Egnyte Secure & Govern offers several built-in classification policies that are targeted toward compliance with data security and privacy standards in several regional jurisdictions. An overview of all available policies can be found in this article. Detailed policy-matching criteria for some specific policies can be found below.
Quick links to individual policy criteria:
HIPAA: Health Insurance Portability and Accountability Act
Egnyte HIPAA Narrow Version
Egnyte HIPAA Broad Version
GDPR: General Data Protection Regulation Policy
Egnyte GDPR Narrow Version
Egnyte GDPR Broad Version
CCPA: California Consumer Privacy Act Policy
Egnyte CCPA Narrow Version
Egnyte CCPA Broad Version
GLBA: Gramm-Leach-Bliley Financial Modernization Act Policy
Egnyte GLBA Narrow Version
Egnyte GLBA Broad Version
PCI-DSS: Payment Card Industry Data Security Standard Policy
SOX: Sarbanes-Oxley Act Policy
ITAR: International Traffic in Arms Regulations
CUI: Controlled Unclassified Information
Egnyte CUI Narrow Version
Egnyte CUI Broad Version
Specific Classification Policy Criteria
HIPAA: Health Insurance Portability and Accountability Act
Egnyte HIPAA Narrow Version
Policy Criteria: To match the Narrow Version, an object must contain:
1. Any of the following:
   - Social Security Number (US)
   - Health Insurance Claim Number
2. In addition to #1 above, a match to at least one of the following within 200 characters of the above match:
   - ICD-10 Codes
   - ICD-10 Ailments Narrow version
   - ICD-10 PCS Codes
   - ICD-10 PCS Procedures
   - CPT Codes
   - CPT Procedures Narrow version
   - National Provider Identifier (NPI) number
   - DEA Registration Number
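The two-part Narrow rule (an identifier plus a medical term within 200 characters) can be reproduced locally to build test fixtures that should and should not trigger the policy. The following Python is an added example, not Egnyte's implementation: the function names are hypothetical, the SSN and ICD-10 regular expressions are simplified stand-ins, and distance is assumed to be the number of characters between the end of one match and the start of the other.

```python
import re

# Simplified stand-in detectors (assumptions; Egnyte's own patterns are not
# given on this page).
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
ICD10 = re.compile(r"\b[A-TV-Z]\d[0-9AB](?:\.[0-9A-Z]{1,4})?\b")  # e.g. E11.9
WINDOW = 200  # proximity limit stated by the policy


def gap(a, b):
    """Characters between two (start, end) spans; 0 if they touch or overlap.

    Assumption: distance is measured between the nearest edges of the matches.
    """
    return max(0, b[0] - a[1], a[0] - b[1])


def hipaa_narrow_hits(text, window=WINDOW):
    """Return (identifier, medical_code, gap) for every pair within the window."""
    hits = []
    for ident in SSN.finditer(text):
        for code in ICD10.finditer(text):
            distance = gap(ident.span(), code.span())
            if distance <= window:
                hits.append((ident.group(), code.group(), distance))
    return hits


# Constructed test fixtures, not real data.
NEAR = "Patient SSN 123-45-6789 was seen for dx E11.9 on follow-up."
FAR = "SSN 123-45-6789 " + "x " * 150 + "dx E11.9"
CODE_ONLY = "Billing note: dx E11.9, no identifiers recorded."

if __name__ == "__main__":
    for name, doc in (("NEAR", NEAR), ("FAR", FAR), ("CODE_ONLY", CODE_ONLY)):
        print(name, hipaa_narrow_hits(doc))
```

Only the first fixture satisfies both conditions; the second contains both data types but too far apart, and the third lacks the identifier entirely.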
Egnyte HIPAA Broad Version
Policy Criteria: To match the Broad Version, an object must contain one identifier from each of the following lists:
- Personally Identifiable Information (PII) or Personal Health Information (PHI) of US, which includes:
  - Person Name
  - Postal Address (US)
  - Date of Birth
  - Telephone/Fax Number (US)
  - Email address
  - Social Security Number (US)
  - Bank Account Number
  - VIN Number (US)
  - IP Addresses
- Medical terminology in one of the following categories:
  - ICD-10 Codes
  - ICD-10 Ailments
  - ICD PCS Codes
  - ICD PCS Procedures
  - CPT Codes
  - CPT Procedures
  - National Provider Identifier (NPI) number
  - DEA Registration Number
  - CMS Forms
  - Proprietary and generic names of drugs approved by the US FDA
GDPR: General Data Protection Regulation Policy
Egnyte GDPR Narrow Version
Policy Criteria: To match the Narrow Version, an object must contain at least one of the following:
- Any of Personally Identifiable Information (PII) of EU, which includes:
  - EU countries Driver's License Number
  - EU countries National Identifiers Number
  - Any other pattern added in the future for EU under the PII tag
  - Passport Number
- Any of Banking Information (PIFI) of EU, which includes:
  - EU countries IBAN number
  - EU bank identifiers and bank account number
  - EU countries Single Euro Payments Area (SEPA) number
  - EU countries VAT number
  - Any other pattern added in the future for EU under the PIFI tag
- Any of Personal Health Information (PHI) of EU, which includes:
  - Personal Health Identifiers of supported EU countries
  - Any other pattern added in the future for EU under the PHI tag
Egnyte GDPR Broad Version
Policy Criteria: To match the Broad version, an object must contain Partially Personal Information (PPI) but only if a person's name is found within 200 characters of the matched content which includes:
- EU Postal Address
- EU Telephone Number
- and if any other pattern is added in the future for EU under the PPI tag
- Email Address
- Date of Birth
- IP Address
- WebLog
- Any of Personally Identifiable Information (PII) of EU, which includes:
  - EU countries Driver's License Number
  - EU countries National Identifiers Number
  - Any other pattern added in the future for EU under the PII tag
  - Passport Number
- Any of Banking Information (PIFI) of EU, which includes:
  - EU countries IBAN number
  - EU bank identifiers and bank account number
  - EU countries Single Euro Payments Area (SEPA) number
  - EU countries VAT number
  - Any other pattern added in the future for EU under the PIFI tag
- Any of Personal Health Information (PHI) of EU, which includes:
  - Personal Health Identifiers of supported EU countries
  - Any other pattern added in the future for EU under the PHI tag
CCPA: California Consumer Privacy Act Policy
Egnyte CCPA Narrow Version
To match the Narrow Version, an object must contain the following:
- A match to any of the following patterns, only if a person's name is found within 200 characters of the matched content:
  - Social Security Number
  - Drivers License Number (US)
  - VISA Number (US)
  - MagStripe track
  - Credit/debit card number
  - Bank account number (US)
  - Health Insurance Claim Number (US)
Egnyte CCPA Broad Version
Policy criteria: To match the Broad Version, an object must contain at least one of the following:
- A match to any of the following patterns, only if a person's name is found within 200 characters of the matched content:
  - Social Security Number
  - Drivers License Number (US)
  - VISA Number (US)
  - MagStripe track
  - Credit/debit card number
  - Bank account number (US)
  - Health Insurance Claim Number (US)
- A match to any of the following patterns, only if a privacy policy keyword is found within 200 characters of the matched content:
  - Email address
GLBA: Gramm-Leach-Bliley Financial Modernization Act Policy
Egnyte GLBA Narrow Version
To match the Narrow Version, an object must contain the following:
- Social Security Number (US)
- In addition to SSN, a match to at least one of the following:
  - Registered Investment Advisors (RIAs)
  - US Bank names
  - Bank account number (US)
  - Credit/debit card number
  - MagStripe Track
Egnyte GLBA Broad Version
Policy criteria: To match the Broad Version, an object must match any of Personally Identifiable Information (PII) of US, which includes:
- Social Security Number (US)
- Drivers License Number (US)
- VISA Number (US)
- Any other pattern added in the future for US under the PII tag
- Passport Number
In addition to the above, a match to at least one of the following:
- Registered Investment Advisors (RIAs)
- US Bank names
- Bank account number (US)
- Credit/debit card number
- MagStripe Track
- At least two Personal Finance terms
PCI-DSS: Payment Card Industry Data Security Standard Policy
Policy criteria: To match the PCI-DSS Policy, an object must contain Payment Information, which includes any of the following:
- Credit/Debit Card Number
- MagStripe Track
SOX: Sarbanes-Oxley Act Policy
Policy criteria: To match the SOX Policy, an object must contain at least one of the following:
- Corporate Information of US and the Securities and Exchange Commission (SEC) Fair Disclosure forms. Corporate Information includes:
- IRS Employer Identification Number (US)
- National Provider Identifier (NPI) number (US)
- DEA Registration Number
- IRS Employer Identification Number of US with at least five unique terms from Common Financial Statement Terms
- At least ten unique Common Financial Statement Terms
ITAR: International Traffic in Arms Regulations
Policy criteria: To match the ITAR policy, an object must contain a match to at least one of the following:
- US Munitions, which consists of 19 different lists of munitions keywords
- AECA Debarred Parties List
- Export Control and Distribution Statement List
CUI: Controlled Unclassified Information
Egnyte CUI Narrow Version
To match the CUI policy, an object must contain a match to at least one of the following (based on https://www.archives.gov/cui/registry/category-marking-list):
General rules for markings:
- Markings are mostly UPPERCASE letters with some hyphen characters and spaces. Dissemination controls (see below) may contain lowercase characters.
- Markings are split into portions, which are separated by '//' and '/'.
- There is a defined set of values for markings. Note that the sets of possible values are CASE SENSITIVE.
Marking makeup:
- Markings always begin with CONTROLLED or CUI (the two are interchangeable).
- Optionally, after CONTROLLED or CUI: '//' followed by one or more category markings. Multiple category markings are separated by a single forward slash '/'.
- Optionally, after the category markings: '//' followed by one or more dissemination controls. Multiple dissemination controls are separated by a single forward slash '/'.
Valid examples (note that these markings appear in the header of documents that meet CUI):
- CUI (basic marking, no category marking)
- CONTROLLED (alternative basic marking, no category marking)
- CUI//PERS/ (single category marking)
- CUI//SP-PERS/SP-SUB (multiple category markings)
- CUI//PERS//NOFORN (single category, single dissemination control)
- CUI//SP-PERS/SP-SUB//NOFORN/NOCON (multiple categories, multiple dissemination controls)
- CONTROLLED//SP-PERS//REL TO [USA,AUS,CAN] (single category, single dissemination control with country codes)
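The marking makeup described above can be checked mechanically, which is useful for verifying that document templates carry a banner the Narrow policy will recognize. The following Python is an added example, not Egnyte's implementation: the function names are hypothetical, the allowed category and dissemination values are only those that appear in the examples on this page (the full case-sensitive sets come from the registry list), and the header is assumed to be the first three lines of a document.

```python
import re

# Allowed values: only those shown in this page's examples (assumption). The
# full, case-sensitive sets come from the CUI registry category marking list.
CATEGORIES = {"PERS", "SP-PERS", "SP-SUB"}
DISSEMINATION = {"NOFORN", "NOCON"}
REL_TO = re.compile(r"REL TO \[[A-Z]{3}(?:,[A-Z]{3})*\]")  # REL TO [USA,AUS,CAN]


def parse_cui_banner(line):
    """Return (control, categories, dissemination), or None if not a valid banner."""
    text = line.strip()
    # The page lists "CUI//PERS/" as valid, so one trailing "/" is tolerated.
    if text.endswith("/") and not text.endswith("//"):
        text = text[:-1]
    portions = text.split("//")
    if len(portions) > 3 or portions[0] not in ("CUI", "CONTROLLED"):
        return None
    categories = portions[1].split("/") if len(portions) > 1 else []
    controls = portions[2].split("/") if len(portions) > 2 else []
    # Case-sensitive set membership: "CUI//Pers" or "cui//PERS" must not match.
    if any(c not in CATEGORIES for c in categories):
        return None
    if any(d not in DISSEMINATION and not REL_TO.fullmatch(d) for d in controls):
        return None
    return portions[0], categories, controls


def find_banner(document, header_lines=3):
    """Return the first valid banner in the assumed header region, else None."""
    for line in document.splitlines()[:header_lines]:
        parsed = parse_cui_banner(line)
        if parsed is not None:
            return parsed
    return None


# Constructed sample documents, not real data.
MARKED = "CUI//SP-PERS/SP-SUB//NOFORN/NOCON\nPersonnel review, Q3\nBody text"
UNMARKED = "Meeting notes\nThe CUI program was discussed.\nBody text"

if __name__ == "__main__":
    print(find_banner(MARKED))
    print(find_banner(UNMARKED))
```

The second sample mentions CUI in running prose but carries no banner line, so the parser returns nothing for it.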
Egnyte CUI Broad Version
The broad version CUI policy will search for content that could constitute CUI based on keywords in the content as well as CUI banner markings listed in the Narrow version.