Data Loss Prevention Operations and its Best Implementation Practices
Data is a vital asset for any organization, and every organization fears losing its critical or confidential data. That fear gave rise to the concept of “Data Loss Prevention”, and numerous DLP products have been designed to detect and prevent data leakage. Such products work by performing operations in a defined manner, as discussed below:
For the security system to work properly, it is vital that the DLP product is properly monitored. For this to happen, the DLP product must be configured with the right policies on the identified sensitive data across three channels:
- Data in motion: at users' workstations
- Data at rest: at servers or databases
- Data in transit: on channels like HTTPS, FTP
DLP operations are, thereafter, categorized into the following three phases:
Monitoring phase
After the policies have been set up in a DLP product, the security team monitors the alerts it issues. The monitoring team triages each event against conditions such as who leaked the data, what type of data was leaked, and where it was leaked. The alert is then declared an incident, and processing of the incident starts with a risk profile. The risk profile is a text record that captures the important incident information and a severity level ranging from low to high. After the risk profile is updated, the incident is assigned to the respective team.
Incident Reporting and Escalation phase
In this phase, the security team checks with the respective team whether the data loss is acceptable. If it is, the incident is declared a false positive and moves to the tuning phase. Otherwise, the security team escalates the incident to the respective team along with the proofs. The security team then closes and archives the incident.
Tuning phase
In this phase, all incidents declared false positives are handled. The security team fine-tunes the policies to correct any changes or wrong configurations, and the incident is then repeated as a check.
In DLP there is no resolution phase, since a reported incident is already a data loss and is therefore escalated for action to be taken.
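As an added illustration, not part of the article or of any DLP product, here is a miniature policy engine in Python that walks through the phases above: monitor for policy hits, triage each alert into a text risk profile with a severity, escalate or declare a false positive, then tune the policy and repeat the check on the same events. The card-number policy, the Luhn validator used for tuning, and the sample events are all constructed assumptions.

```python
import re
from dataclasses import dataclass
# Constructed sample events (who, which channel, what was seen); not real data.
EVENTS = [
    {"user": "alice", "channel": "HTTPS", "body": "card 4111 1111 1111 1111 for order"},
    {"user": "bob", "channel": "FTP", "body": "device serial 1234 5678 9012 3456"},
    {"user": "carol", "channel": "workstation", "body": "quarterly notes, nothing sensitive"},
]
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")  # hypothetical card-number policy

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: tuning hook that drops 16-digit numbers that cannot be cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

@dataclass
class Policy:
    name: str
    pattern: re.Pattern
    severity: str            # low / medium / high, copied into the risk profile
    validate: object = None  # optional tuning hook such as luhn_ok
def monitor(policy: Policy, events: list) -> list:
    """Monitoring phase: one alert per policy match in an event body."""
    alerts = []
    for ev in events:
        for m in policy.pattern.finditer(ev["body"]):
            digits = re.sub(r"\D", "", m.group())
            if policy.validate is None or policy.validate(digits):
                alerts.append({"who": ev["user"], "where": ev["channel"], "what": m.group()})
    return alerts
def risk_profile(alert: dict, policy: Policy) -> str:
    """Triage: text risk profile answering who / where / what, with severity."""
    return f"[{policy.severity.upper()}] {policy.name}: who={alert['who']} where={alert['where']} what={alert['what']}"
def run_cycle(acceptable_users=("bob",)) -> dict:
    """Monitor, triage, escalate or mark false positive, tune, then repeat the check."""
    policy = Policy("card-number", CARD_RE, "high")
    first = monitor(policy, EVENTS)
    profiles = [risk_profile(a, policy) for a in first]
    # Reporting/escalation: the owning team says bob's hit is acceptable (false positive).
    false_pos = [a for a in first if a["who"] in acceptable_users]
    escalated = [a for a in first if a["who"] not in acceptable_users]
    # Tuning phase: tighten the policy with the Luhn check and rerun the same events.
    policy.validate = luhn_ok
    recheck = monitor(policy, EVENTS)
    return {"initial": len(first), "escalated": len(escalated), "false_positives": len(false_pos),
            "after_tuning": len(recheck), "recheck_users": [a["who"] for a in recheck], "profiles": profiles}
```

Running `run_cycle()` shows two initial alerts, one escalated and one false positive, and only alice's genuine card number surviving the re-check once the tuned policy is in place.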
Best Practices For DLP Implementation
Here is a lowdown of the best practices to be adopted for a successful “Data Loss Prevention” deployment:
- Before choosing a DLP vendor, organizations must identify their business needs and the sensitive data whose loss is to be prevented.
- It must also be checked that the shortlisted product is compatible with the formats in which data is stored in the organization.
- After a DLP product and vendor are shortlisted, implementation must start with a minimal base: false positives are handled on that small base first, and coverage of sensitive or critical data is then extended to a larger base.
- The operations team must be in a position to identify false positives reliably.
- Fine tuning of DLP policies is crucial to the successful working of a DLP product and should be done on a regular basis.
- To define the duties around DLP policies, a RACI matrix should be set up.
- Risk profiles must be kept updated, and the various DLP incidents must be documented in detail.
DLP, if implemented with stringent measures, is a boon for any organization in this world of digital data.