Policy Definition Document
Document version: v0.1
Target Product: SHIELD Gate
Scope: Business System Control (Top Level) · App Conditional Policy · URL Input Field Conditional Policy
SHIELD_Gate_Policy_Definition_Work_System_Conditional_Policy_v0.1.xlsx
0. Document Overview
- This document is SHIELD GateConditional Policy for Business SystemsThe policy items that can be set by the administrator, by itemWhat to do / How it appears to the user or is blocked / Product recommendationsThis is the policy consultation sheet organized with __PH_0__.
- During the introduction process, the client representative is responsible for each item.
적용 정책Enter the adoption value in the column to finalize the policy.
Default Provision vs Option (Separate Introduction) Distinction
The following items are**Not a standard feature and requires separate implementation (optional)**Available only during the time. In the table[옵션]is represented as.
| Option items | Content |
|---|---|
[옵션] SHIELD Viewer | Viewer for previewing in read-only mode without downloading the file |
[옵션]SHIELDGate File Cabinet (SHIELDrive) | Isolated storage for storing downloaded files in an isolated environment |
[옵션]CDR Decontamination | File Sanitization Engine. Required when using CDR download. |
If the option is not introduced, the corresponding repository and inspection options will not be displayed on the policy screen or will be unavailable for selection. Please confirm the scope of introduction with the sales/deployment team.
1. Overview of Conditional Policies and Application Principles
1.1 Policy 3-Tier Structure
| division | Explanation | User Screen · Actions When Applied | Note |
|---|---|---|---|
| Business System Control Conditional Policy (Top Level) | Access permission for the app·URL input field menu itself, limit on the number of simultaneous screens | If the menu is blocked, entry is not possible regardless of the sub-policy. | |
| App Conditional Policy | Access and Isolation Security Policy by Registered App | Access, Block, Authenticate according to policy when clicking the app | Target = App / App Group |
| Conditional Policy for URL Input Field | Site-specific Access and Isolation Security Policies via URL Input Field | Input Address · Access · Block · Authentication According to Policy | Target = All Sites / Registered Sites·Groups / Web Categories |
⚠️ Top Priority Principle: Menus (app/URL input fields) that are not allowed in the top-level control policy cannot be accessed by users, regardless of how many subordinate conditional policies are set.
1.2 Priority Principle
| item | Explanation | Note |
|---|---|---|
| Priority Number | The smaller the number, the higher the priority (1 > 2 > 3 …) | Drag and drop · Quick move for adjustment |
| Collision Handling | If multiple policies apply under the same conditions, the most restrictive policy takes precedence. | Exception policies are placed with high priority |
| Search Filter Status | Priority changes are not possible while applying search filters. | Need to clear all filters when changing |
1.3 Policy Evaluation Flow
- User Access (App Click or URL Input)
- Top-level control policy determination → Menu access permission status · Screen count verification
- Members·Conditions (Location·Time·Device) Judgment → Application Policy Determination
- Access Policy Enforcement (Allow / Block / Additional Authentication)
- Usage Policy (Isolation Security Policy) Enforcement (Keyboard, File, Clipboard, etc.)
- Execution Result Reflection and Log Recording
2. Business System Control Conditional Policy (Top Level)
The top priority control policy that limits the number of screens that can be opened simultaneously and the work systems (app·URL input field) accessible by each member.
| division | Setting Options | Explanation | User Screen · Actions When Applied | Recommended Policy | Note |
|---|---|---|---|---|---|
| Policy Name | text | Unique name for policy identification (no duplicates allowed) | — | Name the target to be identifiable | mandatory |
| Members | All Users / Users·Groups (Assign·Exclude) | Policy Application Target Designation | Applied only to assigned members, excluded ones are not applied. | group unit | 'All users' cannot be excluded |
| Target Business System — App | Allowed / Not Allowed | Access Permission for Registered App List | Access to app menu is not allowed. | Allow Work Necessary Group | If not allowed, app conditional policy invalidation |
| Target Business System — URL Input Field | Allowed / Not Allowed | Direct URL Input Feature Access Permission | If not allowed, URL input field cannot be used | Decision Based on Policy | Invalid URL conditional policy when not allowed |
| Condition — Location | No Limit / Registration Location | Policy Application Scope Based on Connection IP | Conditions outside the location are not applied | Review of separation between in-office and remote work | Management Center [Condition Item] Registration |
| Condition — Time | No Limit / Registration Time | Application Scope of Policy Based on Connection Time Zone | Conditions outside of the time zone are not applied. | Specify Working Hours | same |
| Condition — Device | No Limit / Desktop·Tablet·Mobile | Scope of Policy Application Based on Access Devices | Devices outside the conditions are not applicable. | Review limited to work terminals | same |
| Number of Concurrent Screens | No limit / Up to N items (1 or more) | Number of isolated browser screens that can be viewed simultaneously | Display "Screen Opening Limit Notification" modal when trying to open a new screen after reaching the limit (close the existing screen and retry) | Differentiation by Job Category (See Notes Below) | Resource Protection |
| Usage Status | Use / Do not use | Policy Activation Status | Not operational when unused | use |
3. Policy Basic Information (App / URL Input Field Common)
| division | Setting Options | Explanation | User Screen · Actions When Applied | Recommended Policy | Note |
|---|---|---|---|---|---|
| Policy Name | Text (up to 20 characters) | Unique Name for Policy Identification | — | Name to identify target and grade clearly | mandatory |
| Explanation | Text (up to 200 characters) | Policy Additional Explanation | — | Operating Intent Documentation | Selection |
| Members — Assignment | All Users / User·Group Selection | Specify the target for policy application | Policy actions only for assigned users | Minimize Target Scope | Group Unit Recommendation |
| Members — Exclude | User·Group Selection | Target for policy non-application regardless of allocation | Excluded members have no policy impact. | Specify exceptions only | 'All users' cannot be excluded |
| Target (App) | App / App Group (Multiple) | Specify the app to which the policy will be applied | Apply policy only to selected apps | Separation by business app | App Policy Only |
| Target (URL) | All Sites / Registered Sites·Groups / Web Categories | Specify the site to which the policy will be applied | Apply policy only to selected targets | Default Block (All Sites) + Selective Allowance | URL Policy Only |
Target Setting Strategy (URL): Set "All Sites = Block Access" to a low priority, and allow specific sites and categories with a separate policy at a high priority.
4. Conditions (Connection Environment)
| division | Setting Options | Explanation | User Screen · Actions When Applied | Recommended Policy | Note |
|---|---|---|---|---|---|
| Location | All Locations / Registered Locations (Exception Selection) | Limit Policy Application Scope Based on Connection IP | The policy does not apply outside of the specified conditions. | Separation by location such as in-office and remote | Register Location in the Management Center [Condition Items] |
| time | All Time / Registered Time (Exception Selection) | Limit the scope of policy application based on the access time zone. | The policy does not apply outside the specified time zone. | Specify Working Hours | Management Center [Condition Item] Register Time |
| device | All Devices / Desktop / Tablet / Mobile | Policy Application Based on Type of Access Device | Policy not applied to devices outside the conditions. | Review limited to work terminals (Desktop) |
5. Execution Policy — Access Policy
| division | Setting Options | Explanation | User Screen · Actions When Applied | Recommended Policy | Note |
|---|---|---|---|---|---|
| Access Permission | Access Allowed / Access Denied | Determining Target Accessibility | Access unavailable when blocked, display guidance page | Work Target Allow / Non-Work Block | Top-level control |
| Additional Authentication | Not Used / Email Verification / OTP Verification | Additional identity verification required upon access approval | Display authentication screen → Access after authentication. If failed, "Authentication has failed." popup, access not possible. | General target not used / Sensitive target OTP | Can only be set in the access permission policy. |
| Email Verification (Detailed) | — | Display of authentication code input field, time limit 5 minutes | Enter the code within 5 minutes. If not received, 'Resend verification code' | — | Environment required for receiving emails |
| OTP Authentication (Detailed) | — | Enter the authentication code after registering the initial QR code and recovery key. | Initial registration screen → Then enter OTP code | Recommended for High Security Targets | Authentication app required |
6. Isolation Security Policy (Usage Policy)
After access is granted, it controls user behavior within the isolated browser. All items are set to allow/block (or enable/disable).
| division | Setting Options | Explanation | User Screen · Actions When Applied | Recommended Policy | Note |
|---|---|---|---|---|---|
| Keyboard Input | Allow / Block | Control of Keyboard Input in Isolated Browser | Input not allowed when blocked, display "Input is prohibited due to policy." at the bottom center. | Read-only target is blocked | |
| Site Navigation | Allow / Block | Control of Moving to External Sites in the Target Domain | Allowed: Free movement / Blocked: Only representative and related URLs can be accessed, external movement will show "This action is prohibited by policy." guidance page | Blocking Work System / Allowing Search and Portal | High impact in URL policy |
| File Upload | Allow / Block (+Extension Restriction, Storage) | Control of File Uploads to Isolated Environments | Cannot upload when blocked / Only specified extensions and storage are allowed when permitted | Allowed only when necessary for work | Repository: My PC Files /[옵션]SHIELDGate File Cabinet |
| File Download | Allow / Block (+Extension Restriction, Storage) | File Download Control in Isolated Environments | Blocked: "This action is prohibited by policy. Downloading is prohibited by policy." Guidance page (returns upon closing) | Differentiated by target grade | Repository details are below |
| └ Repository: My PC File Folder | Selection | Download to User's Local PC | Save file locally | Low-risk subjects only | Provided by default. Highest risk of leakage. |
| └ Repository: SHIELDGate File Storage | Selection (SHIELDrive designation) | Save to SHIELDrive storage | Store in isolated storage instead of local | Recommended Security Targets | [옵션] **Separate introduction.**Members must be assigned to SHIELDrive storage to be available. |
| └ Repository: SHIELD Viewer | Selection | Read-only preview instead of download | View without receiving the original file | Recommended for subjects that only require viewing | [옵션] **Separate introduction.**Subdivide into 3 options |
| └─ PDF Download | Allow / Block | Download the original as a PDF after conversion | Only available for receipt as PDF when allowed. | allowed | Default: Allow (within SHIELD Viewer options) |
| └─ Download Original | Allow / Block | Download the original document as is | Cannot receive original when blocked | Block | Default: Block |
| └─ CDR Download | Allow / Block | Download after CDR declassification processing | Possible to receive a decontaminated version upon approval | Block | Default: Block.[옵션] CDR engine required |
| Clipboard — Isolation → PC | Allow / Block | Copy from the isolated browser to PC | Copying is not allowed when blocked, display "Clipboard usage is prohibited due to policy." at the bottom center. | Block | Data Export Path |
| Clipboard — PC→Isolation | Allow / Block | Pasting in an Isolated Browser on PC | Cannot paste when blocked | allowed | Input Convenience |
| Input Sensitive Information Check | Allow (Inspection) / Unused (+ Regular Expression Selection) | Check and block input text with regular expressions | Input Blocking and Audit Log Recording During Pattern Matching | Used for entering sensitive information | [옵션] **Master Page Overlay (Company Unit) Introduction.**Regular expression · Target domain is managed in [Input Sensitive Information Management] |
| Session Maintenance | Used / Unused (+ Idle Time Min) | Data Protection with Screen Lock During Inactivity | Screen lock after idle time, return with 'Refresh' | Use (according to idle time policy) | Minute setting |
| Screen Marking | used / unused | Display user identification watermark on the screen | Username·Email watermark displayed on the screen | use | The display method is customized in [Security Screen Settings]. |
| Print Watermark | used / unused | Inserting User Identification Watermark in Printed Materials | Print with watermark included | use | The display method is customized in [Security Screen Settings]. |
| Video Conference Mode | used / unused | Video Conference Performance Optimization Mode | No shortcut icon for SHIELDGate in the upper right corner when active. | Use only for video conference participants | Performance Optimization Purpose |
| Context Menu | Use / Unused (+ Area-specific ON/OFF) | Right-click menu control by area | OFF area does not display right-click menu, blocks associated shortcut keys (e.g., Print OFF → blocks Ctrl+P) | Use (Sensitive Items OFF) | The details of the area are below |
6.1 Context Menu Area
| area | Representative Menu | User Screen · Actions When Applied | Recommended Policy | Note |
|---|---|---|---|---|
| Page Background Area | Back, Forward, Refresh, Print, View Page Source, Inspect | Display right-click menu when ON / Hide when OFF · Block linked shortcut keys | View Page Source · Inspect OFF | Clicking the top navigation button is not blocked (only keyboard shortcuts are blocked) |
| Text Selection Area | Copy, Print | Display on right-click after text drag / Not displayed when OFF | Sensitive Target Copy/Print OFF | |
| link | Open in new tab, Copy link address | Display on right-clicking the link / Not displayed when OFF | Maintain default value (ON) | |
| image | Save Image, Copy Image | Right-click on the image to display / Not displayed when OFF | Download block target is storage OFF | |
| video | Play/Pause, Save Video | Right-click on the video to display / OFF to hide | Maintain default value (ON) | |
| Audio | Play/Pause, Save Audio | Right-click on the audio to display / Not displayed when OFF | Maintain default value (ON) | |
| Input Field | Cut, Copy, Paste | Right-click on the input box to display / Not displayed when OFF | Clipboard Policy and Compliance Settings |
Hide the right-click menu for the area when all items in the area are OFF.
전체 ON / 전체 OFF / 초기화provided.
7. Policy Settings
| division | Setting Options | Explanation | User Screen · Actions When Applied | Recommended Policy | Note |
|---|---|---|---|---|---|
| Usage Status | Use / Do not use | Policy Activation Status | Policy does not work when not in use | use | |
| Expiration Date | Not set / Period setting | The duration of policy operation | Does not operate outside the period | Not set (indefinite) | Set limited-time policy only |
8. Policy Operation and Management (Reference)
| division | Explanation | Note |
|---|---|---|
| Priority Management | Drag and Drop, Move to Top/Bottom, Directly Move Number | Only possible when the search filter is disabled. |
| Management of Default Execution Policy | Automatic application of default execution and isolation security policies when registering a new policy | App·URL defaults are independently managed |
| Policy Search | Search by policy name, members, target, conditions, execution policy, and usage status. | AND between filters, OR within filters |
| Policy Application Status Inquiry | Period-specific Applied/Not Applied Policy Inquiry · Excel Download | Managing Complexity through Non-Application Policy Summary |
| Import·Export | JSON (Backup·Restore) / Excel (Status·Reporting) | ZIP for multiple selection |