Data can be both an asset and a liability. As organisations grow,the volume and complexity of data required to support the business increases. All organisations store sensitive data that their customers, business partners, shareholders and the Board expect them to protect against theft, loss and misuse.
DLP Solution is implemented by IT for the business with the close association of various business departments; DLP implementation requires strong upper management commitment and support, in-depth involvement of middle management, IT operation and business/data owners of various departments.
In our experience, a successful DLP solution/program must be approached holistically, focusing not just on the technology, but also on the people and processes needed to support and interface with the system(s). The approach we propose is as follows:
- Governance (Strategy, Requirements, Organisational Structure, Policies and Procedure, Training, Metrics&Monitoring)
- Process (Incident Response Workflows, Incident Response Plan, Optimisation)
- Security Integration (Integration with Enterprise Security Solutions)
- System Implementation (Rules& Policy Configuration, Access Configuration)
DLP Implementation in Range of Industries
Travel and Aviation
Banking & Insurance
Energy & Utilities
Transport & Logistics
BOLD&Digital's approach for DLP Implementation
Identify the data that would cause the biggest issue if it was exposed in a data leak or loss incident. The most sensitive data at organizations varies according to the industry they operate in. In healthcare, for example, the most important data to secure is patient data, while in a manufacturing organization it’s likely to be intellectual property.
Not only is it important to identify sensitive information; you also need to track how this sensitive data flows between different systems. A DLP tool is able to track the path and location of all sensitive information, however, you need to first classify the data to track its movement. We classify by context, such as the type of data or the data store in which the information resides.
Due diligence is imperative in choosing the right DLP tool, and it’s a good idea to create an evaluation framework of important questions you need to ask about potential vendor tools.
You must have a clear definition of roles and responsibilities for using and maintaining your DLP software. It’s prudent to segregate roles based on who creates the DLP policy and who implements the policy rules in your chosen system. For example, the security team can create rules based on data security needs, but your IT support system can implement the policy in your DLP tool. Clear roles and responsibilities are also crucial for promptly responding to any potential data loss or leak incidents that the DLP system flags.
With something as complex as DLP, it is unwise to go “all-in” from the outset. Begin by trying to secure a subset of your most sensitive data to get a simple win with the tool before extending to more data. This pilot project can teach valuable lessons for extending the DLP solution to a full-scale deployment while also growing confidence in the system. In the initial pilot phase, perhaps start by monitoring the data only before moving on to blocking user actions or auto-encrypting data as it moves across systems.
DLP solutions generate alerts using policy-based rules. These alerts are then escalated to support teams or incident response teams. It’s important to test policies before going live because high volumes of false positives can frustrate support teams and disrupt normal business processes
DLP tools provide more visibility, control, and protection of sensitive data, but they cannot analyze encrypted data without the keys to decrypt the files. Another limitation is that organizations with a lot of sensitive data contained in rich media such as graphics files will struggle to get much use from DLP tools because they are unable to parse and classify this type of content.
With any large-scale business investment, there is inevitably pressure from stakeholders at the executive level to prove the value that the investment provides. It is vital to define DLP metrics and success criteria. After defining the key performance indicators, you need to ensure they are regularly collected and reported on to relevant stakeholders. Useful metrics include the number of false positives (ideally close to zero), detection accuracy, number of data loss incidents since implementation, etc.