Security advisor for data protection

Supported editions for this feature: Business Plus; Enterprise Standard and Enterprise Plus. Compare your edition

With Security advisor’s data protection feature, you can block (or warn) your users when they try to share sensitive data outside your organization. You can protect against sharing of the following types of data:

  • Personal identifiable information (PII)—email addresses, Social Security numbers, full names and addresses
  • Financial data—Bank account numbers, credit card numbers
  • Healthcare data—National insurance numbers'
  • Global sensitive data—IMEI numbers, IP addresses

Security advisor for data protection also performs regular scans of your Drive files, identifies when sensitive files are being shared externally, and recommends the appropriate data protection settings to prevent sharing.

Admin privileges needed

Before you begin, sign in to your super administrator account or a delegated admin account with these privileges:

  • View DLP rule
  • Manage DLP rule

Note that you must enable both View and Manage permissions to have complete access for viewing and editing Security advisor for data protection settings. We recommend you create a custom role that has both privileges. 

Default settings 

Default Security advisor data protection settings vary according to your Workspace edition:

Business Plus

Enterprise Standard or Enterprise Plus

Data protection is off by default.

View or change Security advisor data protection settings

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenAccess and data controland thenData protection.
  3. In the Security advisor section, click Go to security advisor for data protection.

    The main settings page shows the four data type categories:

    • Personal identifiable information (PII)
    • Financial data
    • Healthcare
    • Global sensitive data

    Each category contains a subset of data types. You can apply a setting to the category as a whole, or drill down into a category and make custom settings for each data type in the category.

About data types

Security advisor for data protection data types are a subset of the predefined content detectors that are available in Workspace’s data loss prevention (DLP) feature. For more information on a specific data type:

  1. Go to How to use predefined content detectors.

    Content detectors are grouped by country or by category (such as Global).

  2. Locate and expand the category that matches the data type. For example, for Canada - Passport, expand the Canada section.
  3. Locate the specific detector in the table.

 

Apply a setting to a category as a whole

  1. Click the dropdown menu at right and choose an option: Warn users, Block users, or Off.
  2. A prompt confirms the update.

The setting at the category level applies to all the data types within the category and resets any customized settings you may have made to individual data types within the category.

Apply settings to individual data types within a category

  1. Click the pulldown menu next to a category and choose Customize.  

    The data types for that category open on a new tab.

  2. Next to a data type, click the pulldown menu and choose a setting: Warn users, Block users, or Off.
  3. Close the tab to return to the main settings page.

The setting for the category changes to Customized to indicate that you’ve made individual settings for that category. (You may need to refresh the main page to see the changed setting.)

Edit default data protection rules

Security advisor data protection settings have associated default data protection rules, which you can view and edit.

  • For default rules, editing is limited—you can change the action associated with the data protection setting (Warn, Block), or turn the rule on or off.
  • For Enterprise customers, we recommend reviewing the default protection rules to ensure that they don’t conflict with any existing DLP custom rules you may already have in effect.
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenAccess and data controland thenData protection.
  3. To display default rules:
    • (Enterprise) In Data protection rules and detectors, click Manage rules.
    • (Business Plus) In Data protection rules, click Manage rules  

    In the rules list, Security advisor data protection rules have a [Default] prefix.

  4. (Optional) To turn a rule on or off from the rule list, change the setting in the Status column (Active or Inactive).

    Note: This is equivalent to turning the setting to Off in Security advisor data protection settings.

  5. (Optional) Click a default rule to open its settings page.
    • Click the status pulldown menu at left to make a rule Active or Inactive.
    • Click Actions to change the rule action.
  6. (If you clicked Actions) On the Edit rule screen, in Actions, set the action (block or warn), then click Continue.
  7. Review settings and click Update.

Any changes you make to the default rules are reflected in the rule status when viewed again in Security advisor data protection settings.

Related articles

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
17269519239661151748
true