Nageswaran Kumaresan, CISA, CRISC
Recent high-profile data leakages, compliance breaches and court battles to protect intellectual property show the challenges corporate management faces when it comes to preventing information losses and leakages. Data loss or breaches occur accidentally (e.g., sending an email with confidential data to the wrong person), unknowingly (e.g., storing sensitive personal data without encryption) or intentionally (e.g., deliberately leaking information for personal gain). A typical corporate dilemma is the struggle between maintaining an open, innovative environment by sharing more data while simultaneously preventing data loss or leakage. Though traditional layered security provided protection, especially from external threats, content-centric data loss prevention (DLP) technologies create another security layer, primarily focusing on protecting corporate data.
The implementation of DLP solutions should be approached holistically, and the success of DLP technologies depends on adequate planning, effective operation processes and monitoring mechanisms, and overall governance structure. DLP technology has the capability to enforce restrictions on data access, change and transfer. It provides powerful capabilities to monitor or track all forms of data within, into and out of the corporate network. A poorly designed system, ineffective operational policies and improper processes can negatively affect the business and the innovative environment.
Understanding the organization-specific risk and how a solution such as DLP can help mitigate it should be considered during the planning phase. As DLP handles sensitive corporate and personal data, the involvement of appropriate business, IT, compliance and human resources personnel is paramount for implementation success. A phased implementation and thorough testing on small target groups can provide learning opportunities and help to reduce false-positive triggers. Defining the right policies and enforcing an effective reviewing and reporting mechanism are also critical success factors. DLP should be considered part of a broader security landscape, and corporate policies and procedures should be progressively aligned to shape the corporate data handling culture and realize the greater benefit.
Read Nageswaran Kumaresan’s recent Journal article:
“Key Considerations in Protecting Sensitive Data Leakage Using Data Loss Prevention Tools,” ISACA Journal, volume 1, 2014.