Data leakage prevention has repeatedly emerged as an information security priority for organizations across the world. Concerns over the need to better control and protect sensitive information have given rise to a new set of solutions called data leak prevention or data loss prevention (DLP) tools. ISACA, the nonprofit association of 95,000 IT professionals, has recently published a white paper that enumerates best practices for DLP implementation.
The white paper notes that DLP is still an adolescent technology that is not yet sufficiently developed to deter more sophisticated methods of data theft. Implementing a DLP solution is a complex undertaking that requires significant preparatory activities, such as policy development and business process analysis, along with detailed inventories and analysis of the types of information used by an enterprise. Let’s look at some key best practices for DLP tool implementation as detailed by the ISACA white paper.
Guideline 1: Data classification should be the keystone of DLP implementation
Enterprises are often unaware of all of the types and locations of information they possess. So prior to purchasing a DLP solution, it’s important to identify and classify sensitive data types and their flow from system to system and to users. Understanding the enterprise’s data life cycle (from point of origin through processing, maintenance, storage and disposal) will help uncover data repositories and transmission paths.
Classifications can include categories such as private customer or employee data, financial data, and intellectual property. Having a good idea of data classifications and location of the primary data stores proves helpful in the DLP solution’s selection and placement.
Additional information should be collected by conducting an inventory of all data egress points. This is because not all business processes are documented and not all data movement is a result of an established process. Analysis of firewall and router rule sets can aid these efforts, notes the DLP implementation white paper.
Guideline 2: Set up policies first
Once information has been located and classified, policies should be created or modified to define specific classifications and the appropriate handling of each category. Business and IT staff should be involved in the initial policy development. The policy should take a risk-based approach. This part of the DLP implementation plan should include the data categories that are targeted, the actions that will be taken (and by whom) to address violations, the escalation processes, and any process required for exception requests. It is important to also ensure that appropriate incident management processes exist and are functional for each of the categories of rules prior to the DLP implementation going live.
Guideline 3: Implementation of DLP
Enterprises should strongly consider implementing DLP in a monitoring-only mode at first. This allows the system to be tuned and its impact on business processes and the organizational culture to be predicted. While leadership may have significant concerns regarding the amount of sensitive data “flying out the door” once the system is activated, initiating actual blocking too soon can cause greater problems by breaking or severely impeding critical business processes.
DLP solutions generally provide a great deal of useful information regarding the location and transmission paths of sensitive information. However, an enterprise can quickly become dismayed at the volume and extent of its sensitive data footprint and loss. This might lead it to rush to address all issues at once as part of DLP implementation, which is a recipe for disaster.
As part of DLP implementation, rules should continue to be reviewed and optimized. Enterprises should ensure that all stakeholders are diligent in reporting any new data formats or data types that may not be represented in the existing DLP rule set.
Guideline 4: Be aware of DLP technology limitations
While DLP solutions can help enterprises gain greater insight into and control of sensitive data, they also have current limitations that are important to understand prior to DLP implementation. For example, DLP solutions can inspect encrypted information only if they can first decrypt it. If users have access to personal encryption packages whose keys are not managed by the enterprise and provided to the DLP solution, the files cannot be analyzed. Another caveat is that DLP solutions cannot intelligently interpret graphics files. Additionally, with the surge in mobile device use, there are invariably communications channels that DLP solutions cannot easily monitor and control.
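The encryption limitation in Guideline 4 can be seen in a small content-inspection rule. The following is an added example, not code from the ISACA white paper or from any DLP product: a payment-card detector that finds the data in plaintext, misses it once a user encrypts it with a key the tool does not hold, and reports such content as "uninspectable" instead of "clean". The function names, the entropy threshold and the stand-in cipher are assumptions made for illustration.

```python
import hashlib, math, re
from collections import Counter

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(rb"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (values near 8.0 look random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inspect(payload: bytes) -> dict:
    hits = 0
    for m in CARD_RE.finditer(payload):
        digits = re.sub(rb"\D", b"", m.group()).decode()
        if luhn_ok(digits):
            hits += 1
    if hits:
        verdict = "sensitive"
    elif len(payload) >= 512 and entropy(payload) > 7.0:
        # Nothing matched, but the content looks encrypted or compressed:
        # report it as not inspected rather than as clean.
        verdict = "uninspectable"
    else:
        verdict = "clean"
    return {"verdict": verdict, "card_hits": hits}

def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream; stand-in for a user's own tool.
    Not real cryptography. Applying it twice with the same key decrypts."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed sample: 4111 1111 1111 1111 is a well-known test card number.
SAMPLE = b"name=Test User;card=4111 1111 1111 1111;note=constructed sample\n" * 20

if __name__ == "__main__":
    key = b"user-held-key"  # constructed; the DLP tool has no copy of it
    sealed = toy_encrypt(SAMPLE, key)
    print(inspect(SAMPLE))                    # plaintext export
    print(inspect(sealed))                    # same data, user-encrypted
    print(inspect(toy_encrypt(sealed, key)))  # key provided to the DLP tool
```

Counting "uninspectable" verdicts during the monitoring-only phase gives a measure of how much traffic the rule set cannot see.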