Skip to content

5 Areas to Consider When Developing DLP Policies

Security breach incidents have become as ubiquitous as Monday morning traffic. Occurrences appear to be getting more sophisticated in scale when it comes to the volume of data stolen and the financial impact to both enterprise and individuals. Adopting strong DLP policies is key when it comes to protecting data. 

The latest security breach to dominate the airwaves—Facebook—involved “50 million accounts,” the social media giant initially said, though they recently walked that number back to only “29 million accounts.” Unsurprisingly, they are keeping very quiet about possible culprits—more than likely state-sponsored, but that remains to be proven.

Why Is This Important?

The kind of data stolen—birth dates, hometowns, phone numbers and emails—could potentially be a serious problem for account holders. More importantly, the breach points to significant flaws in Facebook’s data loss prevention (DLP) policies.

Data loss prevention has to be ingrained as part of organizational culture in the form of formal best practices. These are some areas to consider when formulating or updating your DLP policies.

Define Your Objectives

Today’s cybersecurity landscape mandates that enterprises have concrete policies in place. These policies must be customized for their particular business model, yet elastic enough to adapt to change when necessary.

Goals must be tailored to meeting the challenges of protecting sensitive data from unauthorized use, storage, or modification, even if that means implementing policies enabling a fluid IT budget spend.

Minimizing data loss will have a significant impact on a business’s financial profitability and planning, so a proactive strategy will always be a best practice.

Know the Data Loss Prevention Phases

Part of your DLP security posture will be knowing how to identify prevention phases as follows:

  • DLP Strategy – Workflow goes from data mapping to a written roadmap describing formal DLP policy.
  • DLP Implementation – Defines DLP placement leading to DLP technical policy managed by IT.
  • Security Incident & Event Management – Starts with DLP monitoring policy leading to rapid identification of breaches.

This architecture should be the basic structure of your DLP policy, but your organization may need to add more, depending on your industrial sector.

Carefully Define Data That Needs to Be Protected

The types of data that need to be protected are based on your organization’s industrial sector, policies, and processes, but generally will involve legal, marketing, sales, IT, finance, and HR.

On a legal level, communications, patent applications, intellectual property documents, and contracts need to be secured. Customer pricing, sales quotes, and upcoming sales campaigns have data protection implications as they signal the profitability of the company.

Likewise, IT configuration files, access keys, and earnings data are key data that needs to be locked down, along with personally identifiable information that HR keeps on employees.

Identify Vulnerable Data Leakage Endpoints

Recent reports point to a dismal statistic indicating that up to 96 percent of breaches are due to inadequate implementation of data security policies or negligence on the part of organizations.

Part of vulnerability is caused by inadequate policies governing the actual machines used to transmit and store sensitive data. Examples include:

  • Sensitive data stored on portable devices, such as laptops and tablets, without encryption
  • Unnecessary services running in the background of other apps used by employees
  • Emailing data without encryption
  • Sensitive data left in plain sight on printers by forgetful employees

To go a step further, even information from brainstorming sessions left on whiteboards is vulnerable to theft by visitors and temporary contractors. These DLP leakage points are relatively easy to resolve with the right policies in place that include rigorous employee training on security measures.

Draft a Formal Strategy for Data at Rest and in Motion

Data at rest is defined as data stored in databases, file systems, shared servers and the like. This type of data has a high probability of being stolen for a number of reasons, including lack of encryption policies and where they physically are used and operated.

NIST standards, for example, currently specify AES 256 encryption for maximum data security protection.

The first part of implementing policy for this type of data is to discover where it is located in the first place. It could be on corporate files shares, employee workstations, or servers. Once you discover where this data is, you can then develop policies and practices that define its access as a data breach triggering a DLP event.

Data in motion refers to data endpoints where the data is used. This can be flash drives, hard disks, and other removable media. You will need to create custom policies for data in motion across endpoint machines or across networks and apply those policies to sources and destinations with defined actions permitting you to block destinations and sources based on rules.

Rules should be based on classifiers as to who is permitted to send and receive certain data. Also, there should be severity levels assigned—from low to high. Depending on the severity level, actions including audits, notifications to managers, and blocking options should be automated.

Conclusion

Data loss prevention policies are requirements from both a compliance and financial stability perspective for any organization handling or processing personally identifiable information and/or data. Fail to have a robust DLP policy in place, and your business stands to potentially lose out when it comes to your bottom line and future profitability.

 

eBook-Essential-Guide-to-SOC-2