When you are ready to implement DLP, ensure that you apply good communications practices. Keep business leaders, stakeholders and users appropriately informed of your plans and timelines. The rule of thumb I follow for communications is:
- Tell them that you're going to tell them
- Tell them
- Then tell them that you told them
It seems redundant, but you will find this approach is highly effective in getting your message across. You will want to develop different communications for each segment of your business community: one for executive leadership, one for team leadership and one for the end-user population. Don't surprise anyone with DLP. Surprise in this case can quickly look like "big brother" just moved in, and that is likely not the image you want.
Review architecture options
DLP solutions come in various forms, including software, hardware and cloud-based solutions, and several DLP vendors offer a mixture of these. Depending on what sensitive data you wish to protect, where it resides and how it is accessed, the DLP solution that best fits your business may include any one or more of these.
Software-based DLP solutions include perpetual or subscription-based licenses for endpoint clients and the management server. You will need to separately provide the underlying computer hardware, operating system and virtualization software (if appropriate), a database server and a management server.
Hardware-based solutions include one or more DLP appliances. At a minimum, you will need to separately provide one or more Mail Transfer Agents (if you intend to encrypt or block emails), a database server and a management server.
Cloud-based DLP solutions typically represent a zero-footprint subscription solution. Endpoint users are directed to your DLP cloud provider either through Web Cache Communication Protocol (WCCP) configuration on your routers, or through a PAC file installed on each endpoint that redirects its outbound web traffic to the DLP provider's cloud.
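To make the PAC-file redirection concrete, here is an added example (not from the article or any DLP vendor) of a PAC file that sends all external web traffic to a cloud DLP proxy while keeping intranet and RFC 1918 destinations direct. The proxy hostname and internal domain are placeholder assumptions, and the three helper functions are minimal stand-ins for the ones browsers normally provide, included only so the file can be exercised outside a browser.

```javascript
// Added example: PAC file steering endpoint web traffic to a cloud DLP proxy.
// Hostnames and addresses below are constructed placeholders (assumptions).

// --- Minimal stand-ins for the PAC helpers a browser supplies. In a real
// --- deployment these three functions are NOT part of the PAC file.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isInNet(ip, pattern, mask) {
  // Stand-in works on dotted-quad literals only (browsers also resolve names).
  const toInt = (s) => s.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
  return (toInt(ip) & toInt(mask)) === (toInt(pattern) & toInt(mask));
}

// Fail-closed proxy string: no "; DIRECT" fallback, so if the DLP cloud is
// unreachable the browser does not silently bypass inspection.
const DLP_CLOUD = "PROXY dlp-proxy.example-dlp.invalid:8080"; // assumed hostname

function FindProxyForURL(url, host) {
  // Unqualified names and loopback never leave the endpoint.
  if (isPlainHostName(host) || host === "localhost") return "DIRECT";
  // Internal corporate zone stays on-premises (assumed domain).
  if (dnsDomainIs(host, ".corp.example.invalid")) return "DIRECT";
  // RFC 1918 destinations given as literal IPs are internal.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0"))) return "DIRECT";
  // Everything else (HTTP, HTTPS, FTP) is forced through the DLP cloud.
  return DLP_CLOUD;
}
```

Appending "; DIRECT" after the proxy keeps users working when the DLP cloud is down, but it also lets traffic leave uninspected, so choose fail-open or fail-closed deliberately and log which one you picked.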
Roles & responsibilities
After you have a good idea which of the DLP architectures may best suit your needs, start to define the roles and responsibilities you will follow. Build a RACI chart which details who is responsible, who is accountable, who needs to be consulted and who is informed for each activity related to the care and feeding of your DLP solution. Doing so will clearly spell out who owns and does what. This will help you avoid conflicts with other support groups that manage DLP, or any of its underlying components, later on.
Each RACI entry is important; however, there are two particular items that you should include. First, ensure that you build in a segregation of duties to help prevent misuse. Do this by assigning rights to the security team allowing them to create DLP policies but not to implement them. Then, assign rights to your support team (IT, for example) allowing them to implement the DLP policies developed by the security team but not to create policies. By applying this check and balance, you prevent a single team from subverting the solution or from causing harm by implementing something that should not have been implemented.