Egnyte Secure & Govern offers several built-in classification policies and patterns that are targeted toward compliance with data security and privacy standards in several regional jurisdictions. An overview of all available policies can be found in this article. Detailed policy-matching criteria for some specific policies and patterns can be found below.
Table of Contents:
- Architecture, Engineering & Construction
- Finance
- General Privacy
- Government & Defense
- Healthcare
- Other Policies
- Sensitive Content Patterns
- Pattern Definitions
- Financial
- Document Types
Specific Classification Policy Criteria
Architecture, Engineering & Construction
Building Safety Act
Searches for keywords that relate to the UK Building Safety Act. Examples include Building Control, Fire Safety, Emergency Exit.
Finance
GLBA: Gramm-Leach-Bliley Financial Modernization Act Policy
To match the Narrow Version, an object must contain the following:
- Social Security Number (US)
- In addition to SSN, a match to at least one of the following:
  - Registered Investment Advisors (RIAs)
  - US Bank names
  - Bank account number (US)
  - Credit/debit card number
  - MagStripe Track
Policy criteria: To match the Broad Version, an object must match any of the Personally Identifiable Information (PII) patterns of the US, which include:
- Social Security Number (US)
- Drivers License Number (US)
- VISA Number (US), and any other pattern added in the future for the US under the PII tag
- Passport Number
In addition to the above, a match to at least one of the following:
- Registered Investment Advisors (RIAs)
- US Bank names
- Bank account number (US)
- Credit/debit card number
- MagStripe Track
- At least two Personal Finance terms
PCI-DSS: Payment Card Industry Data Security Standard Policy
Policy criteria: To match the PCI-DSS Policy, an object must contain Payment Information, which includes any of the following:
- Credit/Debit Card Number
- MagStripe Track
SOX: Sarbanes-Oxley Act Policy
Policy criteria: To match the SOX Policy, an object must contain at least one of the following:
- Corporate Information of the US and Securities and Exchange Commission (SEC) Fair Disclosure forms. Corporate Information includes:
  - IRS Employer Identification Number (US)
  - National Provider Identifier (NPI) number (US)
  - DEA Registration Number
- IRS Employer Identification Number (US) with at least five unique terms from Common Financial Statement Terms
- At least ten unique Common Financial Statement Terms
General Privacy
CCPA: California Consumer Privacy Act Policy
To match the Narrow Version, an object must contain the following:
- A match to any of the following patterns, only if a person's name is found within 200 characters of the matched content:
  - Social Security Number
  - Drivers License Number (US)
  - VISA Number (US)
  - MagStripe track
  - Credit/debit card number
  - Bank account number (US)
  - Health Insurance Claim Number (US)
Policy criteria: To match the Broad Version, an object must contain at least one of the following:
- A match to any of the following patterns, only if a person's name is found within 200 characters of the matched content:
  - Social Security Number
  - Drivers License Number (US)
  - VISA Number (US)
  - MagStripe track
  - Credit/debit card number
  - Bank account number (US)
  - Health Insurance Claim Number (US)
- A match to any of the following patterns, only if a privacy policy keyword is found within 200 characters of the matched content:
  - Email address
GDPR: General Data Protection Regulation Policy
Policy Criteria: To match the Narrow Version, an object must contain at least one of the following:
- Any Personally Identifiable Information (PII) of the EU, which includes:
  - EU countries Driver's License Number
  - EU countries National Identifiers Number, and any other pattern added in the future for the EU under the PII tag
  - Passport Number
- Any Banking Information (PIFI) of the EU, which includes:
  - EU countries IBAN number
  - EU bank identifiers and bank account number
  - EU countries Single Euro Payments Area (SEPA) number
  - EU countries VAT number, and any other pattern added in the future for the EU under the PIFI tag
- Any Personal Health Information (PHI) of the EU, which includes:
  - Personal Health Identifiers of supported EU countries, and any other pattern added in the future for the EU under the PHI tag
Policy Criteria: To match the Broad Version, an object must contain Partially Personal Information (PPI), but only if a person's name is found within 200 characters of the matched content, which includes:
- EU Postal Address
- EU Telephone Number, and any other pattern added in the future for the EU under the PPI tag
- Email Address
- Date of Birth
- IP Address
- WebLog
- Any Personally Identifiable Information (PII) of the EU, which includes:
  - EU countries Driver's License Number
  - EU countries National Identifiers Number, and any other pattern added in the future for the EU under the PII tag
  - Passport Number
- Any Banking Information (PIFI) of the EU, which includes:
  - EU countries IBAN number
  - EU bank identifiers and bank account number
  - EU countries Single Euro Payments Area (SEPA) number
  - EU countries VAT number, and any other pattern added in the future for the EU under the PIFI tag
- Any Personal Health Information (PHI) of the EU, which includes:
  - Personal Health Identifiers of supported EU countries, and any other pattern added in the future for the EU under the PHI tag
Government & Defense
CUI: Controlled Unclassified Information
To match the narrow CUI policy, an object must contain a match to at least one of the following (based on the category marking list).
General rules for markings:
- Markings are mostly UPPERCASE letters with some hyphen characters and spaces - dissemination controls (see below) may contain lowercase characters.
- Markings are split into portions which are separated by '//' and '/'.
- There is a defined set of values for markings - note that the sets of possible values are CASE SENSITIVE.
Marking makeup:
- Markings always begin with CONTROLLED or CUI (the two are interchangeable).
- Optionally, after CONTROLLED or CUI: // followed by one or more category markings. Multiple category markings are separated by a single forward slash (/).
- Optionally, after the category markings: // followed by one or more dissemination controls. Multiple dissemination controls are separated by a single forward slash (/).
Valid examples (note that all of the following would appear in the header of documents that meet CUI):
- CUI (Basic marking, no category marking)
- CONTROLLED (alternative basic marking, no category marking)
- CUI//PERS/ (Single category marking)
- CUI//SP-PERS/SP-SUB (Multiple category markings)
- CUI//PERS//NOFORN (single category, single dissemination control)
- CUI//SP-PERS/SP-SUB//NOFORN/NOCON (multiple categories, multiple dissemination controls)
- CONTROLLED//SP-PERS//REL TO [USA, AUS, CAN] (single category, single dissemination control with country codes)
The broad version of the CUI policy will search for content that could constitute CUI based on keywords in the content and CUI banner markings listed in the Narrow version.
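The marking rules above describe a small grammar: a designator, an optional `//` category portion split on `/`, and an optional `//` dissemination portion split on `/`, all matched case sensitively. The following Python is an added example (not Egnyte's code) that parses a banner line against exactly that grammar and scans a document header for valid markings. The category and control vocabularies are a constructed subset taken only from the examples on this page, and the `REL TO [...]` shape and the five-line header window are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed subset of the category and dissemination-control vocabularies, taken only
# from the examples on this page. The real lists are larger and are case sensitive, so
# nothing below normalises case.
KNOWN_CATEGORIES = {"PERS", "SP-PERS", "SP-SUB"}
KNOWN_CONTROLS = {"NOFORN", "NOCON"}
# "REL TO [USA, AUS, CAN]" style control: assumed shape, three-letter codes in brackets.
REL_TO_RE = re.compile(r"^REL TO \[[A-Z]{3}(?:, [A-Z]{3})*\]$")


@dataclass
class CuiMarking:
    designator: str   # "CUI" or "CONTROLLED"
    categories: list  # e.g. ["SP-PERS", "SP-SUB"]
    controls: list    # e.g. ["NOFORN", "NOCON"]


def parse_cui_marking(line: str):
    """Parse one banner line into a CuiMarking, or return None if it is not a valid marking."""
    portions = line.strip().split("//")
    if portions[0] not in ("CUI", "CONTROLLED"):
        return None  # wrong designator, or wrong case such as "cui"
    if len(portions) > 3:
        return None  # only designator // categories // controls is allowed
    categories, controls = [], []
    if len(portions) >= 2:
        # A trailing '/' is tolerated (the page lists "CUI//PERS/" as valid).
        categories = [p for p in portions[1].split("/") if p]
        if not categories or any(c not in KNOWN_CATEGORIES for c in categories):
            return None
    if len(portions) == 3:
        controls = [p for p in portions[2].split("/") if p]
        if not controls:
            return None
        if any(c not in KNOWN_CONTROLS and not REL_TO_RE.match(c) for c in controls):
            return None
    return CuiMarking(portions[0], categories, controls)


def find_cui_markings(document: str, header_lines: int = 5):
    """Return the valid markings found in a document's header (first header_lines lines)."""
    found = []
    for line in document.splitlines()[:header_lines]:
        marking = parse_cui_marking(line)
        if marking is not None:
            found.append(marking)
    return found


# Constructed sample document; the first line is the banner marking.
SAMPLE_DOC = """CUI//SP-PERS/SP-SUB//NOFORN/NOCON
Personnel Review Summary
Body text with an unrelated lowercase mention of cui//pers that must not count.
"""

if __name__ == "__main__":
    for m in find_cui_markings(SAMPLE_DOC):
        print(m)
```

Because the vocabularies are checked as exact strings, `cui//PERS` and `CUI//NOFORN` (a control in the category slot) are both rejected, which is the behaviour the case-sensitivity and defined-value rules above call for.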
ITAR: International Traffic in Arms Regulations
Policy criteria: To match the ITAR policy, an object must contain a match to at least one of the following:
- US Munitions, which consists of 19 different lists of munitions keywords based on the US Munitions List
- AECA Debarred Parties List, based on the Trade Controls Debarred Parties list
- Export Control and Distribution Statement List
Healthcare
HIPAA: Health Insurance Portability and Accountability Act
Policy Criteria: To match the Narrow Version, an object must contain:
1. Any of the following:
   - Social Security Number (US)
   - Health Insurance Claim Number
2. In addition to #1 above, a match to at least one of the following within 200 characters of the match from #1:
   - ICD-10 Codes
   - ICD-10 Ailments Narrow version
   - ICD-10 PCS Codes
   - ICD-10 PCS Procedures
   - CPT Codes
   - CPT Procedures Narrow version
   - National Provider Identifier (NPI) number
   - DEA Registration Number
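The narrow HIPAA criteria, like the narrow CCPA and broad GDPR criteria earlier on this page, are proximity rules: a strong identifier must co-occur with a second pattern within 200 characters. The Python below is an added example (not Egnyte's code) of how such a window is evaluated. The SSN and ICD-10 expressions are constructed approximations rather than the product's definitions, the Health Insurance Claim Number anchor is omitted, and the NPI companion is validated with the public NPI check-digit rule (Luhn over the digits with the constant prefix 80840) so that an arbitrary ten-digit number does not count.

```python
import re

# Constructed approximations of the page's patterns; the product's actual pattern
# definitions are not published on this page, so these exist only to drive the example.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ICD10_RE = re.compile(r"\b[A-Z]\d{2}(?:\.[A-Z0-9]{1,4})?\b")  # e.g. E11.9, J45
NPI_CANDIDATE_RE = re.compile(r"\b\d{10}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check over a digit string (check digit is the last digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_valid_npi(candidate: str) -> bool:
    """An NPI is 10 digits whose Luhn check is computed with the constant prefix 80840."""
    return len(candidate) == 10 and candidate.isdigit() and luhn_ok("80840" + candidate)


def find_spans(pattern, text, validator=None):
    """(start, end, match) for every regex hit, optionally filtered by a validator."""
    return [(m.start(), m.end(), m.group())
            for m in pattern.finditer(text)
            if validator is None or validator(m.group())]


def gap(a, b) -> int:
    """Characters between two (start, end) spans; 0 when they touch or overlap."""
    return max(0, max(a[0], b[0]) - min(a[1], b[1]))


def hipaa_narrow_matches(text: str, window: int = 200):
    """Return (identifier, companion) pairs where a medical term lies within `window`
    characters of an SSN. The page's Health Insurance Claim Number anchor is omitted here."""
    anchors = find_spans(SSN_RE, text)
    companions = (find_spans(ICD10_RE, text)
                  + find_spans(NPI_CANDIDATE_RE, text, is_valid_npi))
    hits = []
    for a in anchors:
        for c in companions:
            if gap(a[:2], c[:2]) <= window:
                hits.append((a[2], c[2]))
    return hits


# Constructed sample records (no real identifiers).
POSITIVE = "Patient SSN 123-45-6789. Dx E11.9 recorded by provider NPI 1234567893."
FAR_APART = "SSN 123-45-6789 " + "x" * 300 + " later note: Dx E11.9"
NO_ANCHOR = "Take vitamin B12 daily."            # B12 looks like an ICD code but has no anchor
BAD_NPI = "SSN 123-45-6789 provider 1234567891"  # fails the 80840 Luhn check

if __name__ == "__main__":
    print(hipaa_narrow_matches(POSITIVE))
```

The `NO_ANCHOR` record shows why the narrow policy anchors on an identifier: a loose code pattern alone would flag ordinary text such as a vitamin name, while the window rule only fires when the identifier and the medical term appear together. The same `gap` computation serves the name-proximity rules for CCPA and GDPR once a name pattern is supplied.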
Policy Criteria: To match the Broad Version, an object must contain one identifier from each of the following lists:
- Personally Identifiable Information (PII) or Personal Health Information (PHI) of the US, which includes:
  - Person Name
  - Postal Address (US)
  - Date of Birth
  - Telephone/Fax Number (US)
  - Email address
  - Social Security Number (US)
  - Bank Account Number
  - VIN Number (US)
  - IP Addresses
- Medical terminology in one of the following categories:
  - ICD-10 Codes
  - ICD-10 Ailments
  - ICD PCS Codes
  - ICD PCS Procedures
  - CPT Codes
  - CPT Procedures
  - National Provider Identifier (NPI) number
  - DEA Registration Number
  - CMS Forms
  - Proprietary and generic names of drugs approved by the US FDA
Other Policies
Encryption keys and API secrets
Detects API keys and web secrets from top industry vendors. Examples include: AmazonAWSAccessKey, GoogleAPIKey, RSAKey, PGPKey.
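To show what a vendor-format secret detector of the kind described above does with a file, here is an added Python example (not Egnyte's code). It recognises two of the listed kinds, AWS access key IDs and PEM private key blocks (covering the RSA and PGP examples), using their public formats, and redacts the matched key ID in its findings so that a classification report does not re-expose the secret. The detector table, sample file and key value are all constructed for the example; the real vendor list is longer.

```python
import re

# Constructed detector table. The AWS access key ID shape (AKIA + 16 upper-case
# alphanumerics) and the PEM "BEGIN ... PRIVATE KEY" armour are public formats; the
# vendor list on this page is longer and its exact expressions are not published here.
# Each entry: kind -> (regex, whether the matched text itself is the secret and must be redacted)
SECRET_PATTERNS = {
    "AmazonAWSAccessKey": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), True),
    # Matches the armour header of RSA, EC, OPENSSH, PGP and unlabelled private keys.
    "PrivateKeyBlock": (re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY(?: BLOCK)?-----"), False),
}


def redact(value: str, keep: int = 4) -> str:
    """Keep the first `keep` characters so a finding can be triaged without re-exposing the secret."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_for_secrets(text: str):
    """Return (kind, line_number, reported_value) for every hit; line numbers are 1-based.
    Key IDs are redacted; a PEM header is reported as-is because the header itself is not secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, (pattern, is_secret) in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((kind, lineno, redact(m.group()) if is_secret else m.group()))
    return findings


# Constructed sample file; the key ID is a placeholder, not a real credential.
SAMPLE = """# constructed config file, not a real credential
aws_access_key_id = AKIAEXAMPLE000000000
aws_secret_access_key = not-matched-by-this-example
-----BEGIN RSA PRIVATE KEY-----
MIIEconstructedbase64...
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for finding in scan_for_secrets(SAMPLE):
        print(finding)
```

The third line of the sample is deliberately not matched: the AWS secret access key has no fixed prefix, so detecting it needs either the key-ID context on a neighbouring line or an entropy measure, which is the kind of tuning a vendor pattern set carries beyond this example.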
Sensitive Content Patterns
Pattern Definitions
Corporate
Documents are identified based on keywords that indicate confidentiality in documents. Examples include Confidential, Privileged, Secret.
Financial
Common Financial Statement Terms
Documents are identified based on keywords that are common in financial statements. Examples include Accounts Payable, Dividend Income, Gross Profit.
Registered Investment Advisors
Documents identified as including registered investment advisors based on the SEC list.
Personal Finance Terms
Documents are identified based on keywords that are common in personal finance. Examples include Account Number, Cardholder, Home Equity.
Document Types
Document Classes
Classes trained on industry standards and customer-provided documents of similar types.
Classes trained on Architecture, Engineering, and Construction industry-standard formats and customer-provided documents of similar types.
CMS forms
Documents matching specific CMS forms. The forms identified are:
- CMS-1500
- CMS-1450
- CMS-1490
- CMS-4040
- CMS-L564
- CMS-R285
- CMS-40B
- CMS-10036
- CMS-10106
- CMS-10114
- CMS-10125
- CMS-10126
- CMS-10269
- CMS-10287
- CMS-1696
- CMS-1771
- CMS-1980
- CMS-20027
- CMS-2628
- CMS-20031
- CMS-2728
Fannie Mae 1003 Mortgage Application - Uniform Residential Loan Application used by lenders to obtain personal financial information from borrowers.
Credit Report Forms - Documents related to the Fair Credit Reporting Act. Keywords include Credit Score, Financial Statement, and Public Records.
Merger & Acquisition (M&A) Documents - Common terms associated with documents such as Merger Agreements, Asset Purchase Agreements, and Letters of Intent.
SEC Forms - The SEC forms identified are 6-K, 8-A, 8-K, Form 10, 10-D, 11-K, 13-F, 20-F, CB, 40-F, SCI, S-1, S-11, Form 144, Form 10-K, and Form 10-Q.