Building an Effective DLP Program
Data Loss Prevention (DLP) is a comprehensive process, not a technology or a "set and forget" program. Implementing DLP technology as an IT initiative in isolation from the lines of business leads to shortcomings such as a misalignment between the actual business risks and the detection rules programmed into the DLP platform, which in turn results in inadequate reporting.
The reported incidents also have to be backed by stringent actions from the Risk and HR teams. IT is the custodian and will manage the platform and its configuration, but the lines of business are responsible for deciding on the business rules and on the resolution of data loss events. The operational role of each stakeholder should be clearly defined before any DLP tool is selected or deployed.
A holistic approach, together with a comprehensive solution, was required to identify and classify sensitive and personal data and to limit its use throughout the company, by:
• Identifying and analyzing data at all control points, including at the endpoint, at rest, at the gateway and on the network.
• Reducing the risk of high-profile losses of Personally Identifiable Information and medical information.
• Preventing the inadvertent or malicious disclosure of sensitive information.
• Addressing statutory and industry-specific regulations.
• Preventing violations of corporate security and HR behavioral policies.
Challenges and the Problem of Implementing the Technology without Processes
• Vendor implementation methodologies focus on the technology rather than on mitigating business risk.
• Lack of process discipline and of a sense of data ownership within the organization.
• Leading cultural change within the organization and adapting to new security solutions.
• Lack of commitment and buy-in from senior and middle management in the lines of business.
• A failure by implementation teams to seek advice on the critical success or failure factors in DLP implementation projects.
Key Success Criteria:
• Active participation of the CFO and the CEO.
• IT maintains the platform and its configuration, but the lines of business are responsible for deciding on the business rules and resolution of data loss events.
• Identify the operational role of each stakeholder, and develop and communicate clearly defined, business- and use-case-specific DLP processes before selecting or deploying any DLP tools.
• Implementation and operational responsibility for DLP should NOT be allocated solely to IT. If the lines of business do not actively support the project by assisting in the development of processes, defining DLP rules and committing the resources needed to meet their responsibilities, consider ceasing the project.
• Formal, documented and signed-off processes for the management and use of the DLP platform once it becomes operational are what allow the organization to derive full value from it. Use the defined processes as the foundation for operational management and reporting, both to drive value from the technology and to ensure that it is managed securely.