
Top learnings from evaluating and implementing a DLP Solution


Presented by Vipin Kumar, Group CIO, Escorts Ltd, at CISO Platform Annual Summit, 2013.



  1. Escorts IT – DLP Project Review Executive Summary
  2. Escorts – Brief Background
     • Premier engineering company of India, more than 65 years old.
     • Escorts has four major divisions and a Corporate Office:
         • Escorts Agri Machinery
         • Escorts Construction Equipment
         • Escorts Railway Product
         • Escorts Automotive Product
     • Major products:
         • Tractors, Implements, Gensets
         • Cranes, Compactors, Backhoe loaders
         • Shockers, Brakes, Auto Components
         • Components for Railways like couplers, shockers, etc.
     • Combined turnover of around Rs. 5000 crores.
  3. Data Loss Prevention: Three Key Organization Challenges
     • Where is my confidential data stored?
         • Data at Rest
     • Where is my confidential data going?
         • Data in Motion
     • How do I fix my data loss problems?
         • Data Policy Enforcement
  4. DLP – Key Expectations
     • To address the challenges of securing data in use, data in motion and data at rest.
     • To protect proprietary and sensitive information against security threats caused by enhanced employee mobility and new communication channels.
     • To proactively prevent the misuse of data at endpoints (Laptops/Desktops) for unauthorized circulation, both on and off the Escorts network.
     • E-Mail access control from devices (without DLP Endpoint) outside of the Escorts Network.
     • Protect data at Email gateway in the cloud.
  5. Data Loss Prevention – a Priority
     • Compliance
     • Secured working environment
     • IPR & Critical information protection
     • Brand and Reputation Protection
     • Remediation Cost
  6. Evaluation Process: Salient Features
     • Involved industry leading DLP vendors
     • 15 days of POC at our site for each solution
     • Evaluation of DLP against defined requirements
     • Integration feasibility with IRM
     • Successful Case studies
     • Strong Product Roadmap
     • Cost
  7. DLP – Scope
     • Propose to cover the entire user base across all divisions of Escorts, including:
         • All end points (desktops & laptops)
         • Servers
         • Gateways
         • Email solution on the cloud
         • Integration with Active Directory
  8. Key Implementation Highlights
     • Presented the project objectives to the GMC (Group Management Committee), consisting of the CEOs, CFOs, Material Heads and R&D heads of all divisions and chaired by the Managing Director.
     • Phased the implementation track-wise, across divisions, covering the most critical departments like R&D and Materials first.
     • Created core user groups, across divisions, for each vertical such that all interrelated core users were part of one track, e.g. Procurement and R&D core users were part of one track.
     • Established a project governance structure to monitor the project progress.
  9. Key Implementation Highlights
     • Extensive training for core users to equip them to correctly classify the data generated in their respective departments.
     • Training for end users on the project objectives, data classification and its impact on their work.
     • Managing the fears and assumptions of users.
     • Involved the internal auditors in the project from the very beginning.
  10. Data Classification
     • Data Classification is the heart of the DLP project.
     • What is Data Classification?
         • It is a scheme by which the organization assigns a level of sensitivity and an owner to each piece of information that it generates, owns and maintains, e.g. Confidential, Internal, Public
     • Not all information requires the same protection
     • Classification helps in establishing the value of information
     • Also helps in determining the level of protection required and in selection of appropriate controls
  11. Data Classification
     • Information Owner:
         • Individual that has responsibility for making classification and access control decisions for information
     • Information Custodian:
         • Individual, organizational unit, or entity acting as caretaker of information on behalf of its owner
     • Information Security Officer (ISO):
         • A designated officer responsible for information security management
  12. Key Learning
     • Never try to implement DLP as an IT project. It will fail miserably. Let Business spearhead the project and do most of the talking.
     • Availability of a dedicated core team.
     • Involve all stakeholders, from end users to senior leadership, at every stage of the project.
     • Handle the change management issues of people and processes very intelligently, involving stakeholders, and dispel all wrong notions and fears of the business community.
     • Set the right expectations among business teams.