Use this 7-step data loss prevention checklist to help plan and tackle your DLP strategy
This data loss prevention checklist is meant to provide a framework for ensuring that your organization’s sensitive data is secured from improper access—both internal and external.
But you may first be wondering: what is data loss prevention? Data loss prevention (or DLP, as it is commonly abbreviated) is simply a strategy and process for ensuring that information stored by your organization is not improperly or unintentionally exposed.
The most important data to secure is that which is regulated by federal, state, and/or local laws. This type of data broadly includes personally identifiable information related to minors, and employee and customer credit and financial information.
Companies will also want to secure proprietary information, such as intellectual property, financial information, growth and strategy plans, etc. to retain competitive advantage.
Many B2B-focused software and SaaS applications on the market provide at least some level of DLP controls natively. But using these provided tools alone creates an incoherent (and risky) data security environment. They also don’t fully protect your organization’s data infrastructure. There are many data loss prevention tools available on the market today that help information security teams manage comprehensive data loss prevention methods across all digital data assets, including hardware, software, the cloud, and everywhere in between.
Step 1. Inventory: Analyze & Categorize
The first step in creating a comprehensive DLP plan is determining where all your organization’s data is located, and how much of it is sensitive information. You’ll also want to analyze your current security posture in each of these locations to determine how data is being managed and protected, and where security gaps may exist.
Common locations for organizational data include:
- On-premise / network storage
- Cloud / SaaS application storage
- Hardware storage, including laptops and desktops, mobile devices, external hard drives, etc.
Once you have a handle on where all your data resides, you’ll want to categorize it. Common data type categories include:
- Personally Identifiable Information (PII)
- Payment Card Information (PCI)
- Customer Information
- Intellectual Property / Proprietary Information
- General Internal-Only Information
- Public Use / Domain Information
As an example, PII includes information such as social security numbers, names, addresses, etc. that can be used to commit identity fraud. On the other end of the spectrum, much of sales and marketing information is created with the intent of being public-facing. This type of information would need less restrictive controls.
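The categorization step can be partly automated with content inspection. The sketch below is an added example, not part of the original checklist: it tags text as PII when it contains a plausible US social security number and as PCI when it contains a card number that passes the Luhn checksum. The file names, sample contents, and the "Unclassified" label are constructed for illustration.

```python
import re

# Candidate patterns: US SSN (ddd-dd-dddd) and 13-19 digit card numbers
# whose digits may be separated by single spaces or hyphens.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def valid_ssn(area, group, serial):
    # Reject ranges never issued: area 000/666/9xx, group 00, serial 0000.
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def luhn_ok(digits):
    # Luhn checksum: double every second digit counting from the right.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def categorize(text):
    """Return the set of sensitive categories found in text."""
    found = set()
    if any(valid_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        found.add("PII")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("PCI")
            break
    return found or {"Unclassified"}

# Constructed sample documents (no real data).
SAMPLES = {
    "hr_note.txt": "Employee SSN on file: 123-45-6789",
    "order.csv": "card=4111 1111 1111 1111;amount=20.00",
    "tracking.txt": "Shipment id 1234 5678 9012 3456 left the depot",
    "brochure.md": "Call us at 555-0100 for a product demo",
}

def inventory(samples):
    return {name: sorted(categorize(body)) for name, body in samples.items()}

if __name__ == "__main__":
    for name, cats in inventory(SAMPLES).items():
        print(name, cats)
```

The tracking number shows why the checksum matters: it has the shape of a card number but fails Luhn, so it is not flagged as PCI.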
Step 2. Regulatory Compliance Establishes DLP Baseline
The level of regulatory compliance that your DLP plan will have to adhere to depends on the nature of your organization. Healthcare companies, for example, need to comply with HIPAA regulations. Companies that process credit cards are required to comply with PCI-DSS. Organizations that work with children, such as K-12 schools and districts, need to comply with regulations like FERPA and COPPA.
Compliance also depends on where you are located, as state and local regulations may add a layer of requirements to your compliance DLP planning.
Regulatory compliance should be just the baseline of your data loss prevention structure, because regulations don’t cover the more nuanced data protection needs of your organization, such as intellectual property, growth strategy, and other assets that represent competitive advantage.
Step 3. Business Information Data Loss Prevention
After you’ve laid the DLP groundwork to ensure you’re compliant with legal regulations, it’s time to take a look at your business data. Business information that you need to secure from improper use might include:
- Strategic planning and competitive research and positioning
- Financial reports and information
- Intellectual property and proprietary information, processes, etc.
- Additional prospect, customer, and employee information that may not be covered by data protection regulations
Step 4. Internal Processes & Vendor Selection
Now that you have a handle on what the entirety of your information inventory looks like, what your regulatory compliance obligations are, and what information you need to secure for business reasons, it’s time to put processes in place to manage it all.
People tend to think about DLP policies in terms of setting them up in their data loss prevention software. But we’re not quite there yet. Here we’re thinking in terms of a company policy that directs the human behavior element of data loss prevention.
Which uses of each information category are acceptable, and which are not allowed? Some examples might include:
- Detailed company funding information can only be accessed by the executive team, and cannot be shared outside the organization
- Proprietary product code cannot be accessed outside of the “tier 1” engineering team
- Any files and folders labeled “Confidential” cannot be shared outside of the organization
- SaaS applications must be sanctioned by the information security department prior to use
Your DLP policy planning should also include security requirements for vendors, supply chain, and/or partners. This is an often overlooked area of a DLP strategy, but there are plenty of examples of malicious attacks in one area impacting client or partner organizations throughout the supply chain. To use the cliche, your data loss security strategy is only as strong as the weakest link. The many operational benefits of an interconnected vendor system also expose unique cybersecurity challenges that must be addressed in any solid DLP plan.
Documenting these policies prior to going into your software helps in three ways. First, it helps you and/or your planning team organize your policy plan in a structured way. Second, it provides a formal document that can be incorporated into the employee handbook and shared with employees for training purposes. And third, it helps the software implementation team efficiently and coherently set up each of these policies in the DLP software.
Step 5. Building Automated DLP Rules & Policies
OK, so now comes the fun part! Now that you’ve categorized your data and you have processes and policies in place, you’ll want to get as much DLP policy management automated as possible. This means using a DLP platform to set up rules and policies that govern everyday use and behavior in your organization.
There are many, many data loss prevention software and solution providers available on the market. The best one for your organization is highly dependent on your specific IT infrastructure and unique needs.
But the basics are about the same. Any good DLP platform will allow you to set up rules that define how a specific type of file, folder, or software can’t be used. Then, there are policies to put in place that tell the platform what to do if that rule is broken. Policies can do things like send notifications and alerts, revoke sharing, quarantine, delete, suspend a user account, unsanction an application, etc.
Most experts agree that it’s best to start with a light touch here, and then incrementally restrict over time. This approach, of course, also depends on the nature of your business and how strictly regulated your industry is. If you are operating in a highly regulated industry, such as healthcare, you’ll likely want to approach it from the other direction by being as restrictive as possible, and slowly opening access if needed.
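The rule-plus-policy model described above, as an added example that is not taken from any DLP product: each rule is a condition on a sharing event, and each has a light-touch and a restrictive set of policy actions. The event fields, rule names, domain, and sanctioned-app list are hypothetical; the action names mirror the policy actions listed in this step.

```python
from dataclasses import dataclass

ORG_DOMAIN = "example.com"            # assumed organization domain
SANCTIONED_APPS = {"drive", "mail"}   # assumed list approved by infosec

@dataclass
class Event:
    user: str
    app: str
    label: str           # file label, e.g. "Confidential" or "Public"
    shared_with: tuple   # recipient e-mail addresses

def external(event):
    # A recipient is external unless its domain equals ORG_DOMAIN exactly.
    return [r for r in event.shared_with
            if r.rpartition("@")[2].lower() != ORG_DOMAIN]

# Each rule: (name, condition, light-touch actions, restrictive actions).
RULES = [
    ("confidential-external-share",
     lambda e: e.label == "Confidential" and bool(external(e)),
     ["notify_user", "alert_admin"],
     ["revoke_sharing", "notify_user", "alert_admin"]),
    ("unsanctioned-app",
     lambda e: e.app not in SANCTIONED_APPS,
     ["alert_admin"],
     ["unsanction_app", "alert_admin"]),
]

def evaluate(event, mode="light"):
    """Return [(rule_name, actions)] for every rule the event breaks."""
    hits = []
    for name, broken, light, strict in RULES:
        if broken(event):
            hits.append((name, light if mode == "light" else strict))
    return hits

# Constructed sample events.
LEAK = Event("ana@example.com", "drive", "Confidential", ("bob@partner.test",))
INTERNAL = Event("ana@example.com", "drive", "Confidential", ("cy@example.com",))
SHADOW_IT = Event("ana@example.com", "filedrop", "Public", ("bob@partner.test",))

if __name__ == "__main__":
    for ev in (LEAK, INTERNAL, SHADOW_IT):
        print(ev.app, ev.label, evaluate(ev, "light"), evaluate(ev, "strict"))
```

Switching `mode` from "light" to "strict" is the incremental tightening described above: the same rules fire, but the policy response moves from notification to enforcement.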
Step 6. Educating The Team
Studies show that educating employees on the importance of data loss prevention and company policies surrounding the matter significantly improves an organization’s security stance. They also show that continual reinforcement, rather than a one-time training event, is the most effective way to improve the inherent human element behind data loss.
This is an area where documented data loss prevention policies and processes (created in step four) are helpful. They provide everyone with the information they need to understand their personal responsibilities when it comes to company data security. They also outline what is acceptable behavior and what is not.
Your DLP platform can be helpful as well. Most solutions provide the functionality to send the offending employee a notification email when they have done something that violates a DLP rule. Setting up these types of emails helps automate continual reinforcement of company data security policies and is beneficial to employees as well.
Step 7. Monitor & Strengthen
Data loss prevention should not be treated as a “set it and forget it” project. Particularly for the first several months to a year after the first implementation, you should closely monitor the efficacy of your processes and automations to ensure they’re working as expected, and to identify gaps.
Your DLP platform will be key in this area. Investing in a platform that monitors your environment 24/7 means that you and your team can focus on other projects or tasks while the technology does the redundant work. Set up automated audit and risk reports, so that you gain quick and easy visibility into your data loss risks and can adjust as required.
Using This Data Loss Prevention Checklist
The specifics of how to prevent data loss in your organization depend on a variety of factors, including the type of hardware and software you use, and the level of data complexity in your organization. Therefore, it’s impossible to create a data loss prevention checklist that will apply to every organization. But hopefully this checklist gives you a solid framework for planning and tackling your data loss prevention strategy.
It’s important to note that if your team uses cloud applications, such as G Suite, Office 365, Slack, Dropbox, etc., and you’re relying on firewalls to protect your data from loss, chances are high that your data is exposed. As discussed in step one, there are many locations where data may be located, and each of these locations represents a potential for loss. Many information security professionals don’t fully realize the unique challenges of securing data in the cloud as compared to other locations, such as in on-premise servers and employees’ desktops.
The unique challenges of securing your organization’s sensitive information in the cloud are important, but not insurmountable!