A 7 Step Framework for Developing and Deploying DLP Strategy

1. The CISO’s Guide to Data Loss
Prevention
A 7 Step Framework for Developing and Deploying DLP Strategy

2. Welcome to The CISO’s Guide to Data Loss
Prevention – the definitive guide to developing and
deploying data loss prevention strategy.
2

3. Background
 Data Loss Prevention (DLP) has always been a concern for
businesses
 In earlier days, the focus was on protecting physical documents
from loss or theft
 The proliferation of data and digital communication
channels has made the criminal’s job easier
 A DLP program can be a manageable, progressive
process if organizations follow a phased approach

4. In the words of Gartner Research VP Anton Chuvakin:
4
“Deployment of a DLP tool should go from one
tactical success to another (a "quick-wins"
approach) to avoid outright failure due to
complexity and organizational politics.”

5. A 7 Step Framework for Developing and Deploying Data
Loss Prevention Strategy
There are a number of fundamental activities that must occur
when initiating a data loss prevention program. This framework
provides general guidelines that your DLP strategy should follow.
These requirements can also be used to help choose the right
DLP solution for your organization.
5

6. 1. Prioritize Data
 Determine which data would cause the biggest problem
if stolen.
 Data loss prevention should start with the most valuable
or sensitive data that is most likely to be targeted by
attackers.
 Manufacturing companies might choose to prioritize
intellectual property such as design documents in their
DLP efforts.
 Retailers and financial service companies should
obviously rank PCI data highly.

7. 2. Categorize (classify) the data
 A simple, scalable approach is to classify by context.
 Applying persistent classification tags to the data allows
organizations to track its use.
 Content inspection, which examines data to identify regular
expressions representative of social security and credit card
numbers or keywords, is also useful and often comes with pre-
configured rules for PCI, PII and other standards.
7

8. 3. Understand when data is at risk
 Network-based security controls may provide protection when data is at
rest, inside the firewall.
 However, for data distributed to user devices, or shared with partners,
customers and the supply chain, different risks are present.
• In these cases, data is often at highest risk on endpoints or at the moment it is
put into motion.
• Examples include attaching data to an email or moving it to a removable storage
device.
 A robust data loss prevention program must account for the mobility of
data and all moments when data is put at risk.
8

9. 4. Monitor all data movement
 Understanding how data is used and identifying
existing behavior that puts data at risk are critically
important.
 Without this knowledge, organizations cannot
develop appropriate policies that mitigate risk of
data loss while allowing appropriate data use.
 Not all data movement represents data loss –
organizations should monitor all data movement to
gain visibility into what’s happening to their
sensitive data and determine the scope of their
risks.
9

10. 5. Communicate and develop controls
10
 Monitoring will provide insights into how data is put at
risk.
 Work with business line managers to understand why
this is happening and create controls for reducing data
risk.
 Target the most common risky behaviors while
generating support from line managers.
 Develop more granular, fine-tuned controls to mitigate
specific risks as the data loss prevention program
matures.

11. 6. Train employees and provide continuous guidance
11
 User training can often mitigate the risk of accidental data loss
by insiders.
 Employees often don’t recognize that their actions can result in
data loss, and will self-correct when educated.
 Prompting employees of data use that may violate company
policy or simply increase risk.
 Advanced DLP solutions offer user prompting to inform
employees of data use that may violate company policy or simply
increase risk (in addition to controls to outright block risky data
activity).

12. 7. Roll Out
12
 Some organizations will repeat these steps with an expanded data
set or extend data identification and classification to enable
more fine-tuned data controls.
 By starting with a focused effort to secure a subset of your most
critical data, DLP is simpler to implement and manage.
 A successful pilot will also provide lessons for expanding the
program.
 Over time, a larger percentage of your sensitive information will
be included, with minimal disruption to business processes.

13. Additional DLP Resources
13
Is your DLP program up to snuff? Use our Data Protection Vendor
Evaluation Toolkit to find out:
Get the Data Protection Vendor Evaluation Toolkit
For more on data loss prevention and the fundamentals of data
security, check out our Data Protection 101 Series:
Data Protection 101