Building an effective DLP programme
As the scale and sophistication of data-stealing attacks on businesses continue to rise, I see DLP commonly expanded as Data Leak Prevention, and right there I have an issue, and it is with the word “Prevention”. You cannot prevent data loss; you can reduce or minimize incidents of it, but you cannot prevent it. And it is not just semantics: it sets the tone for how you sell such an initiative and shapes expectations among key stakeholders, including senior management. So it is better to communicate this as a Data Loss Protection initiative.
The initial challenge is to show value and get funding for the initiative. The common measure is the reduction in the number of data loss incidents multiplied by the impact per incident.
Practically, I advise a show-and-tell approach. Most product vendors would be happy to assist you with a proof of concept that you can implement at a specific location in monitor-only mode. You are bound to see potentially interesting information, which you can present to the highest levels of management to get traction for the initiative.
Next, narrow down your scope of deployment into phases and start with a small set of achievable goals. The key is to go top down: reach out to all the functional heads, and let each of them appoint a DLP champion who can shepherd the process within the function.
Start with a limited set of policies. Data of strategic importance that is routinely reviewed by senior management, customer data, PII, compensation data, data covered by applicable regulations etc. could be in the initial list.
Decisions on which specific DLP controls to deploy should be based on where you will see measurable results in risk reduction quickly. I would strongly advise deploying a data discovery component that can help you locate sensitive information on specific file shares, FTP servers etc.
To ensure the right governance structures are in place, it’s good to create a DLP working committee with representation from information security and the various functional areas. This committee should meet monthly to discuss DLP findings, policy creation and changes, changes to alerting and escalation mechanisms etc. Roles and responsibilities must be clearly defined and incident workflows chalked out based on incident severity and priority.
The system should run in monitor mode for a period of time during which you analyze the data. Supplement your initiative with an employee awareness drive to make sure everyone involved can identify sensitive data and knows what to do to ensure data is not put at risk. And ensure that the right security tools and processes are in place to enable secure movement of data to meet business needs. Thus, a combination of monitoring, detection and prevention through DLP software, employee awareness, and adequate security tools to enable secure movement of data will help manage risk to information assets while still enabling the business.
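As an added illustration (not code from the original article or from any DLP product), here is the kind of monitor-only discovery scan described above: a small hypothetical policy set for payment card numbers, e-mail addresses and compensation data is run over a constructed sample share, and the findings are ranked by severity for the committee's triage. The policy patterns, severities and sample files are all assumptions.

```python
import os
import re
import tempfile
from collections import namedtuple
from pathlib import Path

# Hypothetical first-phase policy set (pattern, triage severity); the Luhn check filters card false positives.
POLICIES = {
    "payment_card": (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "high"),
    "email_address": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "medium"),
    "compensation": (re.compile(r"(?i)\b(?:salary|bonus)\b\s*[:=]?\s*\$?\d"), "high"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; True for a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

Finding = namedtuple("Finding", "path policy severity count")

def scan_file(path: str) -> list:
    """Monitor-only: read one file and report which policies it matches; nothing is changed or blocked."""
    text = Path(path).read_text(encoding="utf-8", errors="ignore")
    findings = []
    for name, (pattern, severity) in POLICIES.items():
        hits = pattern.findall(text)
        if name == "payment_card":
            hits = [h for h in hits if luhn_ok(re.sub(r"\D", "", h))]
        if hits:
            findings.append(Finding(path, name, severity, len(hits)))
    return findings

def scan_share(root: str) -> list:
    """Walk a share (or a mounted copy of it) and list findings, high severity first."""
    findings = [f for d, _, names in os.walk(root) for n in names for f in scan_file(os.path.join(d, n))]
    return sorted(findings, key=lambda f: (f.severity != "high", f.path))

def build_sample_share() -> str:
    """Constructed sample files (not real data) so the scan can run offline."""
    root = tempfile.mkdtemp(prefix="dlp_demo_")
    samples = {"finance/payroll.txt": "Salary: $85000 for employee 1042\n",
               "sales/customers.csv": "alice@example.com,4111 1111 1111 1111\n",
               "shared/notes.txt": "Ticket 4111 1111 1111 1112 is not a card\n"}
    for rel, body in samples.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body, encoding="utf-8")
    return root
```

Running `scan_share(build_sample_share())` reports the payroll and customer files but not the notes file, whose 16-digit ticket number fails the Luhn check.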