"While DLP solution does improve controls, it is not a silver bullet for data protection"
Building an effective DLP programme
A financial services organization like an insurance company collects a lot of sensitive data about its customers, distributors and employees, among others. This data is converted into meaningful information that is of immense value to the organization. Given the nature of this data and the regulatory compliance requirements of the insurance business, it is imperative that this sensitive information is protected at all times.
The risk of losing data to a competitor or a hacker is very real in today's world, and the repercussions are enormous. A Data Leakage Prevention program should top the list of priority initiatives for all insurers, and CIOs should take the lead here.
The way to go about protecting data is to first identify it, classify it by confidentiality, and understand the pathways through which it is collected and consumed. The dynamics of the boundary-less organization and the explosion of newer trends like BYOD, social networking and cloud computing add to an already complex subject.
A Data Leakage Prevention program can consist of multiple solutions and processes. It can start from basic building blocks like access controls based on least privilege and encryption in transit and at rest, and extend to more sophisticated data leakage prevention tools like Information Rights Management (IRM). A Data Leakage Prevention tool can restrict unauthorized data exfiltration, whereas an IRM tool controls what authorized personnel can do with data they have already received, effectively covering post-distribution scenarios.
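To make the distinction between the two control points concrete, here is an added illustration (not code from the article or from any product): a DLP gate that decides whether a document may leave at all, and an IRM check that decides what the recipient may do with it afterwards. The classification scheme, domains, rights vocabulary and sample document are all constructed assumptions.

```python
# Added illustration, not code from the article: the two control points it contrasts.
# DLP decides at the boundary whether data may leave at all; IRM decides, after the
# document has been distributed, what its holder may do with it. All names are constructed.
from dataclasses import dataclass, field

PUBLIC, INTERNAL, CONFIDENTIAL = "public", "internal", "confidential"
OWN_DOMAIN = "insurer.example"          # constructed organization domain
PARTNER_DOMAINS = {"broker.example"}    # constructed trusted distributor domains


@dataclass(frozen=True)
class Document:
    name: str
    classification: str
    # IRM: rights are attached to the document and travel with it (default deny).
    rights: dict = field(default_factory=dict)


def dlp_allow_transfer(doc: Document, recipient: str) -> bool:
    """Boundary control: may this document be sent to this recipient at all?"""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if doc.classification == PUBLIC:
        return True
    if doc.classification == INTERNAL:
        return domain == OWN_DOMAIN or domain in PARTNER_DOMAINS
    return domain == OWN_DOMAIN  # confidential data never leaves the organization


def irm_allow_action(doc: Document, principal: str, action: str) -> bool:
    """Post-distribution control: the principal already holds the file; the question
    is whether this action (view, print, copy, forward) was granted to them."""
    return action in doc.rights.get(principal, frozenset())


def evaluate(doc: Document, recipient: str, actions: tuple) -> dict:
    """Egress decision first, then the rights the recipient would hold afterwards.
    Without IRM, anything the DLP gate lets through is uncontrolled thereafter."""
    delivered = dlp_allow_transfer(doc, recipient)
    return {"delivered": delivered,
            "actions": {a: delivered and irm_allow_action(doc, recipient, a) for a in actions}}


# Constructed sample: a confidential claims report whose IRM policy grants one internal
# analyst view and print only (no copy, no forward).
CLAIMS_REPORT = Document("claims_q1.pdf", CONFIDENTIAL,
                         rights={"analyst@insurer.example": frozenset({"view", "print"})})

if __name__ == "__main__":
    print(evaluate(CLAIMS_REPORT, "analyst@insurer.example", ("view", "print", "copy")))
    print(evaluate(CLAIMS_REPORT, "auditor@broker.example", ("view",)))
```

The analyst receives the report but is refused "copy" by the IRM policy, while the partner-domain auditor is stopped at the DLP gate and never receives it.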
One of the crucial aspects of the program is educating users on how to handle data and how to use the various tools implemented. Properly implemented tools and processes will prevent inadvertent or wilful data leakage.
In summary, financial services organizations should first assess the nature of the information they generate and who consumes it. Access to information must be limited and, as far as possible, restricted to on-screen enquiries. Requests from non-IT users to read production databases need to be monitored and controlled. Issues of leakage crop up when too much information is generated within an enterprise with no mechanisms to manage it. While a DLP solution does improve controls, it is not a silver bullet for data protection. Complementary efforts to institutionalize structured data governance, along with stringent policies, will make a DLP program successful.