Building an Effective DLP Program
Building an effective Data Loss Prevention Program begins with the realization that DLP is a business utility, not an IT Security tool. To deliver operational value, security leaders need to identify and work closely with business leaders who can assist in formulating a strategic plan for the daily use and continuous maintenance of a DLP Program. Business leaders can be instrumental in defining and supporting the key objectives of the program: reducing the risk of data loss while demonstrating compliance with regulatory and contractual expectations. An effective security leader adds value to the DLP Program by matching the tool and technology capabilities to the needs of the business.
Initially, a DLP Program should begin on a small scale with a clear definition of the specific data types that, if not adequately protected, constitute potential risk to the organization. Although modern DLP tools can support many different categories, a practical approach is to focus on established data types that are less likely to create false positive alerts, such as social security or credit card numbers. In addition, successful DLP implementations begin in "monitor" mode, without proactively blocking either emails or network access. Inevitably, DLP tools reveal that data does not stay within established business processes but tends to travel beyond those boundaries. With detailed incident data at hand, security leaders can work with business process owners to understand and remediate the gaps that caused the alert.
The most significant value that a DLP tool brings to an organization is security awareness training. In my experience, DLP-detected incidents are almost always caused by well-meaning individuals who simply did not realize that they were putting corporate data at risk. Using specific DLP-detected events in security awareness training can make a powerful impact, because they identify the real-world behaviors that are the root cause of the problem. Of course, incident data must be cleansed of names and data, but the issue can still be discussed. An example would be the employee who forwards sensitive data to his or her personal email account because he or she did not know about IT's secure web mail access offering.
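As an added illustration of the two points above (start in monitor mode with low-false-positive data types, and keep incident records free of names and raw values), here is a small monitor-mode scanner; it is example code, not from the article or any DLP product, and the messages, domains and identifiers are constructed test data (the card number is the well-known test PAN 4111111111111111, the SSN is fake).

```python
import re

# Constructed sample email traffic for the example (not real data).
SAMPLE_MESSAGES = [
    {"id": 1, "from": "alice@corp.example", "to": "alice.home@mail.example",
     "body": "Forwarding the customer list: card 4111 1111 1111 1111 and SSN 219-09-9999."},
    {"id": 2, "from": "bob@corp.example", "to": "vendor@partner.example",
     "body": "PO number 1234567890123456 attached, invoice due Friday."},
    {"id": 3, "from": "carol@corp.example", "to": "dave@corp.example",
     "body": "Lunch at noon?"},
]

CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional separators
# SSN format rules: area not 000/666/9xx, group not 00, serial not 0000
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random 16-digit strings (PO numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four digits so the incident can be discussed safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_message(msg: dict) -> list:
    """Monitor mode: report findings, never block or alter the message."""
    findings = []
    for m in CARD_RE.finditer(msg["body"]):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append({"type": "credit_card", "value": redact(digits)})
    for m in SSN_RE.finditer(msg["body"]):
        findings.append({"type": "ssn", "value": redact(m.group())})
    return findings


def monitor(messages: list) -> list:
    """Build name-free incident records (message id, external flag, redacted hits)."""
    incidents = []
    for msg in messages:
        findings = scan_message(msg)
        if findings:
            external = msg["to"].split("@")[-1] != msg["from"].split("@")[-1]
            incidents.append({"message_id": msg["id"], "external_recipient": external,
                              "findings": findings})
    return incidents
```

Message 2 carries a 16-digit purchase-order number that fails the Luhn check, so it produces no alert; message 1 becomes one incident whose record holds no sender, recipient or full value.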
A truly effective DLP Program can empower the business by delivering capabilities that might previously have been perceived as too risky without the oversight of DLP technology. One example is the security problem caused by the proliferation of USB memory sticks. Initial, heavy-handed security approaches to USB sticks might have been to ban them outright or to disable USB-accessible ports on PCs.
Every organization must establish its own risk tolerances in choosing which controls to implement and how those controls should be implemented. At its best, a mature DLP Program can help the organization understand where its data flows, train employees to better protect sensitive data, and provide reasonable mitigations that allow the business to focus on growth rather than security limitations. The keys to success are for IT and security to work with the business owners to craft workable DLP policies and to establish a mindset of continuous, incremental improvement.