
Sagar Karan

"Data security is more of a ‘people’s’ issue rather than a ‘technology’ issue"

 

Building An Effective DLP Programme
Organizations make substantial investments to ensure information security. However, most of these investments go towards securing the channel that delivers data to various partners and resources. Once data is passed to a third party, the partner can use it at their own discretion. This is like wrapping your sensitive information in a secured gift box and handing it over to third parties with a read receipt, while believing that the data has not moved outside the organization. Because such data does not expire and is not restricted, you are bound to lose data irrespective of any investment in security controls over the transport mechanism.

Protecting Sensitive Information?
One cannot restrict all data from moving out of the organization. If you are worried about data loss, there is no alternative to a good recruit. Data security is more of a “people’s” issue rather than a “technology” issue. You can use technology to trace and reduce instances of data leaks, but one should understand that the human mind is superior and technology is only trying to simulate human brain patterns. So, no matter what controls you set, there will still be instances of untraced information security breaches. However, this does not mean one should not invest in or explore technology options to build or enhance information security. Technology solutions around information security help mold people to work and think in a defined pattern.

Building A DLP Program That Delivers Real Operational Value
As a good practice, do not implement a DLP program just because everyone else in the industry is implementing one.

As a first step, understand your line of business. Write down what liability you run if you do not set up a DLP program.

If the outcome is no liability, then it is pretty clear that, no matter what strategy or tool you adopt, you will find it difficult to devise a program that delivers value for your business.

The key to achieving success in a DLP program is business buy-in along with loss value determination.

One needs to work hard to enhance understanding of the subject among management as well as end users. You may begin with a base program that alerts managers to data leak instances via email, internet or endpoints. Trending of data leak instances will help your organization correct, modify and reinforce certain policies, and at the same time help convey the operational value of the DLP program.

As a rule of thumb, a big bang approach seldom works. It is always a good idea to build prototypes that can be easily demonstrated to the business owners. Findings from data leak monitoring are better appreciated by business owners if they can assign a business value to each loss instance. Employees also appreciate this if they are able to correlate the consequences of their actions with the organizational data security policy.

There may not be a blueprint for a DLP program that delivers real operational value. However, for a program to be successful, it is essential to have a top-down approach with management buy-in.