We have a DLP Configuration Challenge I'd like to see if someone can assist with:
Background: Currently we encrypt outbound SMTP traffic by two automatic response rules and allow the email to bypass (DLP exception) if the email contains the keyword. All incidents are based on severity (Low=1-249, med=250-499, high=500+). We recently lowered the block threshold ‘without Send Secure in the subject line' to a medium severity. The encryption is accomplished by an Cisco IronPort rule that detects the presence of [Send Secure] in the subject line of the outbound email and encrypts the email accordingly. The DLP blocking auto response rule action is the same in that DLP inserts a value into the email's header and Cisco IronPort rejects the email. We currently do not use groups, so all policies apply to all users.
Project in a nutshell: We would like to drop the global exception (if email contains [send secure]) while allowing and enforcing Low severity email to still sent encrypted, keep the block the same, and have a means of allowing approved emails to be sent encrypted that exceed the block threshold. (special keyword, white list, . . . )