Data Loss Prevention Best Practices
An FRSecure Self-Help Document of Guidelines and Best Practices
Data Loss Prevention
By taking a phased approach that focuses on preventing the most damaging leaks and establishing better ways for users to exchange information securely, data loss prevention can be effective, practical, and successful.
An effective data loss prevention program should possess the following capabilities:
- Manage: Define data usage policies, establish an incident response capability to enable corrective actions that remediate violations and report data loss incidents. Data loss prevention isn’t just a technology issue—it’s also a policy and policy management issue. Data usage policies should address issues such as how data access is determined and authenticated and how policies are enforced. Management functions should also include data loss reporting capabilities and incident remediation workflow management. Train users on data usage policies.
- Discover: Define the classification of organizational sensitive data based on its sensitivity, criticality, and regulatory requirements, create an inventory of sensitive data based on classification, identify where sensitive data is stored, identify who has access to sensitive data, and manage data cleanup. This includes ensuring sensitive data at rest or stored on endpoints is included in the inventory or is relocated to a location that is managed and controlled.
- Map: Map the flow of sensitive data from external sources as well as internally from system to system and to users. Maintain an inventory of all data egress points (a good starting point is to analyze your network diagram, and to review firewall and router rule sets).
- Monitor: Monitor the use of sensitive data. This could include monitoring data in motion by inspecting network communications in violation of data security policies and monitoring data at the endpoints to see if it’s downloaded to local drives, copied to USB or other removable media devices, burned to CD/DVDs, and printed or faxed electronically.
- Protect: Enforce security policies to proactively secure data and prevent it from leaving the organization. Automatic protection of sensitive data across endpoint, network, and storage systems should include protecting data at rest with automatic encryption, quarantine, and removal. Restrict printing, saving, copying, accessing, moving, and downloading sensitive data to removable media or other drives. Stop data in motion from being sent when it is in violation of security policies or automatically encrypt it for secure exchange.
Focus on Risk
Although a comprehensive program to address all relevant aspects of data loss is the goal, it makes far more tactical and financial sense to begin by protecting the data that represents the most danger to the enterprise. This means first identifying all the potential data loss modes and then prioritizing them based on criteria such as past breaches, communication volume, data volume, the likelihood of a breach, and the number of users with access to those modes. Focusing first on the most significant and highest impact areas makes it easier to justify solutions and get started on plugging the leaks. For example, a Poneman Institute study in 2009 estimated that 88 percent of data leak incidents were the result of user negligence, and just 12 percent were due to malicious intent.
Data loss prevention solutions should not interrupt legitimate business activities. To work effectively, a data loss prevention solution must operate without affecting system performance or preventing workers from doing their job. Solutions that don’t scale can cause performance issues as companies grow. Solutions that aren’t properly tested and tuned can also cause both false positives and false negatives that drain valuable resources.
Data loss prevention solutions are constantly evolving, with no single option providing all the capabilities that most organizations require. Enterprises need to address the data loss problem by creating a flexible and modular architecture that lets them cost-effectively address their most critical protection needs while still being able to add new controls as those needs change.
Waivers from certain policy provisions may be sought following the FRSecure Waiver Process.
Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.
Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.