Data Loss Detection Policy

A Data Loss Detection Policy determines what data-loss activity is tracked.

This feature is supported on Windows and Mac-based server policies.

These options are available:

  • Enable detection of USB storage insertion: Enables the detection of insertion of a USB-based external storage. A screenshot is created with a window title starting with the text USBCONNECT and the following information:

    • For mobile devices - The device model, manufacturer, and user-defined name (if configured).

    • For non-mobile devices - The letter of the drive assigned by the operating system, and the user-defined name (if configured).

  • Enable detection of text copy: Enables the detection of copying text to the clipboard.

  • Enable detection of file copy: Enables the detection of any copying to the clipboard of files/folders and any mouse-dragging of files/folders. A specific screenshot is created with a window title starting with the text FILECOPY/LARGEFILECOPY followed by the number of files, total file size (in MB), the name of the copied/dragged files/folders and the name of the parent folder. When this check box is selected, you can also configure the following settings:

    • Set minimum file-copy thresholds: This option (selected by default) allows you to specify thresholds for the minimum total size (by default 30 MB) of the files that can be copied/dragged or the minimum number of files that can be copied/dragged (by default 10). Upon exceeding one of these thresholds specified for "total size exceeds" or "file count exceeds", the FILECOPY action will be detected and displayed in a specific screenshot.

    • Record as LARGEFILECOPY if: (selected by default) Allows you to specify thresholds for the minimum total size (by default 100 MB) of files that can be copied/dragged or the minimum number of files that can be copied/dragged (by default 100 MB). Upon exceeding one of the thresholds specified for "total size exceeds" or "file count exceeds", the text LARGEFILECOPY will be used in the window title (instead of FILECOPY).

  • Enable detection of paste: Enables the detection of paste activity by right-click menu item Paste. By default this option is set to off. In addition, if you want to enable detection of paste performed by Ctrl-V (Windows), Cmd-V (Mac) select Enabling Keylogging in the System Policy.

These features are enabled on the ITM On-Prem (ObserveIT) Agent by configuring a data loss detection policy in the Recording Policies settings of the ITM On-Prem Web Console. By default, these features are enabled in the policy.

You can configure (enable/disable) data loss detection policy settings manually per endpoint (Agent) from the Configuration > Endpoints page, or by using Recording Policies to configure many endpoints (Agents) simultaneously.

To configure data loss detection policy settings using Recording Policies

  1. In the ConfigurationEndpoint Management > Recording Policies page, click Create or select a server policy template (Windows-based policy).

  2. In the Data Loss Detection Policy section of the Recording Policy Template page, configure the settings you want.

  3. Click Save to save your changes.

Changes will take effect on new user sessions.