Every organization, regardless of size or industry, needs a data loss prevention (DLP) strategy to prevent data from being improperly accessed or deleted. The strategy primarily focuses on the protection of valuable and sensitive data. DLP typically involves both technologies and policies. For example, common techniques include configuring user workstations to block the use of USB devices and having formal policies regarding sharing confidential data via email.
This whitepaper walks through the basic strategies that can be adopted to get an effective DLP process (tied to a DLP policy) up and running, and to help you comply with global regulations and standards, viz. GDPR, CCPA, SOC, SSAE, PCI and so on.
Baseline for developing a data protection strategy using DLP
Identify – Identify what information needs to be protected based on the risk posed to the business, and then build business and functional requirements accordingly. You also need to identify all the places where that information can reside.
Develop – Develop a DLP program that can meet the business needs of the organization and ensure that all DLP implementation and operational responsibilities are not solely allocated to IT.
Closure – Ensure that “the loop is closed” by having management reporting that leads to the resolution of systemic information security weaknesses.
Analysis for an effective DLP program
Build Business and Functional Requirements That Reflect Your Purpose.
DLP should be implemented as a business risk management process designed to address unauthorized information movement. Some examples that illustrate the analytical process for understanding information risk controls include:
- Discovering the presence, use and location of sensitive information across the organization.
- Controlling the flow of sensitive information.
- Capturing evidence of an information transfer to support internal investigations.
Implement Five Simple Processes to Help Use DLP Effectively
There are five processes that one should document, implement and audit.
A High-Level Process to Provide Context
As part of this high-level process:
- Risky business processes are identified by the business.
- Sensitive data associated with these business processes is analysed.
- The set of existing DLP policies is reviewed, edited and tested.
- Any requirement for review of events, policy breaches or resolution related to specific business processes or datasets is identified.
A Process to Create or Update DLP Policies
The purpose of this process is to create and update policies to ensure that:
- A line-of-business “owner” for the policy is assigned, and responsibilities and expectations regarding events are clearly understood.
- The policy is relevant and aligned with business risks.
- A metric exists to determine the effectiveness of both the policy and the rule.
A Process to Provision and Deprovision Access to the DLP Platform
This process is used to manage authorized access to the console for administration and policy breach review and resolution, and to remove access when it is no longer needed.
A Process to Maintain Effective Detection of Sensitive Data
Every organization experiences changes in data risk over time. This process should establish, based on experience, the best approach to reliably detect new sensitive data.
A Process for Triage and Resolution
Every event generated must be processed. Depending on the nature of the event, it may be:
- Closed during initial triage.
- Handed off to second tier operational risk and technical staff.
- Sent to investigation staff if malfeasance is suspected.
Documentation and audit of this process are critical to a successful implementation, since a line of business, when notified of an event that must be addressed, may seek specific advice from the security team on a proposed solution.
Implement Reporting Linked to DLP Policies
The triage and resolution process should feed into security-oriented or risk-oriented reporting so that the value returned from the platform, as expressed by outcomes from each rule and the overall goals, may be demonstrated. Ensure that you can provide some indication of the risk benefits that have been derived from the DLP platform and the broader DLP process.
Kanoo Elite has several years of experience in providing information security and privacy services to many clients in the Middle East.
Our digital risk management services focus on strategy and design, execution of threat mitigation strategies and continuity of operations.