Exam 350-701 topic 1 question 211 discussion

It is B. Read chapter 5. Creating Data Loss Prevention Message Actions https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/216086-best-practice-guide-for-data-loss-preven.html

It is definetely A. deliver and add disclaimer text

I would choos A based on this: https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/216086-best-practice-guide-for-data-loss-preven.html#:~:text=Adding%20disclaimer%20text/HTML%20to%20the%20message -Sending bcc copies of the message. -Adding disclaimer text/HTML to the message.

IT is D, look this scenario: Sending copies (bcc) of messages to other recipients. For example, you could copy messages with critical DLP violations to a compliance officer's mailbox for examination. ----------------------- Not A, Not B, Because not mentioned about "send a copy of message" Not B, Although you guys mentioned about the below secondary action in your comments, But in the second option (B) there is not any sign of a copy of message (((Secondary actions include: Sending a copy to a policy quarantine if you choose to deliver the message. The copy is a perfect clone of the original, including the Message ID. Quarantining a copy allows you to test the DLP system before deployment in addition to providing another way to monitor DLP violations. When you release the copy from the quarantine, the appliance delivers the copy to the recipient, who will have already received the original message.)))

B without a doubt. Emails violating internal DLP policies shouldn't be delivered, otherwise what's the point? The provided link explains it perfectly: 5. Creating Data Loss Prevention Message Actions Create DLP Quarantines If you’d like to keep a copy of messages violating DLP policies you can create individual Policy quarantines for each type of policy violation. This is especially useful when running a ‘transparent’ POV, where Outbound messages violating DLP policies are logged and delivered but no action is taken on the messages.

the question states : ...The organization wants a copy of the message to be delivered... So B and C are excluded

I think B is correct (not too certain though) Primary actions include: Deliver Drop Quarantine Secondary actions include: Sending a copy to a policy quarantine if you choose to deliver the message. The copy is a perfect clone of the original, including the Message ID. Quarantining a copy allows you to test the DLP system before deployment in addition to providing another way to monitor DLP violations. When you release the copy from the quarantine, the appliance delivers the copy to the recipient, who will have already received the original message. https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_010001.html

As per the link Vl_Vershinin posted and under "Secondary actions include.."

Here I will choose "D". The question said the organization wants a "copy of the message to be delivered". Only option "D" would do "sending copies. Refer to "https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_010001.html#con_1304495", only this point can meet - "Sending copies (bcc) of messages to other recipients. (For example, you could copy messages with critical DLP violations to a compliance officer’s mailbox for examination.)".

Absolutely A!

deliver and add disclaimer text

as per https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/216086-best-practice-guide-for-data-loss-preven.html Primary actions include: Deliver Drop Quarantine For a read-only state where DLP violations are logged and reported but the messages are not stopped/quarantined or encrypted, the Deliver action is most often used. Secondary actions include: Sending a copy to any custom quarantine or the ‘Policy’ quarantine. Encrypt the message. The appliance only encrypts the message body. It does not encrypt the message headers. Altering the Subject header. Adding disclaimer text/HTML to the message. Sending the message to an alternate destination mailhost. Sending bcc copies of the message. Sending DLP violation notification to the sender and/or other contacts.

A or B

I prefer A

It is D https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_010001.html

its deliver because the questions says "wants a copy of the message to be delivered" and in the Configuration guide "Note If you select Deliver, you can choose to have a copy of the message sent to a policy quarantine. The copy of the message is a perfect clone, including the Message ID." then add disclaimer text because the question says "to be delivered with a message added to flag it as a DLP violation" and in configuration guide it says : "To include disclaimer text when delivering messages with DLP violations or suspected violations, specify disclaimer text in Mail Policies" so answer is A

Answer is D. In the referenced guide, it mentions that you can take two actions for DLP messages, primary and secondary. Here the primary would be "Deliver" and secondary "Sending DLP violation notification to the sender and/or other contacts." It also says: "For a read-only state where DLP violations are logged and reported but the messages are not stopped/quarantined or encrypted, the Deliver action is most often used." Since the question clearly states that message needs to be delivered, the answer cannot be B or C. We're left with A and D. I am picking D because the secondary action it specifies is the only that sends violation notifications.