Top learnings from evaluating and implementing a DLP Solution



Presented by Vipin Kumar, Group CIO, Escorts Ltd, at CISO Platform Annual Summit, 2013.


Slide 1: Escorts IT – DLP Project Review, Executive Summary

Slide 2: Escorts – Brief Background
  • A premier Indian engineering company, more than 65 years old.
  • Escorts has four major divisions plus a Corporate Office:
      • Escorts Agri Machinery
      • Escorts Construction Equipment
      • Escorts Railway Products
      • Escorts Automotive Products
  • Major products:
      • Tractors, implements, gensets
      • Cranes, compactors, backhoe loaders
      • Shockers (shock absorbers), brakes, auto components
      • Railway components such as couplers and shockers
  • Combined turnover of around Rs. 5000 crores.

Slide 3: Data Loss Prevention – Three Key Organizational Challenges
  • Where is my confidential data stored? (Data at Rest)
  • Where is my confidential data going? (Data in Motion)
  • How do I fix my data loss problems? (Data Policy Enforcement)

Slide 4: DLP – Key Expectations
  • Address the challenges of securing data in use, data in motion and data at rest.
  • Protect proprietary and sensitive information against threats created by increased employee mobility and new communication channels.
  • Proactively prevent misuse of data at endpoints (laptops and desktops) for unauthorized circulation, both on and off the Escorts network.
  • Control e-mail access from devices that have no DLP endpoint agent and sit outside the Escorts network.
  • Protect data at the cloud-hosted e-mail gateway.

Slide 5: Data Loss Prevention – Why It Is a Priority
  • Compliance
  • A secure working environment
  • Protection of IPR and critical information
  • Brand and reputation protection
  • Remediation cost
Slide 6: Evaluation Process – Salient Features
  • Involved industry-leading DLP vendors.
  • 15 days of on-site POC for each solution.
  • Evaluated each DLP product against the defined requirements.
  • Checked integration feasibility with IRM (Information Rights Management).
  • Reviewed successful case studies.
  • Looked for a strong product roadmap.
  • Cost.

Slide 7: DLP – Scope
  • Proposed to cover the entire user base across all divisions of Escorts, including:
      • All endpoints (desktops and laptops)
      • Servers
      • Gateways
      • The cloud-hosted e-mail solution
      • Integration with Active Directory

Slide 8: Key Implementation Highlights
  • Presented the project objectives to the GMC (Group Management Committee), consisting of the CEOs, CFOs, materials heads and R&D heads of all divisions and chaired by the Managing Director.
  • Phased the implementation track-wise across divisions, covering the most critical departments, such as R&D and Materials, first.
  • Created core user groups across divisions for each vertical so that all interrelated core users were part of one track; e.g. Procurement and R&D core users were part of one track.
  • Established a project governance structure to monitor project progress.

Slide 9: Key Implementation Highlights (continued)
  • Extensive training for core users to equip them to correctly classify the data generated in their respective departments.
  • Training for end users on the project objectives, data classification and its impact on their day-to-day work.
  • Managing users' fears and assumptions.
  • Involved the internal auditors in the project from the very beginning.
Slide 10: Data Classification
  • Data classification is the heart of the DLP project.
  • What is data classification? It is a scheme by which the organization assigns a level of sensitivity and an owner to each piece of information that it generates, owns and maintains, e.g. Confidential, Internal, Public.
  • Not all information requires the same protection.
  • Classification helps establish the value of information.
  • It also helps determine the level of protection required and select the appropriate controls.

Slide 11: Data Classification – Roles
  • Information Owner: the individual responsible for making classification and access-control decisions for a piece of information.
  • Information Custodian: an individual, organizational unit or entity acting as caretaker of information on behalf of its owner.
  • Information Security Officer (ISO): a designated officer responsible for information security management.
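The deck says what a DLP deployment must do (slide 3: know where confidential data is going and enforce a policy on it; slide 10: assign each piece of information a sensitivity level such as Confidential, Internal or Public) but not how an enforcement point turns those two things into an allow/block decision. The following Python is an added illustration, not code from the Escorts project or from any DLP vendor named in the presentation. It assumes a label marker line inside the document, a per-channel ceiling policy, a conservative "unlabelled means Internal" default, and two constructed content patterns used only as a fallback for unlabelled data; all of these are the example's own assumptions, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Label(Enum):
    """Sensitivity levels from slide 10, ordered so that a higher value is more sensitive."""
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3


class Channel(Enum):
    """Egress channels a data-in-motion enforcement point sees (assumed set)."""
    INTERNAL_SHARE = "internal_share"
    EMAIL_INTERNAL = "email_internal"
    EMAIL_EXTERNAL = "email_external"
    REMOVABLE_MEDIA = "removable_media"


# Assumed label marker that a classifying user (or a labelling tool) writes into the
# document. A real product reads this from file metadata or a header, not a text line.
LABEL_MARKER = re.compile(
    r"^Classification:\s*(Public|Internal|Confidential)\s*$", re.IGNORECASE | re.MULTILINE
)

# Constructed fallback patterns for content that carries no label. These stand in for
# the fingerprinting / exact-data-matching a real DLP engine would use.
CONTENT_PATTERNS = {
    "drawing-number": re.compile(r"\bDWG-\d{6}\b"),        # hypothetical R&D drawing ID format
    "pan": re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"),          # Indian PAN card number format
}

# Assumed policy: the most sensitive label each channel may carry without being blocked.
CHANNEL_CEILING = {
    Channel.INTERNAL_SHARE: Label.CONFIDENTIAL,
    Channel.EMAIL_INTERNAL: Label.CONFIDENTIAL,
    Channel.EMAIL_EXTERNAL: Label.INTERNAL,      # Confidential may not leave by external mail
    Channel.REMOVABLE_MEDIA: Label.PUBLIC,       # only Public data may be copied to USB
}


@dataclass
class Verdict:
    action: str          # "allow" or "block"
    label: Label         # the effective label the decision was based on
    reasons: list        # why that label was chosen, for the audit trail


def classify(text: str):
    """Return (effective label, reasons). An explicit marker wins; otherwise fall back
    to content patterns; otherwise apply the conservative unlabelled default."""
    m = LABEL_MARKER.search(text)
    if m:
        return Label[m.group(1).upper()], [f"marker:{m.group(1)}"]
    hits = [name for name, rx in CONTENT_PATTERNS.items() if rx.search(text)]
    if hits:
        return Label.CONFIDENTIAL, [f"pattern:{h}" for h in hits]
    # Assumption: data nobody has classified is never treated as Public.
    return Label.INTERNAL, ["unlabelled-default"]


def evaluate(text: str, channel: Channel) -> Verdict:
    """Policy enforcement for data in motion: block when the effective label exceeds
    the ceiling configured for the channel."""
    label, reasons = classify(text)
    ceiling = CHANNEL_CEILING[channel]
    action = "allow" if label.value <= ceiling.value else "block"
    return Verdict(action, label, reasons)


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("Classification: Confidential\nGearbox drawing for the new tractor attached.", Channel.EMAIL_EXTERNAL),
        ("Classification: Confidential\nGearbox drawing for the new tractor attached.", Channel.EMAIL_INTERNAL),
        ("Please review drawing DWG-123456 for the coupler before Friday.", Channel.REMOVABLE_MEDIA),
        ("Classification: Public\nPress release: Q3 results announced.", Channel.REMOVABLE_MEDIA),
        ("Lunch at 1 pm in the canteen.", Channel.EMAIL_EXTERNAL),
    ]
    for text, channel in samples:
        v = evaluate(text, channel)
        print(f"{channel.value:16} {v.action:5} {v.label.name:12} {v.reasons}")
```

The point of splitting `classify` from `evaluate` is the one the deck makes: the label decision belongs to the information owner and is recorded in the data, while the enforcement point only compares that label against a channel policy. Keeping the reasons in the verdict is what lets the internal auditors (slide 9) reconstruct why a given transfer was blocked.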
Slide 12: Key Learnings
  • Never try to implement DLP as an IT project; it will fail miserably. Let the business spearhead the project and do most of the talking.
  • Have a dedicated core team available.
  • Involve all stakeholders, from end users to senior leadership, at every stage of the project.
  • Handle the change-management issues of people and processes carefully, involving stakeholders and dispelling the wrong notions and fears of the business community.
  • Set the right expectations among business teams.