
7 strategies for a successful DLP strategy

Curtis Dalton | March 18, 2014
Data Loss Prevention can provide some powerful protection for your sensitive information. It can be used to discover Personal Information (PI) within your environment, identify various forms of PI from names and phone numbers to government identifiers and credit card numbers, assemble multiple subsets of PI to accurately identify a whole record, and even do all of this in multiple languages.

When you are ready to implement DLP, ensure that you apply good communications practices. Keep business leaders, stakeholders and users appropriately informed of your plans and timelines. The rule of thumb I follow for communications is:

  • Tell them that you're going to tell them
  • Tell them
  • Then tell them that you told them

It seems redundant, but you will find this approach is highly effective in getting your message across. Develop different communications for each segment of your business community: one for executive leadership, one for team leadership, and one for the end-user population. Don't surprise anyone with DLP. A surprise here can quickly look like "big brother" has just moved in, and that is not the image you want.

Review architecture options

DLP solutions come in various forms, including software, hardware and cloud-based offerings, and several DLP vendors combine two or more of these. Depending on what sensitive data you wish to protect, where it resides, and how it is accessed, the best fit for your business may include any one or more of them.

Software-based DLP solutions include perpetual or subscription-based licenses for endpoint clients and the management server. You will need to separately provide the underlying computer hardware, operating system and virtualization software (if appropriate), a database server and a management server.

Hardware-based solutions include one or more DLP appliances. At a minimum you will need to separately provide one or more Mail Transfer Agents (if you intend to encrypt or block emails), a database server and a management server.

Cloud-based DLP solutions typically represent a zero-footprint subscription service. Endpoint traffic is steered to the DLP cloud provider either by Web Cache Communication Protocol (WCCP) configuration on your routers, which redirects traffic in the network path, or by a proxy auto-configuration (PAC) file distributed to each endpoint that directs its outbound web traffic to the provider's proxy. Bear in mind that the PAC approach is a client-side setting: a user who can change proxy settings on the endpoint can bypass it, whereas WCCP redirection does not depend on endpoint configuration.
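As an added example (not from the article or any vendor), the following PAC file shows the endpoint-side redirection described above: loopback, single-label intranet names, private address space and assumed internal DNS suffixes go DIRECT, and everything else is sent to two assumed cloud DLP proxy hostnames. It avoids the browser-provided PAC helpers (isInNet, dnsDomainIs) so the same file runs unchanged under Node for testing. All hostnames, suffixes and the port are placeholders.

```javascript
// Added example PAC file for steering outbound web traffic to a cloud DLP proxy.
// Proxy hostnames, port and internal suffixes below are assumed placeholders.

// Two proxies and no trailing "DIRECT" make the policy fail-closed: if both are
// unreachable, outbound web traffic stops instead of silently bypassing inspection.
// Append "; DIRECT" only if you consciously prefer availability over inspection.
var DLP_PROXIES = "PROXY dlp-proxy-1.example.net:8080; PROXY dlp-proxy-2.example.net:8080";

// Assumed internal DNS suffixes whose traffic must stay inside the network.
var INTERNAL_SUFFIXES = [".corp.example.com", ".example.internal"];

// True if host is a dotted-quad IPv4 literal in RFC 1918 or loopback space.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Some PAC engines lack String.prototype.endsWith, so spell it out.
function endsWith(str, suffix) {
  return str.length >= suffix.length &&
         str.lastIndexOf(suffix) === str.length - suffix.length;
}

// Entry point every PAC engine calls; returns the proxy string for this request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Loopback, short intranet names and private addresses never leave the network.
  if (host === "localhost" || host.indexOf(".") === -1 || isPrivateIPv4(host)) {
    return "DIRECT";
  }
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (endsWith(host, INTERNAL_SUFFIXES[i])) return "DIRECT";
  }
  // Everything else, HTTPS included, goes to the cloud DLP proxy. The proxy can
  // only inspect TLS payloads if it also intercepts TLS with a CA the endpoints
  // trust; that is a separate configuration and a separate risk decision.
  return DLP_PROXIES;
}
```

Keep the DIRECT list short and reviewed: every suffix or range added to it is a path that leaves the network without inspection, and the file itself should be served from a location only the support team can change, since anyone who can edit it can exempt a host from DLP.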

Roles & responsibilities

After you have a good idea which of the DLP architectures may best suit your needs, start to define the roles and responsibilities you will follow. Build a RACI chart which details who is responsible, who is accountable, who needs to be consulted and who is informed for each activity related to the care and feeding of your DLP solution. Doing so will clearly spell out who owns and does what. This will help you avoid conflicts with other support groups that manage DLP, or any of its underlying components, later on.

Each RACI entry is important; however, there are two particular items that you should include. First, build in segregation of duties to help prevent misuse. Do this by giving the security team the right to create DLP policies but not to implement them, and giving your support team (IT, for example) the right to implement the policies developed by the security team but not to create them. With this check and balance in place, no single team can subvert the solution or cause harm by implementing something that should not have been implemented.
