Why Are My SSN and CCN Policies Not Triggering?

Some common reasons why these policies do not trigger incidents.

There are a few reasons why a Social Security Number (SSN) or Credit Card Number (CCN) policy may not trigger incidents. Almost always the flaw lies in the policy creation and the content of the files being scanned for the policy. Here are a few examples of what might be causing the policy not to trigger:

Valid SSNs and CCNs

Often after the initial set up of a SSN or CCC policy an admin will run a test to verify the policies function correctly. However, plugging in any random numbers as false socials or credit cards will not render a valid violation for these policies. The policies require that actual SSN and CCNs be in the files being scanned. For testing purposes, websites can provide generated but valid numbers (such as http://www.theonegenerator.com/ssngenerator).

Threshold

The threshold of a policy determines the importance of the number of times a social or credit card number appears in a file. The default threshold is 1, which means that it will only take 1 instance of a social or credit card number for the policy to trigger. Setting the threshold to 5 for example, would require that 5 different social security numbers are scattered throughout the document before it is considered a violation. It is possible a policy may not be triggering an incident if the threshold is set to high, 3 or 4 perhaps, and most of the documents in the environment only have 1 or 2 socials or credit cards listed.

Tolerance

The Tolerance of a policy determines how wide or narrow the search parameters are for the content in question. For example, a Lenient Tolerance may solely search for a social security number in a document with perhaps one extra validation check. This can produce a lot of false positives and a long list of incidents. The default Tolerance is Strict, which usually requires both the social or credit card number and a few key words or phrases in close proximity. For example, a policy with Strict Tolerance may not pick up on a spreadsheet with a list of credit card numbers, however, if there were a second column that listed the credit card type, (e.g. Visa, MasterCard, etc), which are some of the key phrases needed for Narrow breadth in a credit card number policy, then the file is likely to be flagged.