Building an Effective DLP Program
Building an effective Data Loss Prevention (DLP) Program begins with the realization that DLP is a business utility, not an IT security tool. To deliver operational value, security leaders need to identify and work closely with business leaders who can help formulate a strategic plan for the daily use and continuous maintenance of the DLP Program. Business leaders can be instrumental in defining and supporting the program's key objectives: reducing the risk of data loss while demonstrating compliance with regulatory and contractual expectations. An effective security leader adds value by matching the tool's capabilities to the needs of the business.
Initially, a DLP Program should begin on a small scale with a clear definition of the specific data types that, if not adequately protected, constitute a risk to the organization. Although modern DLP tools can support many different categories, a practical approach is to start with well-defined data types that are less likely to create false positive alerts, such as Social Security or credit card numbers, whose fixed structure lets the tool validate a candidate match rather than alert on any run of digits. In addition, successful DLP implementations begin in "monitor" mode, recording incidents without proactively blocking emails or network access. Inevitably, DLP tools reveal that data does not stay within established business processes but tends to flow beyond those boundaries. With detailed incident data in hand, security leaders can work with business process owners to understand and remediate the gaps that caused each alert.
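To make the "start with structured data types, in monitor mode" advice concrete, the following is an added example written for this page; it is not code from any DLP product or from the article's author. It scans a few constructed sample messages for credit card and Social Security numbers, applies a structural validity check to each candidate (the Luhn checksum for cards, the never-issued area/group/serial values for SSNs) so that look-alike digit strings do not raise alerts, and records findings in monitor mode rather than blocking the message. The message texts, the partial-value evidence format and the `monitor`/`enforce` mode names are assumptions made for the example.

```python
"""Minimal DLP content scanner for two well-defined data types, run in
"monitor" mode. Added example for illustration; not from any DLP product."""
import re
from dataclasses import dataclass

# Constructed sample messages. The card number is a well-known test number,
# the SSNs are synthetic, and none of this is real data.
SAMPLE_MESSAGES = [
    "Please charge card 4111 1111 1111 1111 for the order",  # passes Luhn
    "Order ref 1234-5678-9012-3456 shipped today",           # 16 digits, fails Luhn
    "Employee SSN 123-45-6789 attached for onboarding",      # structurally valid SSN
    "Ticket 000-12-3456 opened by helpdesk",                 # SSN-shaped, area 000 is never issued
    "Call 555-867-5309 if the invoice is unclear",           # phone number, matches neither
]

# Candidate patterns: 13-16 digits with optional space/dash separators, and
# the 3-2-4 SSN shape. The lookarounds stop matches inside longer digit runs.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check. Every issued card number passes it, while about
    nine in ten random digit strings fail it, which removes most false
    positives from order numbers, tracking IDs and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """The SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass
class Finding:
    data_type: str
    evidence: str   # partial value only, so the alert record is not itself a leak
    action: str     # "alert" in monitor mode, "block" in enforce mode


def scan(text: str, mode: str = "monitor") -> list:
    """Return validated findings for one message. In monitor mode nothing is
    stopped; findings are recorded for follow-up with the business owner."""
    action = "alert" if mode == "monitor" else "block"
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("credit_card", "****" + digits[-4:], action))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3), action))
    return findings


def disposition(text: str, mode: str = "monitor") -> str:
    """'deliver' or 'block' for a message under the given mode. Monitor mode
    always delivers, which is what lets a new program collect incident data
    without disrupting business processes."""
    findings = scan(text, mode)
    return "block" if findings and mode == "enforce" else "deliver"


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for f in scan(msg):
            print(f"{f.action:5} {f.data_type:11} {f.evidence:10} in: {msg!r}")
```

Run stand-alone, the script reports only two findings out of five messages: the Luhn-valid card and the structurally valid SSN. The order reference and the phone number never reach an analyst, and the one SSN-shaped string with an impossible area number is dropped as well. The same messages run with `mode="enforce"` would be blocked, which is the step a program should take only after the monitor-mode incident data has been reviewed with the process owners.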
The most significant value that a DLP tool brings to an organization is the input it provides to security awareness training. In my experience, DLP-detected incidents are almost always caused by well-meaning individuals who simply did not realize that they were putting corporate data at risk. Using specific DLP-detected events in security awareness training has a powerful impact because they show the real-world behaviors that are the root cause of the problem. Of course, incident data must first be stripped of names and of the sensitive content itself, but the underlying issue can still be discussed. An example would be the employee who forwards sensitive data to his or her personal email account because he or she did not know about IT's secure web mail offering.
A truly effective DLP Program can empower the business by enabling capabilities that might previously have been perceived as too risky without the oversight of DLP technology. One example is the security problem caused by the proliferation of USB memory sticks. Initial, heavy-handed approaches to USB sticks might have been to ban them outright or to disable the USB ports on PCs. Once DLP can see what is being copied to removable media, the organization can instead weigh allowing their use under monitoring.
Every organization must establish its own risk tolerances in choosing which controls to implement and how those controls should be implemented. At its best, a mature DLP Program can help the organization understand where its data flows, train employees to better protect sensitive data and provide reasonable mitigations that empower businesses to focus on growth and not security limitations. The keys to success are for IT and security to work with the business owners to craft workable DLP policies and to establish a mindset of continuous, incremental improvement.