Enterprise Recon 2.3.1
Risk Mapping Criteria
PRO This feature is only available in Enterprise Recon PRO Edition. To find out more about upgrading your ER2 license, please contact Ground Labs Licensing. See Subscription License for more information.
This section covers the following:
Overview
ER2 risk profiles are defined as a combination of risk level with one or more criteria. Risk profiles are mapped to a location if the sensitive data location matches at least one rule for every defined criteria.
Criteria | Description |
---|---|
Data Types | Define the data type combination and rules that must be fulfilled for the sensitive data location to match to the risk profile. See Data Types Criteria for more information. |
Location | Select the Group(s) or Target(s) that the risk profile applies to. If the All Groups option is selected, the risk profile will only be applicable to Target Groups that were available when the risk profile was created. Risk profiles are applicable to new Targets that are added to Target Groups that were selected when the risk profile was created. |
Metadata | Define the metadata information that must exist for the match location. See Metadata Criteria for more information. |
Access | Map the location to the risk profile if any of the specified groups or users have any form of access permissions to the location. Use the following format to add domain groups or user: <domain>\<group or username>. See Data Access Management for more information. |
Operation | Select the operation status(es) associated with the match location. E.g. No Status, Confirmed Match, Unable to modify permissions. |
See Risk Mapping for more information.
Data Types Criteria
The Data Types criteria lets you specify data type rules in terms of:
- combination of data types, and / or
- volume of sensitive data matches
that must be found in a location for it to be mapped to a risk profile.
Data type rules that are configured will be displayed as an expression within the Data Types section in the Settings > Analysis > Risk Profile page.
Match Count Rule
Field | Description |
---|---|
Select a Data Type | Check the match volume of the selected data type in the match location. |
[Comparison Operator] | Use comparison operators to determine if the match count for the data type meets a specific criteria.
|
[Value] | Positive integer value to be evaluated against the comparison operator. |
Examples:
Select a Data Type | Comparison Operator | Value | Description |
---|---|---|---|
American Express | is equal to | 2 | Map the location to the risk profile if there are exactly 2 American Express data type matches. |
United States National Provider Identifier (robust) | is greater or equal to | 1 | Map the location to the risk profile if there is at least 1 United States National Provider Identifier (robust) data type match. |
SWIFT Code | is less than | 10 | Map the location to the risk profile if there are less than 10 SWIFT Code data type matches. |
Contains or Does Not Contain Rule
Field | Description |
---|---|
[Comparison Operator] | Check if the location has at least one, or no matches for the selected data type.
|
[Select a Data Type] | Data type to be evaluated against the comparison operator. |
Examples:
Comparison Operator | Select a Data Type | Description |
---|---|---|
Contains | American Express | Map the location to the risk profile if there is at least one American Express data type match. |
Does not contain | SWIFT Code | Map the location to the risk profile if there are no SWIFT Code data type matches. |
Contains Any Rule
Field | Description |
---|---|
Operator | Contains any operator checks the presence of n number of unique data types from the selected data types, where the number of selected data types must be equal to or larger than n. |
Select a Data Type | Check the presence of the selected data types in the match location. |
[Value] | n number of unique data types, where n is any positive integer, e.g. 0, 1, 2, ..., n. |
Examples:
Operator | Select a Data Type | Value | Description |
---|---|---|---|
Contains any | American Express, Visa, Mastercard, Discover | 2 | Map the location to the risk profile if there is at least one match for
at least two of the four selected data types. For example:
|
Logical and Grouping Operators
You can combine multiple data type rules with logical and grouping operators to create complex data type criteria for the Risk Profile.
Operator precedence and order of evaluation for these operators is similar to operator precedence in most other programming languages. When there are several operators of equal precedence on the same level, the expression is then evaluated based on operator associativity.
Logical Operators
The following logical comparators can be applied to standalone data type rules, or a group of data type rules:
Operator | Precedence | Syntax | Description |
---|---|---|---|
NOT | 1 | NOT a | Negates the result of any term it is applied to. |
AND | 2 | a AND b | Evaluates to TRUE if both rule a and rule b are true. |
OR | 3 | a OR b | Evaluates to TRUE if either rule a and rule b are true. |
AND NOT | - | a AND NOT b | Evaluates to TRUE if rule a is true, and rule b is false. |
OR NOT | - | a OR NOT b | Evaluates to TRUE if either rule a is true, and rule b is false. |
Grouping Operators
Grouping operators can be used to combine a number of statements into a single logical statement, or to alter the precedence of operations.
You create a new group each time you create a new data type rule. You can manage the data type rules by clicking on the:
- Group icon to group a data type rule with the rule or group preceding it, or
- Ungroup icon to ungroup a data type rule from the rule or group preceding it, or
- Delete icon to delete a specific data type rule.
Data Types Criteria Example
A Risk Admin creates four distinct data type rules for the "HIPAA Compliance" risk profile:
# | Data Type Rule | Description |
---|---|---|
1 | Contains United States Social Security Number (robust) | Check if the location contains at least one United States Social Security Number (robust) data type match. |
2 | Contains any 3 data types from United States Health Insurance Claim Number (relaxed), United States Health Plan Identifier (relaxed), Date Of Birth, Email addresses, Personal Names (English) | Check if the location contains at least one match from at least three of the selected personal identifiable (PI) data types. |
3 | Contains any 1 data types from American Express, China Union Pay, Diners Club, Discover, JCB, Laser, Maestro, Mastercard, Private Label Card, Troy, Visa | Check if the location contains at least one match from any one of the selected cardholder data types. |
4 | Contains any 1 data types from Generic Bank Account Number, International Bank Account Number (IBAN) | Check if the location contains at least one match from any one of the selected bank account number data types. |
For every data type rule created, the Risk Admin can define the logical operation and grouping relationship between the rules.
Example 1
In this example, all four data type rules are kept as separate groups. The AND operator is selected for rule #2 and rule #3, while the OR operator is set for rule #4.
In this configuration, a sensitive data match location will be mapped to the "HIPAA Compliance" risk profile if either condition 1 or condition 2 is fulfilled, where:
- The match location contains:
- At least one United States Social Security Number (robust) data type match, and
- At least one match from at least three of the selected personal identifiable (PI) data types (United States Health Insurance Claim Number (relaxed), United States Health Plan Identifier (relaxed), Date Of Birth, Email addresses, Personal Names (English)), and
- At least one match from any of the selected cardholder data types (American Express, China Union Pay, Diners Club, Discover, JCB, Laser, Maestro, Mastercard, Private Label Card, Troy, Visa).
- The match contains at least one Generic Bank Account Number or International Bank Account Number (IBAN) data type match.
Example 2
In this example, rule #4 is grouped with the preceding rule #3 with the OR operator. Rule #1 and rule #2 remain as separate rules with the AND operator selected for the relationship between the groups.
In this configuration, a sensitive data match location will be mapped to the "HIPAA Compliance" risk profile if all the following conditions are fulfilled, where the match location contains:
- At least one United States Social Security Number (robust) data type match, and
- At least one match from at least three of the selected personal identifiable (PI) data types (United States Health Insurance Claim Number (relaxed), United States Health Plan Identifier (relaxed), Date Of Birth, Email addresses, Personal Names (English)), and
- At least one match from any of the selected cardholder data types (American Express, China Union Pay, Diners Club, Discover, JCB, Laser, Maestro, Mastercard, Private Label Card, Troy, Visa), or at least one match from the selected bank account number data types (Generic Bank Account Number, International Bank Account Number (IBAN)).
Metadata Criteria
The Metadata criteria lets you specify the metadata information that must be present in a sensitive data location for it to be mapped to a risk profile.
Metadata | Description |
---|---|
Document | Map the location to the risk profile if the stored document metadata matches the criteria or values defined for the (i) document owner, (ii) document creation date, and / or (iii) document modified date. |
Map the email location to the risk profile if the stored email metadata matches the criteria or values defined for the (i) email sender, and / or (ii) date range for the email delivery. | |
Filesystem | Map the location to the risk profile if the stored filesystem metadata matches the criteria or values defined for the (i) filesystem owner, (ii) filesystem creation date, and / or (iii) filesystem modified date. |
Risk Mapping Criteria Example
A Risk Admin creates a Risk Profile with the following configuration:
Field / Criteria | Value |
---|---|
Risk Label | HIPAA Compliance (Strict) |
Risk Level | High |
Data Types | |
Operation | No Status, Confirmed Match, Unable to mask, Unable to quarantine, Unable to encrypt, Unable to delete, Unable to modify permissions |
In this configuration, a sensitive data match location will be mapped to the "HIPAA Compliance (Strict)" risk profile with a ⬤ risk level if all the following criteria are fulfilled:
- Data Types criteria
- The match location contains at least one United States Social Security Number (robust) data type match, and
- At least one match from at least three of the selected personal identifiable (PI) data types (United States Health Insurance Claim Number (relaxed), United States Health Plan Identifier (relaxed), Date Of Birth, Email addresses, Personal Names (English)), and
- At least one match from any of the selected cardholder data types (American Express,
China Union Pay, Diners Club, Discover, JCB, Laser, Maestro,
Mastercard, Private Label Card, Troy, Visa), or
At least one match from the selected bank account number data types (Generic Bank Account Number, International Bank Account Number (IBAN)).
- Operation criteria
- The match location has any of the selected Operation statuses (No Status, Confirmed Match, Unable to mask, Unable to quarantine, Unable to encrypt, Unable to delete, Unable to modify permissions).
The "HIPAA Compliance (Strict)" risk profile may be mapped to all locations regardless of the metadata or access permissions information reported by the location since no Location, Metadata and Access criteria was configured for the risk profile.