Establishing a Data Loss Prevention Policy Within Your Organization
Learn how to develop a data loss prevention strategy - including best practices and policies - in this week's Data Protection 101, our series on the fundamentals of information security.
A data loss prevention policy defines how organizations can share and protect data. It guides how data can be used in decision making without it being exposed to anyone who should not have access to it.
Data loss prevention is broadly defined as technology or processes that:
- Identify confidential data
- Track data usage
- Prevent unauthorized access to data
Data loss prevention tools include software products that can classify and protect data. The data loss prevention policy guides how those tools work.
Why You Need a Data Loss Prevention Policy
Much of data security involves preventing malicious attacks on an organization’s networks. Employees have more ways to access and share organizational data than in the past due to the distributed nature of modern computing. This makes accidental data loss a serious problem.
Data storage is available in the cloud and remote locations. As the number of employees working from remote locations continues to increase, so too does the frequency of access to sensitive data from laptops and mobile devices that may be vulnerable.
Data collection and use are coming under increased regulatory scrutiny. There are three main reasons for establishing a data loss prevention policy:
- Compliance: Governments have various levels of regulation of how organizations collect and secure personally identifiable information. A data loss prevention policy is an important part of complying with data regulation and reporting information in compliance audits.
- Intellectual property: Proprietary information and trade secrets are the types of information that need to be protected from unauthorized access.
- Data visibility: Organizations can gain valuable insights by monitoring how stakeholders access and interact with data.
Best Practices for Establishing a Data Loss Prevention Policy
A data loss prevention policy can help organizations prevent unauthorized data access and protect themselves from the potential damage. While no protection will be bulletproof, there are best practices that can help establish a successful data protection policy:
- Identify the data that the policy is primarily meant to protect. Most often data is classified according to its vulnerability and risk factors. Taking the time to understand data and classify it can lead to greater organizational insights.
- Establish criteria for evaluating data loss prevention vendors. Choosing data loss prevention solutions can be daunting. But creating an evaluation framework with the right questions can help lead to an educated purchasing decision.
- Clearly define the roles of people who will be involved with data loss prevention. This is not just about who will monitor data usage and make the rules. Segregating responsibilities helps prevent misuse.
- Keep it simple at first. Choose a specific type of data or risk to address. The goal is to secure the most critical data and get a measurable win early, then build upon that.
- Get buy-in from organization leadership. Each department or unit head has a role in shaping a data loss prevention policy that aligns with corporate culture. This is a strategy that affects all departments and functions.
- Educate everyone in the organization about how and why the data loss prevention policy is in place. Many executives see employees as the weakest link in data loss prevention yet do not see security education as a priority.
- Document the data loss prevention processes carefully. A written policy should focus on the data being protected.
- Set and share metrics for success. Data loss prevention metrics will determine the return on investment of policies and solutions. They can also help determine efficiency.
- Anticipate workarounds to limits. If email rules prevent large files from being attached, will employees find other ways to transfer files? Examine workflows to make sure data loss prevention policies do not get in the way of employees legitimately doing their jobs.
- Assess how much data is needed. Determine what kind of data is needed and why. Do not save unnecessary data. Nonexistent data cannot be lost.
- Monitor data usage before blocking it. Set up data loss prevention tools to report sensitive data loss first. Make sure any rules that block data transfer will not disrupt workflow.
Using Data Loss Prevention Policy Templates
Data loss prevention products often include policy templates. These are preset rules that can guide the software on how to identify vulnerable data, and there is usually some level of customization available. Some policy templates are designed for specific regulatory environments. Templates are extremely helpful for setting up data loss prevention software.
But implementing policy templates is not a substitute for establishing a data loss prevention policy. Organizations need to understand what data is being collected and stored. The best data loss prevention policies are crafted based on an organization’s unique security environment and then communicated to all employees.
Common Inclusions in Data Loss Prevention Policies
There are a number of data privacy laws already in effect, not to mention the host of pending legal requirements and potential laws being penned across the globe. A typical DLP policy contains three elements:
- Location: Where the policy will be enforced
  Example: A DLP policy is set up to detect information protected by GDPR. The location would be wherever personal information is stored.
- Condition: Essentially, the parameters the policy searches for to prevent data loss
  Conditions can include:
  - Data not being used the way it was agreed upon by the user
  - Older data that needs to be deleted to remain in compliance
  - Personal data being stored in a different, unsecured location
- Action: If a situation meets the set conditions, an action is taken to prevent loss
  Actions correspond to the condition. For instance, data could be deleted if it is found to violate GDPR regulations, or personal data could be blocked when it is found stored in an unverified environment.
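The following added example (not from the original article or any DLP product) sketches how the location, condition, and action elements fit together, including the monitor-before-blocking practice described earlier. The class names, paths, retention period, and the e-mail regex used as a stand-in for personal data are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date

# Assumption: an e-mail address stands in for "personal data" in this sketch.
PERSONAL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

@dataclass
class Record:
    path: str
    text: str
    created: date

@dataclass
class Policy:
    locations: tuple        # Location: path prefixes where the policy is enforced
    approved: tuple         # prefixes approved for storing personal data
    retention_days: int     # maximum age before personal data must be deleted
    enforce: bool = False   # False = monitor only: report, never block or delete

def evaluate(policy, rec, today):
    """Return a list of (condition, action) findings for one record."""
    if not rec.path.startswith(policy.locations):
        return []           # record is outside the policy's location
    if not PERSONAL.search(rec.text):
        return []           # no personal data, so no condition applies
    findings = []
    # Condition: older data that needs to be deleted to remain in compliance
    if (today - rec.created).days > policy.retention_days:
        findings.append(("retention_exceeded", "delete"))
    # Condition: personal data stored in a different, unapproved location
    if not rec.path.startswith(policy.approved):
        findings.append(("unapproved_location", "block"))
    # Monitor mode downgrades every action to a report so workflows are not disrupted
    if not policy.enforce:
        findings = [(cond, "report") for cond, _ in findings]
    return findings

# Constructed sample records, for illustration only
SAMPLES = [
    Record("/shares/hr/old.csv", "contact: alice@example.com", date(2020, 1, 1)),
    Record("/shares/public/export.txt", "bob@example.com", date(2024, 5, 1)),
    Record("/shares/public/readme.txt", "no personal data here", date(2019, 1, 1)),
]

def scan(enforce, today=date(2024, 6, 1)):
    policy = Policy(("/shares/",), ("/shares/hr/",), 730, enforce)
    return {r.path: evaluate(policy, r, today) for r in SAMPLES}

if __name__ == "__main__":
    for mode in (False, True):
        print("enforce" if mode else "monitor", scan(mode))
```

Running the scan in monitor mode first shows which records would be deleted or blocked before any rule is switched to enforcement.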