Building an Effective DLP Program
Building an effective Data Loss Prevention Program begins with the realization that DLP is a business utility, not an IT Security tool. To deliver operational value, security leaders need to identify and work closely with business leaders who can assist in formulating a strategic plan for the daily use and continuous maintenance of a DLP Program. Business leaders can be instrumental in defining and supporting the key objectives of the program, reducing the risk of data loss while demonstrating compliance to regulatory and contractual expectations. An effective security leader can add value to the DLP Program by matching the tool and technology capabilities to the needs of the business.
Initially, a DLP Program should begin on a small scale with a clear definition of the specific data types that, if not adequately protected, constitute potential risk to the organization. Although modern DLP tools can support many different categories, a practical approach is to focus on established data types that are less likely to create false positive alerts, such as social security or credit card numbers. In addition, successful DLP implementations will begin in "monitor" mode without proactively blocking either emails or network access. Inevitably, DLP tools reveal that data, rather than staying only within established business processes, tends to go beyond those boundaries. With detailed incident data at hand, security leaders can work with business process owners to understand and remediate the gaps that caused the alert.
The most significant value that a DLP tool brings to an organization is security awareness training. In my experience, DLP-detected incidents are almost always caused by well-meaning individuals who simply did not realize that they were putting corporate data at risk. Using specific DLP-detected events in security awareness training processes can make a powerful impact, as they identify the real-world behaviors that are the root cause of the problem. Of course, incident data must be cleansed of names and data, but the issue can still be discussed. An example would be the employee who forwards sensitive data to his or her personal email account because he or she didn't know about IT's secure web mail access offering.
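The two preceding paragraphs describe three practices: start with well-defined data types that produce few false positives (credit card and social security numbers), run in "monitor" mode before blocking anything, and cleanse incident data of names and values before using it in awareness training. The following is an added example, not code from the article or from any DLP product, showing why those data types are low-noise and how monitor mode and cleansing fit together. The sample message lines are constructed, and the validity rules (a Luhn check for card numbers, a few structural checks for SSNs) are deliberately simplified; a real DLP engine applies many more.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of outbound message lines (hypothetical; not from the article).
SAMPLE_LINES = [
    "From: alice@example.com  To: alice.personal@example.net  body: card 4111 1111 1111 1111 exp 12/27",
    "Ticket 1234567890123456 relates to the quarterly report",  # 16 digits but fails Luhn: not a card
    "Applicant SSN 219-09-9999 for onboarding",
    "Reference 000-12-3456 is a placeholder, not a real SSN",   # area 000 is never issued
    "Meeting moved to 10:30, room 4",
]

# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. Random digit runs fail this 90% of the time,
    which is what keeps card-number rules from firing on ticket or account ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules for SSNs: area 000, 666 and 900-999 are never issued,
    and group 00 / serial 0000 are invalid. (Simplified; an assumption of this example.)"""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Keep only the last four digits so an incident can be discussed without exposing the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Incident:
    line_no: int
    data_type: str
    redacted_match: str
    action: str  # "logged" in monitor mode, "blocked" in block mode


def scan_lines(lines: List[str], mode: str = "monitor") -> List[Incident]:
    """Detect validated card numbers and SSNs. In monitor mode every hit is only
    recorded, which is the recommended starting posture; block mode is opt-in."""
    action = "blocked" if mode == "block" else "logged"
    incidents: List[Incident] = []
    for n, line in enumerate(lines, start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                incidents.append(Incident(n, "credit_card", mask(digits), action))
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                incidents.append(Incident(n, "ssn", mask("".join(m.groups())), action))
    return incidents


def redact_line(line: str) -> str:
    """Training-safe copy of a line: identities (email addresses) and every
    validated sensitive value are masked, while the behavior stays readable."""
    def mask_card(m: "re.Match") -> str:
        digits = re.sub(r"\D", "", m.group())
        return mask(digits) if luhn_valid(digits) else m.group()

    def mask_ssn(m: "re.Match") -> str:
        return mask("".join(m.groups())) if ssn_plausible(*m.groups()) else m.group()

    line = EMAIL_RE.sub("<email>", line)
    line = CARD_RE.sub(mask_card, line)
    return SSN_RE.sub(mask_ssn, line)


if __name__ == "__main__":
    for inc in scan_lines(SAMPLE_LINES):
        print(inc)
    print(redact_line(SAMPLE_LINES[0]))
```

Of the five constructed lines, only two produce incidents: the Luhn check discards the 16-digit ticket number and the structural check discards the placeholder SSN, which is the false-positive behavior that makes these data types a good first target. The redacted line for the personal-email forward is exactly the kind of artifact the paragraph above describes using in awareness training: the behavior is visible, the sender and the card number are not.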
A truly effective DLP Program can empower the business by delivering capabilities that might previously have been perceived as too risky without the oversight of DLP technology. One example is the security problem caused by the proliferation of USB memory sticks. Initial, heavy-handed security approaches to USB sticks might have been to ban them outright or to disable USB-accessible ports on PCs.
Every organization must establish its own risk tolerances in choosing which controls to implement and how those controls should be implemented. At its best, a mature DLP Program can help the organization understand where its data flows, train employees to better protect sensitive data and provide reasonable mitigations that empower businesses to focus on growth and not security limitations. The keys to success are for IT and security to work with the business owners to craft workable DLP policies and to establish a mindset of continuous, incremental improvement.