How To Perform Remedial Actions

This section covers the following topics:

Overview
Review Matches
Remediate from Investigate
- Customize Tombstone Message
- Remediation Rules

Overview

Remediation is permanent
Remediation can result in the permanent erasure or modification of data. Once performed, remedial actions cannot be undone.

Matches found during scans must be reviewed and, where necessary, remediated. ER Cloud has built-in tools to mark and secure sensitive data found in these matches.

Remediating matches is done in two phases:

Review Matches
Remediate from Investigate

Navigate to the Investigate page to review the sensitive data matches found during scans, and perform remediation or delegate remediation where necessary.

To delegate remediation tasks to another user, refer to the Perform Delegated Remediation section.

All remedial actions are captured in the Operation Log (refer to the View Operation Log section). When attempting to remediate a match location, you are required to enter a name in the Sign-off field.

Review Matches

When matches are found during a scan, they are displayed in the Investigate page as match locations. The results grid, location filters and match inspector are some of the features available to help user review and verify the scan results.

Reporting resource permissions are required to review match results in the Investigate page. For the table of resource Permissions required to access specific features and/or components in Enterprise Recon Cloud, refer to the Permissions by ER Cloud Components section.

If a match is found to contain sensitive data, ER Cloud provides tools to report and secure the match location.

To delegate remediation tasks to another user, refer to the Perform Delegated Remediation section.

Remediate from Investigate

To remediate a match location from the Investigate page:

(Optional) Select one or more filters in the Filter Locations by panel and click Apply Filter to display Targets and match locations that fulfill specific criteria in the results grid.
Select the Targets and match locations that you want to remediate.

Click Remediate and select one of the following actions:

Remediation	Remedial Actions
Act directly on selected location	Mask all sensitive data - Masks all found sensitive data in the match location with a static mask. Masking data is destructive. It writes over data in the original file to obscure it. This action is irreversible, and may corrupt remaining data in masked files. Quarantine - Moves the files to a secure location you specify and leaves a tombstone text file in its place. Quarantine remedial action can only be performed if all selected match locations belong to a single Target. Delete Permanently - Securely deletes the match location (file) and leaves a tombstone text file in its place. Attempting to perform a Delete permanently action on files already deleted by the user (removed manually, without using the Delete permanently remedial action) will update the match status to "Deleted" but leave no tombstone behind. Encrypt file - Secures the match location using an AES encrypted zip file. For more information, refer to Act Directly on Selected Location in the Remedial Actions in ER Cloud section.
Mark locations for compliance report	Confirmed - Marks selected match location as "Confirmed". The location has been reviewed and found to contain sensitive data that must be remediated. Remediated manually - Marks selected match location as "Remediated Manually". The location contains sensitive data which has been remediated using tools outside of ER Cloud and rendered harmless. Test Data - Marks selected match location as "Test Data". The location contains data that is part of a test suite, and does not pose a security or privacy threat. False Match - Marks selected match location as a "False Match". The location is a false positive and does not contain sensitive data. Remove Mark - Unmarks selected location. Marking PCI data as test data or false matches When a match is labeled as credit card data or other data prohibited under the PCI DSS, you cannot add it to your list of Global Filters through the remediation menu. Instead, add the match you want to ignore by manually setting up a new Global Filter. For more information, refer to the Set Up Global Filter section. For more information, refer to Mark Locations for Compliance Report in the Remedial Actions in ER Cloud section.

Remediation

Remedial Actions

Act directly on selected location

Mask all sensitive data - Masks all found sensitive data in the match location with a static mask.

Masking data is destructive. It writes over data in the original file to obscure it. This action is irreversible, and may corrupt remaining data in masked files.
Quarantine - Moves the files to a secure location you specify and leaves a tombstone text file in its place.

Quarantine remedial action can only be performed if all selected match locations belong to a single Target.
Delete Permanently - Securely deletes the match location (file) and leaves a tombstone text file in its place.

Attempting to perform a Delete permanently action on files already deleted by the user (removed manually, without using the Delete permanently remedial action) will update the match status to "Deleted" but leave no tombstone behind.
Encrypt file - Secures the match location using an AES encrypted zip file.

For more information, refer to Act Directly on Selected Location in the Remedial Actions in ER Cloud section.

Mark locations for compliance report

Confirmed - Marks selected match location as "Confirmed". The location has been reviewed and found to contain sensitive data that must be remediated.
Remediated manually - Marks selected match location as "Remediated Manually". The location contains sensitive data which has been remediated using tools outside of ER Cloud and rendered harmless.
Test Data - Marks selected match location as "Test Data". The location contains data that is part of a test suite, and does not pose a security or privacy threat.
False Match - Marks selected match location as a "False Match". The location is a false positive and does not contain sensitive data.
Remove Mark - Unmarks selected location.

Marking PCI data as test data or false matches
When a match is labeled as credit card data or other data prohibited under the PCI DSS, you cannot add it to your list of Global Filters through the remediation menu. Instead, add the match you want to ignore by manually setting up a new Global Filter. For more information, refer to the Set Up Global Filter section.

For more information, refer to Mark Locations for Compliance Report in the Remedial Actions in ER Cloud section.

Only remedial actions that are supported across all selected match locations can be selected from the Remediate dropdown menu in the Investigate page. For more information, refer to Remediation Rules in the Remedial Actions in ER Cloud section

Remediate Specific Data Types

Apply data type filters to remediate specific data types for a selected match location.

For example, File A has one Personal Names (English) and two Mastercard matches. Only Mastercard matches will be remediated if Mastercard is the only data type filter that was selected when remedial action was taken.

If no data type filters are selected, all data type matches will be remediated for a selected match location.

Refer to Filter Targets and Locations in the View Investigate Page section.

Enter a name in the Sign-off field.
Enter an explanation in the Reason field.
Click Ok.

Once remediation operations are completed, the remediation dialog box progress bar reaches 100%. The Status column in the Investigate page will be updated to indicate if the remedial action taken was successful for each match location.

All remedial actions are captured in the Operation Log. Refer to the View Operation Log section.

Customize Tombstone Message

You can customize the contents of the tombstone text file that is left in place of a location that has been remediated using the Quarantine or Delete Permanently methods.

The message in the tombstone text file can be customized to provide useful information when someone tries to access the remediated locations. Separate messages can be configured for Quarantine and Delete Permanently tombstone text files.

You must have Global Admin or System Manager permissions to modify the contents of the tombstone text file.

Log in to the ER Cloud Web Console.
Go to the Settings > Remediation > Tombstone Text Editor page.
Go to the Quarantine Tombstone File or Delete Permanently Tombstone File section.
Click on Edit to customize the message in the tombstone text file. The character limit for the text is 1000.

If an empty tombstone message is saved, the tombstone message will automatically revert back to default ER Cloud tombstone message. For example, for Quarantine remediation, "Location quarantined at user request during sensitive data remediation".

Using non-ASCII characters may cause the tombstone message to be displayed incorrectly for users on unsupported platforms.
To ensure that users view meaningful content, configure a message with minimal non-ASCII characters, or set up a tombstone message that contains multiple languages.
Once done, click on Save. The new tombstone message will be applicable to all Targets.

For match locations with very small file sizes, the tombstone message may be truncated to ensure the tombstone file size does not exceed the original file size of the match location.

Names, email addresses, contact numbers or other PII data contained within the tombstone message will be detected as matches if the remediated locations are scanned again. You can use global filters to exclude the contents of tombstone text files from future scan results. Refer to the Set Up Global Filters section.

Remediation Rules

While remediation happens at individual file level, remediation action that can be taken is dependent on both the Target platform and file type.

For more information, refer to Remediation Rules in the Remedial Actions in ER Cloud section.