One way to think about this is to consider Pareto's "Law of the Vital Few" (the 80/20 rule): roughly 80% of your risk comes from 20% of your sources. By concentrating your DLP controls on those high-risk areas first, you make a significant improvement to your company's risk profile while also having attractive ROI figures to share with senior management.
Identify business requirements
Before diving into the technology and available vendor solutions, you should first build a good understanding of what your business requirements for DLP will be. Be sure that your business requirements include the following:
- Transparency: Spell out what users may expect after installation. Think about how their use of data and information systems will change once DLP is introduced into your environment. Will DLP complicate or simplify their work?
- Performance: Consider the performance impact that your DLP solution may have on your environment. Performance of laptops and desktops may be impacted due to DLP endpoint client software, or large policies enforced at endpoints. The performance of your network and servers may also be impacted if DLP is used to aggressively discover the locations of sensitive data within your environment.
- Compatibility: Consider which operating systems and applications DLP will need to support in your environment. For example, some DLP vendors support Mac OS, but many do not.
- Availability: Consider whether your DLP solution needs to be highly available, or whether best effort is good enough. If the solution stops working for some reason, what is the impact? In particular, decide whether it should fail open (data moves unchecked) or fail closed (users lose the ability to move data at all), since each outcome carries a different cost.
Define security requirements
After identifying your business requirements, sketch out a set of security requirements to support them. You may decide that any PI must be encrypted when someone attempts to copy it to USB, or whenever someone attempts to move it off disk by any means. Perhaps you only care about large quantities of PI, so above a certain threshold you choose to block the transfer. Or maybe you simply want DLP to alert support staff without blocking or encrypting anything. Each business has a different set of requirements; define a set of security requirements that fit your specific business needs.
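To make the kind of threshold-based requirement described above concrete, here is an added example (not code from the original article or from any DLP vendor) of how a policy engine might turn a scan result plus the egress channel into an action. The PI detectors (an SSN pattern and a Luhn-checked card-number pattern), the `Policy` thresholds, the channel names and the sample documents are all this example's own assumptions; a real product ships far richer classifiers.

```python
import re
from dataclasses import dataclass

# Example detectors for two kinds of PI. The patterns and the Luhn check are
# this example's assumptions; real DLP products use dictionaries, document
# fingerprints and exact-data matching in addition to regular expressions.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators


def luhn_ok(number: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_pi(text: str) -> dict:
    """Return the number of PI records found in text, keyed by record type."""
    cards = [m.group(0) for m in CARD_RE.finditer(text) if luhn_ok(m.group(0))]
    return {"ssn": len(SSN_RE.findall(text)), "card": len(cards)}


@dataclass(frozen=True)
class Policy:
    """Thresholds expressed as number of PI records in a single transfer (assumed values)."""
    alert_at: int = 1      # any PI at all: notify support staff, allow the move
    encrypt_at: int = 10   # this many or more going to removable media: encrypt
    block_at: int = 100    # bulk exports: block outright, whatever the channel


def decide(counts: dict, channel: str, policy: Policy = Policy()) -> str:
    """Map a scan result plus the egress channel ("usb", "email", ...) to an action."""
    total = sum(counts.values())
    if total >= policy.block_at:
        return "block"
    if channel == "usb" and total >= policy.encrypt_at:
        return "encrypt"
    if total >= policy.alert_at:
        return "alert"
    return "allow"


# Constructed sample content, not real records.
MEMO = "Project update: reviewed the Q3 numbers, no changes to the roadmap."
HR_FORM = (
    "Employee SSN 123-45-6789, dependant SSN 321-54-9876\n"
    "Corporate card 4111 1111 1111 1111\n"
    "Ticket ref 1234 5678 9012 3456\n"   # fails Luhn, so it is not counted
)
MEDIUM_EXPORT = "\n".join(f"{300 + i:03d}-22-{2000 + i:04d}" for i in range(20))
BULK_EXPORT = "\n".join(f"{100 + i:03d}-12-{1000 + i:04d}" for i in range(150))

if __name__ == "__main__":
    cases = [("memo", MEMO, "usb"), ("hr_form", HR_FORM, "usb"),
             ("hr_form", HR_FORM, "email"), ("medium", MEDIUM_EXPORT, "usb"),
             ("medium", MEDIUM_EXPORT, "email"), ("bulk", BULK_EXPORT, "email")]
    for name, text, channel in cases:
        counts = count_pi(text)
        print(f"{name:8s} via {channel:5s}: {counts} -> {decide(counts, channel)}")
```

The Luhn check is the practitioner's caveat here: a plain 16-digit pattern will flag ticket numbers and timestamps as card numbers, and every such false positive is a blocked transfer and a help-desk call, which is exactly the transparency and performance cost discussed under business requirements. Tune the thresholds against a sample of real traffic before turning on blocking.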
If you are pitching DLP to leadership, think "safety net" rather than "big brother." DLP should be presented as a collaborative solution. Sell it in a positive light, explaining how it protects your sensitive data, keeps your business out of the media (for the wrong reasons), and can give you a competitive advantage. Plan to involve key stakeholders from across the company early on; these groups typically include IT, HR, Finance, Legal and Internal Audit. Later, when you are ready to implement DLP, you will want and need the support of these business leaders.