCI, USP and PIPEDA.
Credit Report
This policy detects inappropriate distribution of credit reports or credit related data issued by consumer reporting agencies.
Related Regulations/Guidelines: USP and EUDP.
Employee Compensation Information
This policy detects the release of employee information related to compensation outside the firm.
Related Regulations/Guidelines: EUDP, PIPEDA, FISMA, OMB, NIST and DoD.
Employee Evaluation Information
This policy is designed to identify employee evaluations, often regarded as private between an employee and an organization.
Related Regulations/Guidelines: EUDP, PIPEDA, FISMA, OMB, NIST and DoD.
Social Security Number
This policy detects one or more Social Security Numbers in various formats.
Related Regulations/Guidelines: HIPAA, GLBA, PCI, USP, FISMA, OMB, NIST, DoD and FERPA.
Social Security Number - Threshold
This policy detects a specified amount (or threshold) of Social Security Numbers in various formats.
Related Regulations/Guidelines: HIPAA, GLBA, PCI, USP, FISMA, OMB, NIST, DoD and FERPA.
Social Security Number with Additional PII
This policy detects one or more Social Security Numbers when accompanied by one or more pieces of identifying information, such as name, address or DOB, that could be used for identity theft.
Related Regulations/Guidelines: HIPAA, GLBA, PCI, USP, FISMA, OMB, NIST, DoD and FERPA.
UK Driving Licence
This policy detects one or more UK Driving Licence Numbers in various formats.
UK Driving Licence - Threshold
This policy detects a specified amount (or threshold) of UK Driving Licence Numbers.
UK National Insurance Number
This policy detects one or more UK National Insurance Numbers (i.e. the U.K. equivalent of the U.S. SSN) in various formats.
Related Regulations/Guidelines: HIPAA, GLBA, PCI, EUDP, PIPEDA and FERPA.
UK National Insurance Number - Threshold
This policy detects a specified amount (or threshold) of UK National Insurance Numbers in various formats.
Related Regulations/Guidelines: HIPAA, GLBA, PCI, EUDP, PIPEDA and FERPA.
UK National Insurance Number with Additional PII
This policy detects one or more UK National Insurance Numbers when accompanied by at least two pieces of additional identity information such as name, address or DOB that could be used for identity theft.
Related Regulations/Guidelines: HIPAA, GLBA, PCI, EUDP, PIPEDA and FERPA.
UK Tax Identification Number
This policy detects one or more UK Tax Identification Numbers in various formats.
Related Regulations/Guidelines: EUDP and PCI.
UK Tax Identification Number - Threshold
This policy detects a specified amount (or threshold) of UK Tax Identification Numbers in various formats.
Related Regulations/Guidelines: EUDP and PCI.
Unencrypted Wire Transfer Information
This policy assists organizations that want to be alerted to or prevent unencrypted disclosure of wire transfer information.
Related Regulations/Guidelines: SOX and GLBA.
US Drivers License
This policy detects one or more US Drivers License Numbers in various formats.
US Drivers License - Threshold
This policy detects a specified amount (or threshold) of US Drivers License Numbers in various formats.
US Individual Taxpayer Identification Number (ITIN)
This policy detects US Taxpayer Identification Numbers in various formats.
Related Regulations/Guidelines: HIPAA, GLBA, PCI, USP, FISMA, OMB, NIST, DoD and FERPA.
US Individual Taxpayer Identification Number (ITIN) - Threshold
This policy detects a specified amount (or threshold) of US Taxpayer Identification Numbers.
Related Regulations/Guidelines: HIPAA, GLBA, PCI, USP, FISMA, OMB, NIST, DoD and FERPA.
US Passport Number
This policy detects US Passport Numbers in various formats.
US Passport Number - Threshold
This policy detects a specified amount (or threshold) of US Passport Numbers in various formats.
Security General
Audio Files
This policy identifies audio media files in various formats.
Related Regulations/Guidelines: FISMA, OMB, NIST and DoD.
E-mail to Personal Addresses
This policy identifies electronic communication with attachment(s) being sent to non-commercial domains (e.g., Hotmail, Yahoo, Gmail, and domains ending in .gov, .edu, .info, etc.), which immediately raises concerns as to whom the information is being distributed.
Forwarding Senior Management E-mail or Documents
This policy detects the forwarding of content originally sent by senior management.
Related Regulations/Guidelines: SOX, FISMA, OMB, NIST and DoD.
Graphic and Image Files
This policy identifies graphic and image files in various formats.
Related Regulations/Guidelines: FISMA, OMB, NIST and DoD.
Large Message or File Size
This policy identifies users sending or receiving messages over a certain size.
Network Security Threats
This policy identifies common hacking utilities and terms such as spoofing, buffer overflow tools, log wiping tools and password database cracking tools.
Password Protection/Encryption: Prohibition
This policy detects content that has been protected with a password or has been encrypted.
Related Regulations/Guidelines: FISMA, OMB, NIST and DoD.
Sharing of Usernames and Passwords
This policy detects the disclosure and sharing of passwords both inside and outside the organization.
Related Regulations/Guidelines: EUDP, FISMA, OMB, NIST, DoD and FERPA.
Suspicious E-mail Behavior
This policy identifies electronic communication with blank subjects whose context suggests that the sender is attempting to avoid detection.
Transfer of Attachments - Threshold
This policy identifies electronic communication with more than four attachments, which could suggest a drive dump or other inappropriate bulk transfer of files.
Transfer of Personal E-mail File Folders
This policy identifies inappropriate bulk transfer of e-mail file folders, including .PST and .NSF files.
Video Files
This policy identifies video media files in various formats.
Related Regulations/Guidelines: FISMA, OMB, NIST and DoD.
User Defined
User Defined 1
This policy detects keywords and phrases provided entirely by an organization. If enabled for e-mail, this policy will only apply to an explicitly defined set of included e-mail addresses.
User Defined 2
This policy detects keywords and phrases provided entirely by an organization. If enabled for e-mail, this policy will apply to all users unless they are explicitly excluded.
User Defined 3
This policy detects keywords and phrases provided entirely by an organization. If enabled for e-mail, this policy will apply to all users unless they are explicitly excluded.
Web Communication Control
Blogging/Messaging Sites
This policy identifies blogging and other message-posting Web pages where users are able to enter comments, post articles, or send messages.
Related Regulations/Guidelines: FERC/NERC.
Social Networking
This policy identifies users accessing social networking sites used to communicate, upload files, or otherwise provide information to a competitor or entity that should not have access to such information.
Wiki Posting Control
Wiki sites allow users to post anonymously, creating an avenue for information disclosure. This policy allows organizations to prevent users from accessing these sites to minimize the risk of exposure.