
Umesh Mehta

"Work with the business people to plan out policies for identifying sensitive data and remediation actions"

Building An Effective DLP Programme
Data theft is one of the biggest threats in today's business environment. Ignorance, defiance, and a simple lack of concern are the primary causes of this information loss. The problem is further exacerbated by the adoption of smartphones, the widespread use of USB storage devices and easy access to the internet.

Companies are now deploying Data Loss Prevention (DLP) to mitigate the risk of data loss. The following sections outline key considerations for implementing DLP:

Understand the statutory, regulatory or contractual obligations applicable to the organization:
This includes requirements such as SEBI Clause 49, PCI and others. Contractual obligations and privacy laws also need to be studied, especially in industries that handle customer and client data.

Secure sponsorship from senior management or the executive team:
DLP is not an IT project; it is a business project. Before implementing DLP, we need to bring together stakeholders from business units such as HR for risk assessment and for creating policies to keep confidential information safe.

Identify and classify the data:
Not all the data in a company is confidential. Before implementing DLP, one needs to identify the types of data that could infringe regulations or leak intellectual capital and assets if exposed.

This could be done as follows:
• For existing data, DLP tools can be used to locate and catalog sensitive information.
• For new data, organizations can also use classification tools that force end users to classify data according to the company's classification policy.

Selecting the right DLP product and implementation vendor:
The process starts with documenting your requirements. For selecting vendors, one can use market research or independent research. You can also check whether the DLP product has been implemented in a similar industry.

Various DLP products can be tested by placing them in your network in passive monitor mode and loading up sample rule-sets that represent the kind of rules you'd like to deploy. This lets you compare products side by side, running equivalent rules on the same traffic.

Design policies and deploy:
Work with the business people to plan out policies for identifying sensitive data and remediation actions. Many organizations start by only monitoring and notifying on data loss; others put in place policies that block the data.

In many cases, IT staff cannot judge the sensitivity of the information; in such cases business people need to be involved.

Educate users:
User awareness of the information security policy, the classification policy and DLP is critical to the success of the DLP strategy. Training ensures that employees are aware of DLP and its policies, and will also help you refine your policies to match business needs.

Report, remediate and refine:
Exception reports about the movement of confidential and sensitive documents, including who views, prints and emails them, should be presented to business leaders. This will help you make your DLP implementation more effective.
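The steps above (locating sensitive data with rules, trialling products in passive monitor mode on the same traffic, choosing monitor-and-notify versus block per policy, and producing exception reports for business leaders) can be seen end to end in a small content-inspection engine. The following is an added example and not code from the article or from any DLP product; the events, rule names, users, recipients and the choice of which rule blocks are all constructed for illustration.

```python
"""Toy DLP content-inspection engine: a small rule-set, monitor/block
actions, a passive (test) mode and an exception report.

Added example, not code from the article or from any DLP product.
All events, rule names and actions below are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List

# Constructed sample events: what a DLP agent sees as data moves
# (who, over which channel, to whom, and the content in transit).
SAMPLE_EVENTS = [
    {"user": "asha", "channel": "email", "recipient": "partner@example.net",
     "content": "Invoice attached. Card on file: 4111 1111 1111 1111"},
    {"user": "ravi", "channel": "usb", "recipient": "removable-drive",
     "content": "CLASSIFICATION: CONFIDENTIAL\nQ3 pricing strategy draft"},
    {"user": "asha", "channel": "print", "recipient": "floor-2-printer",
     "content": "Lunch menu for the offsite"},
    {"user": "meena", "channel": "email", "recipient": "hr@example.com",
     "content": "Reference number 1234 5678 9012 3456, not a card"},
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# 13-16 digits, optionally separated by spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def has_valid_card(content: str) -> bool:
    """PCI-style detector: pattern match plus Luhn check to cut false positives."""
    for m in CARD_RE.finditer(content):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            return True
    return False

def has_confidential_label(content: str) -> bool:
    """Honours labels applied by a classification tool when the file was created."""
    return re.search(r"^CLASSIFICATION:\s*(CONFIDENTIAL|RESTRICTED)\b",
                     content, re.M | re.I) is not None

@dataclass
class Rule:
    name: str
    action: str                       # "monitor" (log only) or "block"
    matcher: Callable[[str], bool]

# Constructed rule-set: block card numbers outright, only watch labelled documents.
RULES = [
    Rule("pci-card-number", "block", has_valid_card),
    Rule("labelled-confidential", "monitor", has_confidential_label),
]

@dataclass
class Finding:
    user: str
    channel: str
    recipient: str
    rule: str
    action: str     # "blocked", "logged", or "would-block" in passive mode

def inspect(events, rules=RULES, passive: bool = False) -> List[Finding]:
    """Run every rule over every event. In passive mode nothing is enforced;
    block decisions are recorded as "would-block" so products can be compared
    on the same traffic before any policy goes live."""
    findings = []
    for ev in events:
        for rule in rules:
            if not rule.matcher(ev["content"]):
                continue
            if rule.action == "block":
                action = "would-block" if passive else "blocked"
            else:
                action = "logged"
            findings.append(Finding(ev["user"], ev["channel"],
                                    ev["recipient"], rule.name, action))
    return findings

def exception_report(findings: List[Finding]) -> dict:
    """Aggregate for business reviewers: who moved what, over which channel."""
    return {
        "by_user": dict(Counter(f.user for f in findings)),
        "by_channel": dict(Counter(f.channel for f in findings)),
        "by_rule": dict(Counter(f.rule for f in findings)),
        "blocked": sum(1 for f in findings if f.action == "blocked"),
    }

if __name__ == "__main__":
    for f in inspect(SAMPLE_EVENTS):
        print(f)
    print(exception_report(inspect(SAMPLE_EVENTS)))
```

Running it shows the card number being blocked on the email channel, the labelled document on USB being logged but allowed, and the Luhn check discarding the reference number that merely looks like a card. Switching `passive=True` turns the block into a "would-block" record, which is the mode in which competing products can be loaded with the same rule-set and judged on identical traffic before anything is enforced.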

Implementing DLP solutions is a complex process and is prone to fail if hurriedly implemented. Careful planning and the involvement of stakeholders are critical to the success of a DLP programme.