Monday, November 14, 2016

Successfully implement DLP

Define focus area
First and the most important step is to define your focus area. Depending on the size of the organization, DLP implementations could take up to six months to one year easily. You can't start deploying DLP in the whole organization at once. The approach should be to start with limited scope and then gradually expand to the whole organization. 
Examples of focus are monitoring and protecting email communication between company's executives and board members or it could also be a certain department such as HR or Finance. After selecting your focus area held meetings with the team members of your focus area and gather information such as what types of important information (from their point of view) they hold and where it resides. Also what keywords are generally used in their documents. Keywords are important as they will be used in the later stage to TAG the documents. 

Perform risk assessment 
Risk assessment at this point will provide deeper understanding of the risks, costs, and potential sources of data loss. The more you know about the sources of data loss more accurately you would be able to translate this information into rules.

Classify your data
If you haven't already defined data classifications for your organization, following classification scheme can be used as it is or with some modifications according to your environment.
  • Protected: Information is not shared with anyone.
  • Restricted: Information is shared only with selected members of the organization.
  • Confidential: Information is shared between selected departments or partners.
  • Internal: Information can be shared within the whole organzation and to partners.
  • Public: Information can be shared with anyone.
Identify information flows
Once you have defined a classification scheme for your organization, the next step is to identify information flows. You need to know the source and destination of the information you want to protect when it is shared within the organization or to external partners or customers. At this point basically you are identifying the normal flow of the information. For example the payroll information should only be shared among selected members of the payroll department. This information should not be shared with any one else in the organization or outside it. Another example could be that financial audit reports should only be shared between members of the finance department and audit department or external auditor.

Tag/Label documents
After identifying the information flows, all documents should be labeled according to the classification scheme. This is the core on which your DLP rules work. There are two methods you can adopt in your organization as a combination or standalone. First one is to manually add tags in your documents. For example you can write protected, confidential, or internal keywords in the document headers or for Microsoft documents you can add the tag value in document properties. This approach is very accurate however the difficult part is that you have to enforce this practice in your organization, educate your users, and make sure every one follows this practice by conducting audits.
The second approach is based on keywords. In step one of the implementation plan, I mentioned that after defining your focus area you should held meetings with the team members and collect different keywords normally used in their. You can then use these keywords to the discover documents on the user machine and tag them accordingly. Normally all host DLP's have a discovery feature that you can use to discover and tag documents.

Define Policies
Clearly write all set of protection policies. This might be a legal or compliance requirement but more importantly clearly written policies will help your IT team to translate them into DLP rules easily and effectively.

Implement policies in DLP
In this step translate all protection policies into DLP rules. At first your rules should not block any communication rather they should be configured only to monitor the events. Based on these events you can fine tune your rules and then once you are sure that it will not interrupt the normal information flows you  can set your rules to block any activity that should not be allowed.


No comments:

Post a Comment