
Transcript of The CISO’s Guide to Data Loss Prevention

Page 1: The CISO’s Guide to Data Loss Prevention

The CISO’s Guide to Data Loss Prevention

A 7 Step Framework for Developing and Deploying DLP Strategy

Page 2: The CISO’s Guide to Data Loss Prevention

Welcome to The CISO’s Guide to Data Loss Prevention – the definitive guide to developing and deploying data loss prevention strategy.


Page 3: The CISO’s Guide to Data Loss Prevention

Background

Data Loss Prevention (DLP) has always been a concern for businesses

In earlier days, the focus was on protecting physical documents from loss or theft

The proliferation of data and of digital communication channels (email, removable media, cloud storage) has made the criminal’s job easier, and has multiplied the ways data can leak by accident

A DLP program can be a manageable, progressive process if organizations follow a phased approach

Page 4: The CISO’s Guide to Data Loss Prevention

In the words of Gartner Research VP Anton Chuvakin:


“Deployment of a DLP tool should go from one tactical success to another (a "quick-wins" approach) to avoid outright failure due to complexity and organizational politics.”

Page 5: The CISO’s Guide to Data Loss Prevention

A 7 Step Framework for Developing and Deploying Data Loss Prevention Strategy

There are a number of fundamental activities that must occur when initiating a data loss prevention program. This framework provides general guidelines that your DLP strategy should follow. These requirements can also be used to help choose the right DLP solution for your organization.


Page 6: The CISO’s Guide to Data Loss Prevention

1. Prioritize Data

Determine which data would cause the biggest problem if stolen.

Data loss prevention should start with the most valuable or sensitive data that is most likely to be targeted by attackers.

Manufacturing companies might choose to prioritize intellectual property such as design documents in their DLP efforts.

Retailers and financial services companies should obviously rank payment card data (the cardholder data that PCI DSS governs) highly.

Page 7: The CISO’s Guide to Data Loss Prevention

2. Categorize (classify) the data

A simple, scalable approach is to classify by context: the application that produced the data, the repository it lives in, or the user or group that created it, rather than the content itself.

Applying persistent classification tags to the data allows organizations to track its use.

Content inspection, which examines the data itself for patterns such as regular expressions matching Social Security and credit card numbers, or for keywords, is also useful and often comes with pre-configured rules for PCI, PII and other standards. Pattern matches alone generate false positives (any 16-digit order number looks like a card number), so a good rule pairs the regular expression with a validator such as the Luhn checksum, and tuning those rules against real traffic is part of the work.
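As an added example (not code from the guide or from any DLP product), here is how the two approaches on this page combine: context tags assigned from the data's source, plus content inspection with regular expressions for Social Security and payment card numbers. The source names, tag names and sample documents are constructed for illustration; the Luhn checksum is the standard validator for card numbers and is the check that turns a noisy regex into a usable rule.

```python
import re

# Context-based classification: the system the data came from decides its label,
# before any content is inspected. Source names are constructed for this example.
CONTEXT_TAGS = {
    "cad-vault": {"IP", "Confidential"},   # design documents, step 1's manufacturing case
    "hr-system": {"PII"},
    "payments-db": {"PCI"},
}

# Content-based classification: patterns for the data types step 1 ranks highest.
# US Social Security numbers: area 000, 666 and 900-999 are never issued, group 00
# and serial 0000 are invalid, so those are rejected up front.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers. A regex alone flags every
    16-digit order or invoice number; requiring a valid checksum removes most of
    those false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings in `text` that look like card numbers and pass Luhn."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(document: dict) -> set:
    """Combine context and content into one set of persistent tags.
    `document` is a constructed dict with a 'source' and a 'text' field."""
    tags = set(CONTEXT_TAGS.get(document["source"], set()))
    text = document["text"]
    if SSN_RE.search(text):
        tags.add("PII")
    if find_card_numbers(text):
        tags.add("PCI")
    return tags


# Constructed sample documents: no real personal or card data.
SAMPLE_DOCUMENTS = [
    {"source": "cad-vault", "text": "Gearbox housing rev 3, tolerances per drawing"},
    {"source": "helpdesk", "text": "Customer says card 4111 1111 1111 1111 was declined"},
    {"source": "helpdesk", "text": "Please expedite invoice 1234 5678 9012 3456"},
    {"source": "helpdesk", "text": "Applicant SSN 123-45-6789 for background check"},
]

if __name__ == "__main__":
    for doc in SAMPLE_DOCUMENTS:
        print(doc["source"], sorted(classify(doc)) or "-")
```

The third sample document is the point of the Luhn check: it matches the card regex but fails the checksum, so it is not tagged PCI. The first document is tagged purely by context, which is what lets a program start classifying before any content rules have been tuned.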

Page 8: The CISO’s Guide to Data Loss Prevention

3. Understand when data is at risk

Network-based security controls may provide protection while data is at rest inside the network perimeter, behind the firewall.

However, for data distributed to user devices, or shared with partners, customers and the supply chain, different risks are present.

• In these cases, data is often at highest risk on endpoints or at the moment it is put into motion.

• Examples include attaching data to an email or moving it to a removable storage device.

A robust data loss prevention program must account for the mobility of data and all moments when data is put at risk.


Page 9: The CISO’s Guide to Data Loss Prevention

4. Monitor all data movement

Understanding how data is used and identifying existing behavior that puts data at risk are critically important.

Without this knowledge, organizations cannot develop appropriate policies that mitigate risk of data loss while allowing appropriate data use.

Not all data movement represents data loss; organizations should monitor all data movement to gain visibility into what’s happening to their sensitive data and determine the scope of their risks.

Page 10: The CISO’s Guide to Data Loss Prevention

5. Communicate and develop controls


Monitoring will provide insights into how data is put at risk.

Work with business line managers to understand why this is happening and create controls for reducing data risk.

Target the most common risky behaviors while generating support from line managers.

Develop more granular, fine-tuned controls to mitigate specific risks as the data loss prevention program matures.

Page 11: The CISO’s Guide to Data Loss Prevention

6. Train employees and provide continuous guidance


User training can often mitigate the risk of accidental data loss by insiders.

Employees often don’t recognize that their actions can result in data loss, and will self-correct when educated.

Advanced DLP solutions offer user prompting: at the moment of a risky action, the employee is told that the data use may violate company policy or simply increase risk and is given the chance to self-correct (in addition to controls that outright block risky data activity).
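Steps 4 to 6 map onto a small policy engine. The following is an added example, not code from the guide or from any vendor product; the event fields, channel names, tag names and phase rules are assumptions for illustration. It counts which tagged data is leaving through which channel (step 4), defines a second rollout phase that blocks the most common risky behaviour and prompts on the rest (step 5), and records a user's justification when they proceed past a prompt (step 6).

```python
from collections import Counter

# Constructed sample of data-movement events, in the shape a DLP endpoint agent
# might report them (assumption: field names are illustrative, not any product's).
# Each event already carries the persistent classification tags from step 2.
EVENTS = [
    {"user": "alice", "channel": "email_external", "tags": {"PCI"}, "file": "refunds.xlsx"},
    {"user": "bob", "channel": "usb", "tags": {"IP", "Confidential"}, "file": "gearbox_v3.step"},
    {"user": "carol", "channel": "email_internal", "tags": {"PII"}, "file": "onboarding.docx"},
    {"user": "dave", "channel": "cloud_upload", "tags": {"PCI"}, "file": "chargebacks.csv"},
    {"user": "erin", "channel": "usb", "tags": set(), "file": "slides.pptx"},
    {"user": "alice", "channel": "email_external", "tags": {"PCI"}, "file": "q3_settlement.csv"},
]

# Channels where data is "put in motion" and therefore at highest risk (step 3).
EXFIL_CHANNELS = {"email_external", "usb", "cloud_upload"}

# Rollout phases. "monitor" logs everything and stops nothing (step 4); "controls"
# blocks the most common risky behaviour and prompts where a legitimate business
# reason is plausible (steps 5 and 6). Rules are keyed by (tag, channel); anything
# unmatched is allowed.
PHASES = {
    "monitor": {},
    "controls": {
        ("PCI", "email_external"): "block",
        ("PCI", "cloud_upload"): "prompt",
        ("IP", "usb"): "prompt",
    },
}
DEFAULT_ACTION = "allow"
SEVERITY = ("block", "prompt", "allow")  # strictest first


def risky_behaviours(events):
    """Step 4: count tagged data leaving through an exfiltration channel, per
    (tag, channel), most common first. This is what you show line managers."""
    counts = Counter()
    for event in events:
        if event["channel"] in EXFIL_CHANNELS:
            for tag in event["tags"]:
                counts[(tag, event["channel"])] += 1
    return counts.most_common()


def decide(event, phase):
    """Return the policy action for one event under the given rollout phase.
    When a file carries several tags, the strictest matching action wins."""
    rules = PHASES[phase]
    actions = {rules.get((tag, event["channel"]), DEFAULT_ACTION) for tag in event["tags"]}
    for action in SEVERITY:
        if action in actions:
            return action
    return DEFAULT_ACTION


def enforce(event, phase, justification=None):
    """Step 6: a prompt is a teaching moment, not a wall. The user may proceed
    with a recorded business justification; without one the action is cancelled.
    Returns an audit record that a monitoring pipeline could ingest."""
    action = decide(event, phase)
    if action == "allow":
        outcome = "allowed"
    elif action == "block":
        outcome = "blocked"
    elif justification:
        outcome = "allowed_with_justification"
    else:
        outcome = "cancelled"
    return {
        "user": event["user"],
        "file": event["file"],
        "channel": event["channel"],
        "action": action,
        "outcome": outcome,
        "justification": justification,
    }


def phase_summary(events, phase):
    """How many events each action would hit under a phase: run this over the
    monitoring data to predict business disruption before turning enforcement on."""
    return Counter(decide(event, phase) for event in events)


if __name__ == "__main__":
    print("Most common risky behaviours:", risky_behaviours(EVENTS))
    for phase in PHASES:
        print(phase, dict(phase_summary(EVENTS, phase)))
    print(enforce(EVENTS[3], "controls", justification="Monthly reconciliation with acquirer"))
```

Running `phase_summary` over the monitoring-phase data before switching to the controls phase is the "communicate" half of step 5: the numbers tell a line manager exactly which of their team's workflows a block would interrupt, and the prompt records tell you afterwards whether the policy or the workflow needs to change.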

Page 12: The CISO’s Guide to Data Loss Prevention

7. Roll Out

By starting with a focused effort to secure a subset of your most critical data, DLP is simpler to implement and manage.

A successful pilot will also provide lessons for expanding the program.

Over time, a larger percentage of your sensitive information will be included, with minimal disruption to business processes.

Organizations then repeat these steps with an expanded data set, or extend data identification and classification to enable more fine-tuned data controls.

Page 13: The CISO’s Guide to Data Loss Prevention

Additional DLP Resources


Is your DLP program up to snuff? Use our Data Protection Vendor Evaluation Toolkit to find out:

Get the Data Protection Vendor Evaluation Toolkit

For more on data loss prevention and the fundamentals of data security, check out our Data Protection 101 Series:

Data Protection 101