Data Loss Prevention (DLP) is the practice of implementing policies and tools to protect business information against data exfiltration, data breaches, and data corruption. A DLP policy defines the process, while a DLP solution implements some or all aspects of that policy.
DLP solutions are generally categorized into three groups, one for each state of data:
- A storage DLP is built for data at rest
- A network DLP is built for data in motion
- An endpoint DLP is built for data in use
There are out-of-the-box DLP solutions that provide a dedicated tool for each of these data states, and there are DLP platforms that cover all three. The most common uses of DLP are protecting data and demonstrating compliance with regulations.
Organizations use DLP to monitor, manage, and analyze data activity, often with an added layer of User and Entity Behavior Analytics (UEBA) that flags users or hosts whose data access deviates from their baseline. You can also use DLP to stop data leaks, to detect the mass data exfiltration that often precedes ransomware extortion, and to protect data against attacks that originate at endpoint devices.
In this article, I'll explain what a DLP policy is, why it matters to a DLP operation, and how you can create your own DLP policy by following the steps below.
What Is a DLP Policy?
A DLP policy is a document that outlines what type of data activity is allowed within the organization. That includes classifying content types, roles, and privileges: first define which content is sensitive, personal, or financial, then define which roles are allowed to access that content, and how and where they are permitted to use it.
Once we have a DLP policy, we can start applying it in the organization. We can also feed the policy to a DLP solution; in that case we also need to define how the solution responds to a policy violation. We create a notification policy that defines who should be notified of an event, what the notification should contain, and which communication channel delivers the alert. Solutions that include remediation document how to express it in their DLP policies, since the available responses depend on the capabilities of the software.
The Importance of A DLP Policy
Due to a significant increase in data breaches, the past decade has seen a number of regulations and standards for the protection of information. Each is enforced by the body that created and maintains it. In some cases, as with the GDPR, that is a government (the European Union); in other cases, as with the PCI DSS, it is an industry council founded by the major card brands.
You should set up your DLP policies for compliance with the regulations that apply to your organization. There are many regulations, and not all of them apply to every company. If you don't store, process, or transmit cardholder data, you won't need to comply with the Payment Card Industry Data Security Standard (PCI DSS).
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to the US healthcare industry and its business associates, and the Family Educational Rights and Privacy Act (FERPA) protects the records of students. The EU General Data Protection Regulation (GDPR) has the widest reach: it applies to any organization, wherever it is based, that processes the personal data of people in the EU.
You should also create DLP policies that clearly identify your trade secrets, proprietary information, business strategies, and digital assets. Loss of intellectual property can lead to financial, reputational, and competitive damage. Keep it secure with a DLP policy: analyze how data is used and accessed, and note any abnormal activity, which could indicate a threat.
To summarize, DLP policies can help you:
- Maintain compliance
- Protect your intellectual property and assets
- Gain visibility into how your data is used
Best Practices for Creating DLP Policies
Stage I—Identify Content, Roles and Privileges
- Classify and prioritize content based on its level of importance. For example, sensitive and financial information is of the highest priority, because losing it results in financial and reputational damage, and often in regulatory penalties. Your website content is important, but if you have a backup system it can be restored quickly without much loss.
- Define an authorization system for roles, following least privilege. Even the CEO should hold only the access the role requires; an executive account that can reach any and all company content is a single high-value target for phishing and credential theft. A new temp needs access only to the data and systems that directly impact their work.
- Identify access points for privileges. For example, a system administrator or a senior executive might need round-the-clock access to all systems, but that access should be limited to managed devices with strong authentication rather than granted from any device and any location. A work-from-home employee could be restricted to two endpoints: a pre-approved smartphone and laptop.
This stage is completely up to you. Try to create DLP policies that are clear, concise, and cover all of your DLP needs. The entire organization, integrated third-party entities, and any solution you introduce into the network should be in line with the DLP policies.
Stage II—Define Event Notifications
- Choose an event responder, to whom DLP notifications will be sent in case of a data event.
- Customize event notifications, so they provide your responders with all the necessary information about the ongoing event.
- Define the medium of communication, which will deliver the event notification to your event responder of choice.
Keep in mind that this stage works differently with different DLP solutions and technologies. The notification configurations available for your Microsoft Exchange server will differ from those available for an endpoint DLP.
Stage III—Outline Remediation Responses
- Assess your response teams, including their availability and skillsets
- Assess your DLP solution, including its automated policy remediation capabilities, if it has any.
- Using the information you collected, define which DLP events should be under the responsibility of your team, and which events should be under the responsibility of the DLP solution of your choice.
- If your DLP solution offers automated, policy-based DLP remediation, create a policy that defines, in detail, how and when the solution should respond, including the type of remediation applied, such as quarantine, blocking, and encryption.
- Set up reports on when and how automated remediation was applied, and review them for false positives: an automated block that fires on a legitimate workflow is a policy defect to fix, not noise to ignore.
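Stages I to III above describe the policy in prose. As an added example (written for this article, not the policy format of any DLP product), here is the same three-stage policy expressed as code that a solution could evaluate, as the "feed the policy to a DLP solution" section earlier describes: content classifiers for Stage I (a Luhn-checked card-number pattern, an SSN pattern, and a confidentiality marker), a rule table of which roles, devices and destinations may handle each label, a responder table for Stage II, and an evaluation step for Stage III that picks the automated remediation and builds the notification. The labels, roles, device classes, destinations, responders, the `[CONFIDENTIAL]` marker and the sample events are all assumptions constructed for the example.

```python
"""DLP policy for Stages I to III as code. Hypothetical format, not any product's own."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# ---- Stage I: classify content ----
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators; Luhn-checked below
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
IP_MARKER = "[CONFIDENTIAL]"                        # assumed document marking applied by authors

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects random digit runs (order or phone numbers) that PAN_RE matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set[str]:
    """Return the sensitivity labels found in a piece of content."""
    labels: set[str] = set()
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN_RE.finditer(text)):
        labels.add("PCI")
    if SSN_RE.search(text):
        labels.add("PII")
    if IP_MARKER in text:
        labels.add("IP")
    return labels

# ---- Stage I: which roles, devices and destinations may handle each label ----
@dataclass(frozen=True)
class Rule:
    label: str
    allowed_roles: frozenset[str]
    allowed_devices: frozenset[str]
    allowed_destinations: frozenset[str]
    severity: int        # higher is worse: decides who is notified and which action wins
    remediation: str     # what the tool does on its own: block, quarantine or encrypt

POLICY = (
    Rule("PCI", frozenset({"finance", "sysadmin"}), frozenset({"managed-laptop"}),
         frozenset({"internal"}), 3, "block"),
    Rule("PII", frozenset({"hr", "finance", "sysadmin"}), frozenset({"managed-laptop", "managed-phone"}),
         frozenset({"internal", "partner"}), 2, "quarantine"),
    Rule("IP", frozenset({"engineering", "sysadmin"}), frozenset({"managed-laptop"}),
         frozenset({"internal"}), 1, "encrypt"),
)

# ---- Stage II: responder and channel per severity ----
RESPONDERS = {3: ("soc-oncall", "pager"), 2: ("soc-oncall", "email"), 1: ("data-owner", "ticket")}

@dataclass(frozen=True)
class Event:
    user: str
    role: str
    device: str
    destination: str     # "internal", "partner" or "external"
    content: str

@dataclass
class Verdict:
    labels: set[str]
    violations: list[str]
    action: str                          # "allow" or the winning rule's remediation
    notification: Optional[dict] = None  # Stage II payload handed to the responder

def evaluate(event: Event, policy=POLICY) -> Verdict:
    """Stage III: apply the rules, pick the automated remediation, build the notification."""
    labels = classify(event.content)
    violated = [r for r in policy if r.label in labels and (
        event.role not in r.allowed_roles
        or event.device not in r.allowed_devices
        or event.destination not in r.allowed_destinations)]
    if not violated:
        return Verdict(labels, [], "allow")
    worst = max(violated, key=lambda r: r.severity)   # most severe rule sets the response
    responder, channel = RESPONDERS[worst.severity]
    notification = {"to": responder, "via": channel, "user": event.user, "role": event.role,
                    "device": event.device, "destination": event.destination,
                    "labels": sorted(r.label for r in violated), "action_taken": worst.remediation}
    return Verdict(labels, [r.label for r in violated], worst.remediation, notification)

if __name__ == "__main__":
    # Constructed sample events; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    for ev in (
        Event("fin01", "finance", "managed-laptop", "internal", "refund to card 4111 1111 1111 1111"),
        Event("tmp01", "contractor", "byod-phone", "external", "ssn 123-45-6789 card 4111-1111-1111-1111"),
        Event("eng02", "engineering", "managed-laptop", "partner", "[CONFIDENTIAL] 2025 roadmap"),
        Event("ops03", "sysadmin", "managed-laptop", "external", "ticket 1234 5678 9012 3456"),
    ):
        v = evaluate(ev)
        print(f"{ev.user}: labels={sorted(v.labels)} action={v.action} notify={v.notification and v.notification['to']}")
```

Two design points carry over to real deployments. The Luhn check is what keeps a card-number pattern from firing on every sixteen-digit order or ticket number, which is the single biggest source of DLP false positives. And the rule table separates the classification ("this is PCI data") from the authorization decision ("finance on a managed laptop may send it internally"), so the same content can be allowed for one role and blocked for another without duplicating the detector; the most severe violated rule decides both the automated action and who is paged.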
It’s a Wrap!
Hopefully, by the end of this article, you’ve learned the fundamental concepts of a DLP policy.
Here is a bulleted summary of the main principles discussed in this article, for your convenience:
- Data Loss Prevention (DLP) is a set of practices and technological tools that protect information.
- A Data Loss Prevention (DLP) policy is a document that outlines the process of protecting information, including which data is more important, what activity is permitted by which user, and from which location.
- A Data Loss Prevention (DLP) solution can automate many DLP tasks through the use of DLP policies. You feed the policy to the system, and the system uses it to monitor and analyze activities that relate to data usage.
- DLP solutions provide different response capabilities for notifications and remediation.
And here’s one last piece of vital information before we part ways—creating DLP policies can be a time-consuming task. If you want to save time, use a DLP policy template. Remember to modify the template so it follows compliance regulations and fits the needs of your digital ecosystem. Best of luck with protecting your information.