So you want to implement a Data Loss Prevention Program to secure your data. You go ahead and purchase one of the top rated(?) DLP products on the market and begin planning for implementation. One way or the other, depending on the complexity and the requirements of the product, the technical implementation will come to an end rather quickly.
But are you confident that the deployed solution is effective? You shouldn’t be, because technical implementations are not the key to an effective DLP Program.
There are a number of activities that must take place when initiating and during the lifecycle of a DLP Program.
Identify you data
Again (as always), you CANNOT protect what you dont know.
Learn how your business works, what data are created, used and communicated and for what purpose.
This stage is critical. Consult with your line managers and get as much information as possible.
Prioritize and classify
Not all data are equal. Determine which data may cause the biggest problems to the organization if they are stolen. Learn from the business and dont try to protect every single bit of information that comes and goes through so many channels (email, chat, webpages etc) it is virtually impossible. Protecting it all requires cultural changes in the organization, a lot of time and manpower.
By agreeing to a consistent way to classify the data (who created it, storage location, source application etc.) you can track your data more easily.
Create Data Flow Diagrams and Monitor data movement
Understand how data are being used. This way you can determine, by monitoring, if the transfer of data is legitimate or not.
What data are being used by which departments and people? Are they creating new data? What programs, systems or services are being used to process, transfer and store data?
Develop Security Controls
Now that you have a more clear view on your data origin, usage and movement, you can work with the line managers to understand the reasons behind all these actions and develop security controls to protect them.
You will not protect your data with just on product. You need a series of controls across your environment. Dont trust vendors who claim to provide “total” DLP solutions.
Employee Training
Develop a culture where your employees understand the risks of data loss and that they play an important role in securing the company’s information. Insider leaks are the most common and most difficult to prevent.
Learn and evolve
This is where the word “Program” comes to life. Your DLP Program is ongoing. You don’t set it up and let it work by its own. It will mature over time and you will be able to fine tune it to fit your needs and mitigate specific risks applicable to your environment.
If you don’t approach Data Loss Prevention as an ongoing effort where participation is necessary across the organization, whichever solution you select to deploy you will probably fail.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.
