There’s an old saying: “A chain is only as strong as its weakest link.” When you’re talking about your school district’s cloud security, that adage takes on a whole new meaning.
A DLP policy is to your cloud environment what a link is to a chain. And most school districts? Their links are among the weakest. In fact, according to EdWeek Research Center, fewer than one in three districts are taking adequate measures to protect their cloud applications.
This is a startling vulnerability that could jeopardize the safety of your sensitive data and make a mess of your Google and Microsoft domains. Luckily, there’s an easy place to start: your DLP policies – that is, if you have any.
In the spirit of spring cleaning, we’ll guide you through the basics of DLP policies, how they work, and how you can use them to deep clean your school district’s policies in Google and/or Microsoft 365.
What is a DLP policy?
Hold onto your brooms and put away your dust pans – you’re not ready to sweep away your worries quite yet. Before you can create a DLP policy, you need to know what they are and how you can benefit. Let’s break it down.
A data loss prevention policy is the basic building block of any effective data loss prevention (DLP) software. You can think of data loss prevention as the process of detecting and preventing a data breach, data leak, or unwanted loss of sensitive information. This could include personally identifiable information, financial information, medical histories, or even academic records.
Simply put, DLP is all about keeping confidential data confidential.
By extension, a policy is easiest to understand as a DLP rule. These rules dictate how your students and staff members can and should be accessing, sharing, and using data in your cloud environment. Given that over 90% of districts are now operating in the cloud, this is a must-have solution for keeping tabs on your data that is stored, accessed, and shared in Google Workspace and/or Microsoft 365.
Still wrapping your mind around DLP policy? Take the case of the Bremerton School District in Washington. Systems Administrator Justin Feltus said in a recent webinar that DLP policies help him identify unseen risks, like unsanctioned apps, in Google Workspace:
“You have millions of files flying around in the cloud, there is no way you can keep track of everything that’s going on and focus on the really critical incidents on your own,” Justin said. “We can see where the risks are and then start training users on why they shouldn’t be doing what they’re doing. Then, you can start putting policies around things — issues that you didn’t even know existed before — and start automating some of that remediation.”
How do DLP policies work?
DLP policies are the backbone of data protection – without them, a DLP tool wouldn’t work. Even when data is at rest, your policies are always on, lifting much of the weight off your technology team’s shoulders.
What does that process look like? Here’s the lifecycle of a DLP rule from start to finish:
- Policy creation: Any worthwhile DLP tool will allow you to create policies based on the criteria most relevant to your district. It’s a good idea to define some policies relevant to your district with key stakeholders before going straight to the technology. For example, work with your business manager to determine what kinds of payment information activities are acceptable, and by whom.
- Scanning: Your DLP solution will automatically scan your cloud domain for rule violations.
- Incident occurs: Violations take many shapes and forms, ranging from unauthorized app installation to improper external sharing. A student might accidentally leak sensitive data from their Google Drive, or a staff member may inadvertently attach a file to an external email.
- Identification: In any case, DLP policies automatically recognize the infraction and mitigate the risk through a set of predetermined actions. This could include suspending the user, quarantining the content, or breaking the file share.
- Reporting: The solution generates a DLP report of the incident and sends it to your chosen staff member or IT team for investigation.
Generally speaking, policy enforcement is as easy as these five basic steps. At least, it is when you’re using the right DLP software. The best solutions will take policy enforcement to another level with a few advanced capabilities:
- Content and image analysis: Artificial intelligence (AI) scans even image files for sensitive content, such as social security numbers or other personally identifiable information.
- Digital fingerprinting: AI identifies the word pattern of a file and creates a fingerprint based on that pattern. This allows your DLP to determine if a user is sharing an outbound file that contains the same fingerprint – a sign of potential data leakage.
- Keyword/Regex detection: Regex – regular expression – allows you to enter a string of text that defines a search pattern. In turn, you can scan for keywords, phrases, or number patterns that might reflect sensitive information.
“We had staff and teachers that were doing things like sending their social security numbers and district credit card numbers via email without any encryption or anything. That was what sold it to my business manager here. When she saw how often credit card information was being emailed by staff members, she was all-in.”
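As an added example (not ManagedMethods’ product code), here is a toy version of the scan → identify → act → report lifecycle in Python: regex detectors for the card numbers and social security numbers mentioned above, a Luhn checksum so random 16-digit strings are not flagged, a hypothetical rule set with predetermined remediation actions, and a scan over constructed sample files that produces the incident report. The file fields, rule names, addresses and actions are assumptions for illustration.

```python
import re

def luhn_ok(number: str) -> bool:
    """Luhn checksum used by payment cards; rejects random 16-digit strings (false positives)."""
    digits = [int(d) for d in re.sub(r"\D", "", number)][::-1]
    return sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
               for i, d in enumerate(digits)) % 10 == 0

# Detectors: a regex plus an optional validator that trims false positives.
DETECTORS = {
    "credit_card": (re.compile(r"\b(?:\d[ -]?){15}\d\b"), luhn_ok),
    "ssn": (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b"), None),
}

# Hypothetical rule set: detector, whether only external shares count, remediation to fire.
POLICIES = [
    {"name": "Card numbers must not leave the domain", "detector": "credit_card",
     "external_only": True, "action": "break_share"},
    {"name": "SSNs must not be stored in Drive", "detector": "ssn",
     "external_only": False, "action": "quarantine"},
]

def find_matches(detector: str, text: str) -> list[str]:
    """Run one detector over text, keeping only matches that pass its validator."""
    pattern, validate = DETECTORS[detector]
    return [m.group() for m in pattern.finditer(text) if validate is None or validate(m.group())]

def scan(files: list[dict], policies: list[dict] = POLICIES) -> list[dict]:
    """Scan -> identify -> act: one incident per (file, policy) violation for the report."""
    incidents = []
    for f in files:
        for p in policies:
            if p["external_only"] and not f["shared_externally"]:
                continue  # internal-only file; this rule does not apply
            hits = find_matches(p["detector"], f["text"])
            if hits:
                incidents.append({"file": f["name"], "owner": f["owner"], "policy": p["name"],
                                  "action": p["action"], "matches": len(hits)})
    return incidents

# Constructed sample files standing in for Drive/OneDrive content. The card number is a
# Luhn-valid number made up for this example, not a real account; the SSN is made up too.
SAMPLE_FILES = [
    {"name": "budget_notes.docx", "owner": "business@district.example", "shared_externally": True,
     "text": "Vendor card on file: 4539 1488 0343 6467, exp 04/27."},
    {"name": "shipping.txt", "owner": "it@district.example", "shared_externally": True,
     "text": "Tracking number 1234 5678 9012 3456 for the Chromebook order."},
    {"name": "hr_form.pdf", "owner": "teacher@district.example", "shared_externally": False,
     "text": "SSN 123-45-6789 for payroll setup."},
]
```

Running `scan(SAMPLE_FILES)` yields two incidents: the externally shared card number gets `break_share`, the SSN in the internal HR form gets `quarantine`, and the tracking number is ignored because it fails the Luhn check.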
How to create an effective DLP policy
Remember: Your data security is only as strong as your weakest policy. One bad rule could make or break your entire information protection strategy – that’s why creating effective policies is the most important part of the process.
When designing your policies, you need to take a lot of factors into account. Here are a few basic parameters to consider:
- Data that needs to be classified: It’s vital that you think about the many different types of data you’re storing in your cloud environment. Classifying that data by sensitive information type – i.e., how closely each type should be protected – allows you to fine-tune your policy enforcement.
- Where sensitive data is stored: Whether it be in cloud storage, email, messaging apps or on student devices, there’s no shortage of places to find sensitive content. Knowing where your data is will help you form a policy around protecting it in those locations.
- Access controls: Determine who should be able to access certain types of sensitive information and who should be disallowed. The permissions of your business department will be different from a teacher’s, and far different from a student’s.
- Actions to be taken: Based on the sensitivity of the data or type of user, decide how the DLP tool will enforce the policy once a violation occurs.
DLP policy best practices
Before you start writing policies, you’ll need to become familiar with a few best practices. Here are a few ways to make the most of your data protection efforts inside your school district:
Consider your legal ramifications
Believe it or not, your Google/Microsoft domains are online and are therefore regulated by the Children’s Information Protection Act (CIPA). That means you’re expected to keep a close eye on the type of content your students are accessing through school-provided cloud services. If you’re not careful, you could risk becoming CIPA noncompliant.
Allocate clearly defined roles and responsibilities
Specify the responsibilities of all parties involved in monitoring your cloud environment. This will ensure all of your cloud security resources are being used to their full potential and that nothing slips through the cracks.
Automate as much as possible
There’s only so much you can do with manual labor alone. DLP solutions can automate policy enforcement and remediation even when your team is off the clock. By automating tasks, you can rest easier knowing your cloud is protected against risk.
Start simple and adjust rules over time
Here’s a policy tip: Don’t worry about starting from scratch. The best DLP tools will come with an out-of-the-box DLP policy template. You can use this to hit the ground running and tailor the policy template to your requirements as time moves on.
Simply put, protecting data is hard but doing it on your own is even harder. At ManagedMethods, our easy-to-use cloud security platform elevates your security team and takes data loss prevention to another level.