Data Loss Prevention (DLP) Best Practices
Data Loss Prevention (DLP) Best Practices
Download your free copy now
Data leaks can be debilitating for organizations. In fact, most of our customers tell us that if they were to suddenly lose all of their data, they wouldn’t even be able to keep the business open. That’s why it’s critical every organization has a practical plan for preventing data loss—preventing damaging leaks and establishing acceptable ways for employees, contractors, and vendors to exchange information.
This guide is meant to be a starting point for your business. It paints a picture of what things you need to be thinking about when creating a DLP policy, and allows you to mold and shape policies and procedures from its recommendations.
This document will help you:
- Understand what capabilities a data loss prevention program should contain to start
- Learn where the focus should be in data loss prevention
- Find places where you can get more information
- Shape recommendations into actions and security policies while logging the changes
Data Loss Prevention (DLP)
By taking a phased approach that focuses on preventing the most damaging leaks and establishing better ways for users to exchange sensitive data, data loss prevention can be effective, practical, and successful.
An effective DLP strategy should possess the following capabilities:
- Manage: Define data use policies, establish an incident response capability to enable corrective actions that remediate violations and report data loss incidents. Data loss prevention isn’t just a technology issue—it’s also a policy and policy management issue. Data use policies should address issues such as how data access is determined and authenticated and how policies are enforced. Management functions should also include data loss reporting capabilities and incident remediation workflow management. Train users on data use policies.
- Discover: Define the classification of organizational sensitive data based on its sensitivity, criticality, and regulatory requirements, create an inventory of sensitive data based on classification, identify where sensitive data is stored, identify who has access to sensitive data, and manage data cleanup. This includes ensuring sensitive data at rest or stored on endpoints is included in the inventory or is relocated to a location that is managed and controlled.
- Map: Map the flow of sensitive data from external sources as well as internally from system to system and to users. Maintain an inventory of all data egress points (a good starting point is to analyze your network diagram, and to review firewall and router rule sets).
- Monitor Data: Monitor the use of sensitive information. This could include monitoring data in motion by inspecting network communications in violation of data security policies and monitoring data at the endpoints to see if it’s downloaded to local drives, copied to USB or other removable media devices, burned to CD/DVDs, and printed or faxed electronically.
- Protect: Enforce security policies to proactively secure data and prevent it from leaving the organization. Automatic protection of sensitive data across endpoint, network, and storage systems should include protecting data at rest with automatic encryption, quarantine, and removal. Restrict printing, saving, copying, accessing, moving, and downloading sensitive data to removable media or other drives. Stop data in motion from being sent when it is in violation of security policies or automatically encrypt it for secure exchange.
Focus on Data Risk
Although a comprehensive program to address all relevant aspects of data loss is the goal, it makes far more tactical and financial sense to protect data that represents the most danger to the enterprise immediately. DLP best practices are to first identify and all the potential data loss modes and then prioritize them based on criteria such as past breaches, communication volume, data volume, the likelihood of a breach, and the number of users with access to those modes. Focusing first on the most significant and highest impact areas makes it easier to justify solutions and DLP software and get started on detection response. For example, a Ponemon Institute study estimated that 88 percent of data leak incidents were the result of user negligence or insider threat, and just 12 percent were due to malicious intent.
Implementing DLP systems and practices should not interrupt legitimate business activities. To work effectively, a data loss prevention must operate without affecting system performance or preventing workers from doing their job. Solutions that don’t scale can cause performance issues as companies grow. Solutions that aren’t properly tested and tuned can also cause both false positives and false negatives that drain valuable resources.
Data loss prevention solutions are constantly evolving, with no single option providing all the capabilities that most organizations require. Enterprises need to address the data loss problem by creating a flexible and modular architecture that lets them cost-effectively address their most critical protection needs while still being able to add new controls as those needs change.
Waivers from certain policy provisions may be sought following the FRSecure Waiver Process.
Personnel found to have violated this security policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.
Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.