Chat now with support
Chat with Support

ControlPoint 8.7 - User Guide

Preface Getting Started with ControlPoint Using Discovery to Collect Information for the ControlPoint Database Cache Searching for SharePoint Sites Managing SharePoint Objects Using ControlPoint Policies to Control Your SharePoint Environment Managing SharePoint User Permissions Data Analysis and Reporting
Specifying Parameters for Your Analysis Analysis Results Display Generating a SharePoint Summary Report Analyzing Activity Analyzing Object Properties Analyzing Storage Analyzing Content Generating a SharePoint Hierarchy Report Analyzing Trends Auditing Activities and Changes in Your SharePoint Environment Analyzing SharePoint Alerts Analyzing ControlPoint Policies Analyzing Users and Permissions The ControlPoint Task Audit Viewing Logged Errors
Scheduling a ControlPoint Operation Saving, Modifying and Running Instructions for a ControlPoint Operation Using the ControlPoint Governance Policy Manager Using Sensitive Content Manager to Analyze SharePoint Content for Compliance Using ControlPoint Sentinel to Detect Anomalous Activity Provisioning SharePoint Site Collections and Sites Default Menu Options for ControlPoint Users About Us

Creating, Editing, and Deleting Sensitive Content Manager Profiles

IMPORTANT: As of Metalogix Sensitive Content Manager version 2.0:

·The concept of Public vs. Private Profiles has been eliminated.  All Profiles can be viewed by all members of the Compliance Administrators group.

·The range of possible Severity Thresholds has been reduced to between 1 and 10.  If you have upgraded from an earlier version, Standard (BuiltIn) Profiles will reflect this change.  Any Custom Profiles, as well as pending content submissions and/or ControlPoint Policies that use older Profiles, may need to be re-created.

To create a Sensitive Content Manager Custom Profile:

1.From the Manage panel, choose Compliance > Profile Maintenance.

SCM Profile Maintenance

2Click [Create].

3Enter a unique title for the Profile, as well as a description that will be visible to end users.

Create Complinace Profile Title and Description

4If different than the defaults, using a range from 1-10, adjust the relative weights (that is, the degree of severity of a possible content match) for each  threat level (Mild, Moderate, and Severe).

SCM Weight Values

5From the Search Term List, select the Search Term(s) that you want to add to the Profile, then click [Add] to move the term(s) to the Profile Search Terms list.

SCM Search Term Selection

NOTE:  If you want to include a Search Term that does not display in the list, you can create a custom Search Term.

6Click [Create].

To edit a Custom Profile:

1In the Compliance Search Terms Manager page, select the Custom Profile you want to edit, then click [Edit].

2Update fields as needed, then click [Update].

Note that BuiltIn Profiles are provided by Quest and cannot be edited or deleted.  

Deleting a Custom Profile

You can delete a Custom Profile only if:

·a content analysis job that uses the profile has not yet been run

AND/OR

·it is not being used by any ControlPoint Policies.

Managing Compliance Search Terms

Sensitive Content Manager includes a number of out-of-the-box BuiltIn Search Terms for use in creating Profiles.  These include terms related to:

·Personal Identification Information (PII)

·Payment Card Information (PCI)

·Protected Health Information (PHI)

·General Data Protection Regulation (GDPR) compliance.

NOTE: Note that Quest continually adds Standard (BuiltIn) Search Terms, which cannot be edited or deleted.

Members of the Compliance Administrators can also create and maintain custom Search Terms to meet the organization's unique compliance needs.

To launch the Compliance Search Terms Manager page:

From the Manage panel, choose Compliance > Search Terms Maintenance.

NOTE:  You can also access this page from the Compliance Profile Manager page by clicking [Create Custom Search Term].

Compliance Search Terms

To create custom Search Terms:

1Click [Create].

2Enter a Search Term Title and Search Term Description.

SCM Search Term Info

4.Enter a valid regex expression.  

NOTE:  Do not enter any leading or ending slashes (/)

SCM Regex Expression

5.To test the validity of the expression:

a)enter representative text in the Sample Text Goes Here: field.

SCM Search Term Sample Text

b)Click the [Test Expression] at the bottom of the dialog.

A pop-up will display informing you that either:

§a match can be found for the text using the given regex

SCM  Regex Validate

OR

§a match cannot be found for the text using the given regex.

SCM Validate Fail

 

To edit a custom Search Term:

1In the Compliance Search Terms Manager page, select the term that you want to edit, then click [Edit].

SCM Search Term EDIT

2Update fields as needed, then click [Update].

NOTE: Any Search Term for which the regex is not visible is a BuiltIn Term provided by Quest that cannot be edited.

SCM Seach Term Uneditible Enabled

Defining Compliance Action Rules

Members of the ControlPoint Compliance Administrators group can define Compliance Action rules to determine how non-compliant content should be handled, based on the severity level detected.  You can also specify that one or more users be alerted via email when a Compliance Action is taken.

REMINDER:  Metalogix Sensitive Content Manager version 2.0 or later must be installed in your environment and you must be a member of the ControlPoint Compliance Administrators group to use this functionality.

To access the Compliance Actions page:

Use the information in the following table to determine the appropriate action to take.

If you are creating ...

Then ...

a global set of rules independent of a particular scan job

from the Manage panel, choose Compliance > ControlPoint Compliance Actions.

a set of rules for a specific scan job that has been returned from Metalogix Sensitive Content Manager

·From the Compliance Summary page, select the scan job to which you want to apply the rule.

·Click [Apply Compliance Actions].

a ControlPoint Policy to scan for sensitive content

from the Create ControlPoint Policy page, select one of the policies to scan for sensitive content:

·Scan items for sensitive data when content is updated

OR

·Scan items for sensitive data when content is updated or saved.

To define Compliance Action rules:

1Enter a unique name to create a new Compliance Action, or choose an existing action from the drop-down.

Compliance Actions NAME

WARNING:  If you choose to Update Existing Compliance Actions, the changes will be applied to all scan jobs that use it going forward.  This is especially noteworthy in the case of ControlPoint policies, because once the policy is created the most current definition of the Compliance Actions is applied automatically based on scan results.

2For each of the Severity levels (Mild, Moderate, and Severe), specify the action that should be applied when a threat is detected.  You can choose to have ControlPoint:

·Take No Action on non-compliant content

·Quarantine non-compliant content

·Use an Approval Workflow to address non-compliant content

·Remove non-compliant content

Note that an action must be defined for all three severity levels.  You can navigate from one rule to the next via the Select actions for threat level: button.

Compliance Actions Select Level

3If you want ControlPoint to send an email alert when a specified action is taken:

a)Check the Alert Users box.

b)Click [Create New User].

c)Complete the Select Users for the user to which you want to send the alert.

NOTE:  Currently, you can only select one user at a time.  Repeat substeps b) and c) for each user you want to alert.

If you have chosen to have ControlPoint Quarantine an item with non-compliant content, you can also choose to have an alert sent to all members of the ControlPoint Compliance  Administrators group.

Compliance Rules QUARANTINE GROUP ALERT

If you have chosen to use an Approval Workflow, follow the instructions for "Using an Approval Workflow," following.

4When you have finished defining Compliance Rules for each Severity Level, click [Save].

Using An Approval Workflow

If you have chosen to use an Approval Workflow to address non-compliant content, after clicking the [Create New User] button:

1First, select the user who will be notified by ControlPoint to start the workflow when non-compliant content is found

2Select additional users who will be designated as approvers.

Compliance Actions WORKFLOW

NOTE:  The user you select to start the workflow must have permissions to Edit Items and approvers must have permissions to Approve Items for lists within the scope of the Compliance Action.

You can also choose to have SharePoint notify approvers

§One at a Time (Serial)

OR

·All At Once (Parallel)

3Click [Add User].

4If you want SharePoint to notify additional users when an approval workflow starts and ends:

a)Click [Create New User].

b)Select the users you want to notify.

c)Choose Notify these people when the workflow starts and ends without assigning tasks to them.

d)Click [Add User].

5For Request, enter the message that you want to be sent to users with assigned tasks.

Compliance Action WORKFLOW 2

Compliance Action Alert Email

When a Compliance Action rule includes an alert, an email, which identifies the Severity Level and action taken, is automatically sent to selected recipients.

ControlPoint Application Administrators can change the default text for the email by updating the applicable ControlPoint Configuration Setting:

·ComplianceMildLevelThreatsEmailBody

·ComplianceModerateLevelThreatsEmailBody

·ComplianceSeverLevelThreatsEmailBody

Refer to the ControlPoint Administrators Guide for details.

Deleting a Compliance Action Rule

You can delete a Compliance Action rule only if it is not being used by any ControlPoint Policies.

Setting Sensitive Content Manager EndPoints and Managing Scanning Preferences

ControlPoint Application Administrators use the ControlPoint Sensitive Content Manager Configuration dialog to set EndPoints to point to the server(s) on which Sensitive Content Manager is configured.  Members of the Compliance Administrators group can also test the availability of each EndPoint and change default preferences for scanning content.

NOTE:  ControlPoint Application Administrators can also configure EndPoints individually and update other configuration settings via ControlPoint Configuration Settings - Compliance settings.

To launch the ControlPoint Sensitive Content Manager Configuration dialog:

From the left navigation Manage tab, choose Compliance > Sensitive Content Configuration Maintenance.

Setting EndPoints

The Value of each Sensitive Content Manager EndPoint must be set to point to the server(s) on which Sensitive Content Manager is configured your environment.  Use the information in the following table for guidance.

SCM Configuration Settings

SCM Configuration Settings O365

 

Endpoint

Description

Value*

Sensitive Content Manager Upload EndPoint

The URL for the Sensitive Content Manager for sending files.

This corresponds to the File Upload URL specified at the time Sensitive Content Manager was installed.

http://<server.domain>

(or if installed on multiple servers:  
http://<server.domain>:port)

Sensitive Content Manager Results EndPoint

The URL for the Sensitive Content Manager service for retrieving files job results.

This corresponds to the Results Service URL specified at the time Sensitive Content Manager was installed.

http://<server.domain>

(or if installed on multiple servers:  
http://<server.domain>:port)

Sensitive Content Manager Profile EndPoint

The URL for the Sensitive Manager service for retrieving profiles.

This corresponds to the Profile Service URL specified at the time Sensitive Content Manager was installed.

http://<server.domain>

(or if installed on multiple servers:  
http://<server.domain>:port)

Sensitive Content Manager Search Terms

The URL for the Sensitive Content Manager service for retrieving rules used to identify a specific kind of sensitive content.

This corresponds to the Subquestion Service URL specified at the time Sensitive Content Manager was installed.

http://<server.domain>

(or if installed on multiple servers:  
http://<server.domain>:port)

* If you have upgraded from a pre-8.0 version of ControlPoint, default values that end with the text "onmetalogix.com" must be overwritten.

When you have finished setting EndPoints, click [Update].

Testing Availability of EndPoints, File Upload, and Results

From the EndPoint Testing tab, you can test the availability of each endpoint that you set, as well as whether files can be uploaded to/received from Metalogix Sensitive Content Manager.

If you click a [Test EndPoint] button and the status returns as Unavailable, make sure that the URL is correct and that the service is available on the Metalogix Sensitive Content Manager server side.

If you click [Test File Upload], ControlPoint will send a sample file to Metalogix Sensitive Content Manager, and will display a log of the action.  If you then click [Test File Results], ControlPoint will log the progress of the file's return.

SCM EndPoint Testing

Managing Scanning Preferences

ControlPoint can create columns called Scan Results and/or Terms Detected. Each time a scan is performed, the Severity Level is populated for the scanned item.

PII Scan Results

ControlPoint Application Administrators can allow this column to be created/populated by changing the value(s) of Automatically add Scan File Results column and update with severity level in SharePoint Lists and/or Automatically Add Terms Detected column and update with severity level in SharePoint Lists from false to true.

By default, ControlPoint Compliance Administrators have the options to Scan item for sensitive data when content is added and Scan item for sensitive data when content is updated or saved when creating ControlPoint Policies.  ControlPoint Application Administrators can, however, hide these options by changing the value of the ControlPoint Setting Allow use of ControlPoint Policies to automatically scan items added or updated in SharePoint lists from True to False.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating