DLP Governance & Change Considerations
SUMIT PANDITA C.
The Chartered Engineer | The Royal Charter | MIE | The Institution Of Engineers India (IEI) | Cybersecurity and Risk Management Executive | Empowering Organisational Resilience and Compliance | Director
Over the last decade, enterprises have become increasingly reliant on digital information to meet business objectives. Significant amounts of information fuel business processes that involve parties both inside and outside of enterprise network boundaries on any given business day. There are many paths for these data to travel and they can travel in many forms—e-mail messages, word processing documents, spreadsheets, database flat files and instant messaging are a few examples. Much of this information is innocuous, but in many cases, a significant subset is categorized as “sensitive” or “proprietary,” indicating that this information needs to be protected from unauthorized access or exposure. This need can be externally driven by privacy and other types of regulation, or internally driven by business objectives to protect financial, strategic, or other types of competitive information.
Data leak prevention (DLP) is a suite of technologies aimed at stemming the loss of sensitive information that occurs in enterprises across the globe. By focusing on the location, classification, and monitoring of information at rest, in use, and in motion, this solution can go far in helping an enterprise get a handle on what information it has and stop the numerous leaks of information that occur each day.
DLP is not a plug-and-play solution. The successful implementation of this technology requires significant preparation and diligent ongoing maintenance. Enterprises seeking to integrate and implement DLP should be prepared for a significant effort that, if done correctly, can greatly reduce risk to the organization. Those implementing the solution must take a strategic approach that addresses risks, impacts, and mitigation steps, along with appropriate governance and assurance measures.
"Prior to the selection and implementation of DLP technology, it is important to ensure that appropriate policies are developed to govern its use"
The introduction of a DLP solution to an enterprise can impact many IT systems and business processes. These impacts may involve significant changes to long-standing business processes, greater overhead on key systems, and network configurations.
It is also important that DLP policy development involves key business stakeholders who understand what information should be restricted and why.
“Organizations underestimate the need for the involvement of non-IT business units. In many instances, it’s not really appropriate for IT people to be in the middle of looking at what DLP systems can report about data compliance issues, but the practical use of DLP monitoring sometimes doesn’t make it into the hands of the right business people”
The key takeaway is that the correct business people should be involved in the initial policy development as well as when the DLP program is live because they will be critical in making judgment calls regarding violations. The business data owner who has an idea of the context is far more equipped to make these decisions than an IT security analyst. It is also important that these stakeholders fully understand the ramifications of the expected changes and that there is appropriate preparation to avoid a negative impact on the business processes.
It is also important to recognize that significant changes to business processes or longstanding procedures can have broader cultural impacts to the enterprise. Despite best efforts to communicate and educate prior to implementation, some individuals may not understand or accept the changes and may seek ways to circumvent the new controls, introducing additional risk to the enterprise. Understanding the systemic nature of information security management, such as that described in the ISACA research publication An Introduction to the Business Model for Information Security, can assist in the development of strategies to address this risk.
Enterprises should ensure that a risk-based approach is utilized when implementing a DLP solution. Even when deployed in a monitoring-only mode, it is easy to be overwhelmed with the amount of information presented by the system. When this occurs, there is a distinct possibility that the solution will either be tuned down to the point that it is ineffective or will eventually be ignored, as was the case with many early intrusion detection systems (IDSs).
An approach that some enterprises are taking is implementing DLP only for specific systems or protocols that they have determined to be at high risk. A single channel frequently covered is e-mail, since it often poses the single greatest data loss risk to an enterprise.
Now, let me shed more light on assurance considerations for DLP.
"Assurance professionals have the task of ensuring that the DLP solution is properly deployed, managed, and governed."
This involves having a clear understanding of the risks as well as ongoing monitoring of four key areas:
A) Enterprise strategy and governance
- Review the data protection strategy to examine whether it is in line with the business objectives and risks.
- Pay attention to indirect risks where confidential information may be abused by competitors. Assess whether there are checkpoints to keep data strategy aligned with changing business objectives.
- Verify whether a clear governance framework is in place to orchestrate actions across people, processes, and technology.
- Verify whether all applicable regulations, legislation, and privacy laws are considered.
B) People
- Verify whether appropriate stakeholders are engaged during and after DLP implementation.
- Key stakeholders include:
  - Legal, privacy, corporate security, information security
  - IT engineering and operations
  - HR and employee representatives
  - Key business line representatives
  - Executive management
- Review the training and awareness program to ensure that employees are aware of their roles and responsibilities.
- Ensure that staff required to handle confidential information are properly trained according to the enterprise's security policy and that only staff with a business requirement have access to confidential information.
- Ensure that the appropriate stakeholders are involved in the identification of sensitive data and in the workflow that evaluates and addresses DLP policy violations.
C) Business Process
- Review business processes with access to confidential information and determine whether that access is required to perform each process.
- Identifying which business processes genuinely need access to confidential information is one of the strongest methods of protecting such data.
- In addition, appropriate processes for monitoring, detecting, qualifying, handling, and closing data leakage incidents should exist.
D) Technology
- Review the specific technology that has been deployed and determine whether it is installed as designed. For example, determine whether it covers all egress points and devices critical to the enterprise. This should include business partner egress points and devices with access to sensitive information.
- In addition, ensure that it covers all of the required elements of the technology in use at the enterprise.
- Finally, periodic reviews of logs and event handling processes ensure that the solution is being utilized in an appropriate and optimized manner.
Conclusion:
Ensuring that the organization takes adequate measures to protect against information loss or leakage is an important responsibility of the IT department. Management has to provide assurance to its stakeholders that measures are in place to protect sensitive corporate digital assets, including IP, as well as personal and financial data. A comprehensive and integrated DLP solution should provide reasonable controls to protect against data loss from internal sources. At the same time, successfully implementing a DLP solution for a larger organization needs careful planning, systematic implementation, and effective processes.
Deploy only DLP solutions whose pre-defined rules are not enforced automatically, and do not enable blocking policies on the endpoints on the very first day, as doing so can create many false positives.
The DLP solution should be kept in monitoring mode from the first day until the organization has identified its risk gaps; only then should prevention and control mode be enabled.
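To make the monitoring-first rollout and the false-positive point concrete, here is an added illustration (not code from the article or any DLP product): a toy e-mail DLP rule that flags card-like numbers, run first in monitor mode and then in enforce mode. The sample messages, rule name and mode names are all constructed for the example; the Luhn check shows how a tuned rule drops a false positive that a naive "any 16 digits" rule would block.

```python
import re

# Constructed sample e-mail messages (not real data or real addresses).
SAMPLE_MESSAGES = [
    {"id": "m1", "body": "Invoice ref 1234567890123456 attached"},   # 16 digits, fails Luhn
    {"id": "m2", "body": "Card on file: 4111 1111 1111 1111"},       # passes Luhn
    {"id": "m3", "body": "Lunch at noon?"},                          # no match
]

# 16 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: distinguishes card-like numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pan(text: str, validate: bool = True) -> list:
    """Return candidate PANs; with validate=True only Luhn-valid ones count."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not validate or luhn_ok(digits):
            hits.append(digits)
    return hits


def evaluate(messages: list, mode: str = "monitor", validate: bool = True):
    """Run the PAN rule over messages.

    monitor mode: every message is delivered, violations are only logged for
    the data owner to review; enforce mode: matching messages are blocked.
    Returns (delivered message ids, audit events).
    """
    delivered, events = [], []
    for msg in messages:
        pans = find_pan(msg["body"], validate)
        if pans:
            action = "blocked" if mode == "enforce" else "logged"
            events.append({"id": msg["id"], "rule": "PAN", "action": action, "matches": len(pans)})
            if mode == "enforce":
                continue
        delivered.append(msg["id"])
    return delivered, events
```

Comparing `evaluate(SAMPLE_MESSAGES, "monitor", validate=False)` with `validate=True` shows the untuned rule raising two events and the tuned rule one, which is the kind of finding the monitoring period is meant to surface before enforcement is switched on.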
Thank You !!