
Kaushal Chaudhary

Building An Effective DLP Programme
Heavy dependence of business on IT produces two types of threats – visible and invisible. 'Visible' threats directly interfere with our ability to do business. For example, threats from viruses or spam mail are visible because they slow down or disrupt services; business leaders see the threat clearly and sanction funds to contain it. 'Invisible' threats such as data theft, which can cause tremendous damage, generally draw no attention because they do not disrupt services.

Hence every organization that handles sensitive data needs an effective DLP program that addresses this 'invisible' but serious threat. Sensitive data is data that must be protected to ensure regulatory compliance, reduce operational impact on the business and avoid adverse publicity, with its knock-on damage to the organization's brand and reputation and, ultimately, loss of business opportunities.

A DLP program is a systematic way of identifying sensitive data and monitoring and protecting its confidentiality, integrity and availability, whether the data is in motion, at rest or in use. An effective DLP program strategy consists of the following activities:
• Carry out a needs analysis: this includes data profiling and a comparison of the cost of the risk with the cost of the DLP solution. Different organizations hold different kinds of data, and leakage of that data has a different impact on each organization's risk.
• Identify sensitive data: during this step, prepare a data classification standard and handling process for the organization if none exists already. Ownership of each class of data and the process for handling it should be defined.
• Consider governance issues: this is the most important success factor for an effective DLP program. Roles and responsibilities for all actors in DLP operations should be clearly defined, and the process for oversight and management review should be clearly documented.
• Increase employee awareness: a DLP program is generally resisted by employees, for obvious reasons, yet their support is crucial to its effectiveness. A short and pointed Acceptable Use Policy should be carved out from the security policy, and every employee should be required to read and sign it as a joining formality.
• Service Level Agreement with the vendor: the SLA should clearly define the data protection requirements, the vendor's role throughout the implementation programme, the consequences of failing to provide the protection the vendor claims, and the breach notification requirements.
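The column describes DLP as identifying sensitive data and monitoring it in motion, and makes a classification standard the core of the "identify sensitive data" step. The following Python sketch is an added illustration, not material from the column or its author, of what that standard looks like once it is turned into executable content-inspection rules: a payment-card rule that pairs a digit-run pattern with a Luhn checksum so that order numbers and tracking IDs are not flagged, a rule for explicit handling markings, and a per-channel decision. The four-level classification standard, the rule set, the channel policy in decide(), and the sample traffic are all assumptions made for the example.

```python
"""Content-inspection rules for the 'identify and monitor' steps of a DLP
program. Added example: the classification levels, rules, channel policy and
sample traffic below are assumptions, not any product's or organization's."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sensitivity levels of an assumed data-classification standard, lowest first.
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Explicit handling marking that the assumed standard requires on documents.
MARKING_RE = re.compile(r"\b(CONFIDENTIAL|RESTRICTED)\b")


@dataclass(frozen=True)
class Finding:
    rule: str
    level: str
    snippet: str  # what goes into the event record (card numbers are masked)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most arbitrary digit runs that CARD_RE matches,
    which is what keeps the rule from flooding reviewers with false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list[Finding]:
    """Run every rule over one message body and return the findings."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding("payment-card", "RESTRICTED", masked))
    for m in MARKING_RE.finditer(text):
        findings.append(Finding("handling-marking", m.group(1), m.group(1)))
    return findings


def classify(text: str) -> str:
    """Highest level any rule assigns; PUBLIC when nothing matches."""
    found = scan(text)
    if not found:
        return "PUBLIC"
    return max((f.level for f in found), key=LEVELS.index)


def decide(text: str, channel: str) -> str:
    """Assumed policy: RESTRICTED data never leaves over mail or web;
    CONFIDENTIAL and above is allowed but raises an alert for review."""
    level = classify(text)
    if level == "RESTRICTED" and channel in ("smtp", "http"):
        return "block"
    if LEVELS.index(level) >= LEVELS.index("CONFIDENTIAL"):
        return "alert"
    return "allow"


# Constructed outbound traffic for the example: (channel, body).
SAMPLE_TRAFFIC = [
    ("smtp", "Order 1234567890123 shipped; tracking at https://example.invalid/t"),
    ("smtp", "Customer card 4111 1111 1111 1111 exp 12/27 for refund"),
    ("smtp", "Card on file 4111-1111-1111-1112 (typo?)"),  # fails Luhn: not a card
    ("usb", "CONFIDENTIAL: Q3 pricing sheet"),
]


def monitor(traffic):
    """One pass of the monitoring loop: (channel, decision, findings) per item."""
    return [(ch, decide(body, ch), scan(body)) for ch, body in traffic]


if __name__ == "__main__":
    for ch, verdict, found in monitor(SAMPLE_TRAFFIC):
        print(ch, verdict, [(f.rule, f.snippet) for f in found])
```

Run as a script it prints one line per sample message: the 13-digit order number and the mistyped card number produce no finding, the valid card is masked and blocked on SMTP, and the marked document on USB is allowed but alerted. Without the Luhn check the first message would also be blocked, which is the kind of noise that makes employees work around the control and leaves the program with a false sense of security.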

Real Operational Value Of A DLP Program
Merely installing a good DLP solution does not make the DLP program effective. In fact it gives a false sense of security, which is worse than no security. Hence a holistic approach is required for its implementation. The four most important factors that produce real operational value from the program are:
• Top management sponsorship
• Involvement of all employees
• Continuous monitoring
• Communication of learning from incidents