Data governance¶

Can wildcard characters be used in the Specific Keywords section of the Data Governance module within the Coro Console?¶

In addition to wildcard character support, the Specific Keywords section supports searches based on regular expression (regex).

What is the difference between Can Access vs Can Access and Expose permissions?¶

Can Access and Expose: Users with these permissions can share sensitive data files and emails, as well as access files shared by other users. Tickets will not be generated.

Can access: Users with these permissions can access files containing sensitive data shared by other users without generating a ticket. However, such files cannot be shared, and sharing tickets will be generated.

Is Coro MITRE certified?¶

No, Coro is not MITRE certified.

Why does Coro only detect a small number of files containing sensitive data when a file scan is run?¶

The purpose of file scans (on endpoint drives and in general) is to identify files containing sensitive information so that administrators are notified of potential risks and can take appropriate measures, either by adjusting data governance permissions or by taking measures prescribed by their organization's data governance policy to protect the sensitive information in question. It is not necessary to detect all occurrences of each type of sensitive information within a given file for that, so Coro limits the number of such detected occurrences to optimize performance and (in the case of endpoint devices) improve end-user experience.

What social security number (SSN) pattern does Coro detect?¶

Coro recognizes social security numbers (SSNs) in the format: ###-##-####. Coro additionally detects SSNs on a predefined list of keywords if the SSN is in an unrecognized format.

Examples:

• 457-55-5462 is flagged as it is in the recognized format (###-##-####)
• 457555462 is not flagged as it is not in the recognized format (###-##-####)
• SSN 457555462 is flagged as a predefined keyword is detected despite the SSN not being in the recognized format (###-##-####)

Under what circumstances will Coro automatically close DLP tickets?¶

Tickets containing sensitive information, but do not require manual review by administrators are automatically closed.

Such tickets are included in the Coro console ticket log for audit, monitoring, analysis, and to satisfy regulatory compliance requirements. They are typically triggered automatically by events such as the detection of sensitive information in an email, file, or file sharing. Some examples of this type of ticket include:

PII: IP and MAC address. NPI: Monthly payment (Financial Content) and email address. PHI: Medical Records Number (MRN).

Why does Coro create multiple DLP tickets related to the same event?¶

Coro can identify stored sensitive information on user devices that potentially violate one or more regulatory or data compliance standards. Such information falls into one of the following categories:

Personally Identifiable Information (PII): Information that allows a reasonable inference of the identity of a person either directly or indirectly, such as full name, email address, passport number, or social security number.

Payment Card Industry (PCI): a set of security standards created by major credit card providers designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

Protected Health Information (PHI): Information about an individual's health or medical history that is collected, stored, used, or disclosed in the course of providing health care services, such as patient name, medical history, and health insurance details.

Non-Public Personal Information (NPI): personal financial information that is collected and stored by financial institutions, such as social security numbers, financial account numbers, home addresses, email addresses, income details, and employment information.

The following table lists sensitive information detectors that Coro is able to identify and their respective categories:

What is a false positive DLP ticket?¶

These tickets are most likely not false positives, but rather Coro is generating data monitoring tickets according to your Monitoring options under Data Governance.

To configure data monitoring in Coro, navigate to the Control Panel (the "gear" icon at the top-right).

From here, select the Data option followed by the Monitoring tab:

Enable or disable each option as applicable to your needs. Data Exposure relates to access and exposure of privacy-sensitive data via email and cloud drive sharing. Data Possession relates to privacy-sensitive data on devices, detected by remotely initiated scans.

Can I exclude certain indicators to limit the number of tickets generated by Coro?¶

Yes, you can exclude indicators. Navigate to the Control Panel (the "gear" icon at the top-right). From here, select the Data option followed by the Monitoring tab:

Is there a document available that details how Coro helps companies follow the NIST framework?¶

Please see the FISMA compliance document.

FISMA aims to reduce the potential risk of unauthorized data use, and to develop, document, and implement an information security and protection program disclosure. The governed federal agencies need to comply with the information security standards guidelines, and mandatory required standards developed by NIST.