Why Should Your Company Have a Data Loss Prevention Plan?
Brian Rosenfelt, Skoda Minotti Technology Partners

• What is Data Loss Prevention (DLP)?
• How Data Loss Prevention Technologies Work
• Choosing a Data Loss Prevention Solution
• Steps for a Successful Data Loss Prevention Plan Implementation

www.skodaminotti.com | 440.449.6800 | 6685 Beta Drive, Mayfield Village, OH 44143
Introduction

Data loss events happen at businesses large and small, a lot more often than many of us realize. Although some are targeted and malicious, many of these events are caused by highly trusted employees who accidentally leak intellectual property and data into commonly used, untrusted zones (personal email addresses, USB drives, etc.).

It’s important not to wait until a breach occurs to implement data leakage solutions. Without a comprehensive security structure for your network, you may not even know whether security breaches are occurring. We want to help you understand how your company should be protecting its most important information.

The topics covered in this e-book include:
• What is Data Loss Prevention (DLP)?
• How Data Loss Prevention Technologies Work
• Choosing a Data Loss Prevention Solution
• Steps for a Successful Data Loss Prevention Plan Implementation

If you are interested in learning more about data loss prevention, and the solutions that are available to protect your company’s data, I invite you to continue reading this e-book.

About the Author

Brian Rosenfelt, Technology Consultant - Skoda Minotti Technology Partners

Brian is a principal with Skoda Minotti Technology Partners. He has 16 years of IT experience. Prior to joining the firm, he founded Computer Troubleshooters Independence, after a successful career as a controller, CFO and operations executive in various industries.

Brian graduated from the University of Maryland’s Smith School of Business and holds an active CPA certificate. He also holds several telecommunication certifications, including being a Certified 3CX Consultant and FtOCC (Fonality Trixbox Open Communication Certification) from Fonality. He is a member of the American Institute and Ohio Society of Certified Public Accountants, the Society for Human Resource Management and the Northeast Ohio Software Association. He also spends time volunteering with Cleveland Social Venture Partners and the Jewish Community Federation.
What is Data Loss Prevention (DLP)?

To understand the importance of data loss prevention for your company, I think it’s important that you first understand what data loss prevention is and the different kinds of data your company needs to protect.

Data loss prevention is a buzzword that’s quickly growing in popularity in the information technology world. Put simply, data loss prevention refers to systems and procedures that enable organizations to reduce the corporate risk of the unintentional disclosure of confidential data. It may seem like a simple concept, but the leakage of your company’s intellectual property and/or confidential data could cost you in the form of financial loss and fines, brand damage, and more.

To help you understand how you can protect it, you need to know where your data lives. There are three kinds of data, and this should help you understand each of them:

1. Data at Rest - To understand this concept, you can ask yourself, “Where is my confidential data stored?” This can be any data that is stored on file servers, databases, backup drives, mail servers, etc.
2. Data in Motion - Here, you can ask yourself, “Where is my confidential data going?” This can be any data that is moving throughout the network (especially from inside the network to outside the network via the Internet).
3. Data in Use - To best understand this concept, ask yourself, “What individual devices have access to confidential data?” This can be any data that resides on end-user devices such as workstations, laptops, tablets, smartphones, external drives and other mobile devices.

It’s important to understand that a good data loss prevention solution will provide monitoring and protection for all three categories of data.
How Data Loss Prevention Technologies Work

So, we’ve talked about what data loss prevention is. And maybe your company does need help implementing a plan. But you want to better understand exactly how it works before you implement a plan of your own. We can help you with that.

Remember the three kinds of data we discussed earlier?
1. Data in Motion
2. Data at Rest
3. Data in Use

And remember that we also mentioned a good DLP solution would protect all three types. Here’s how an effective data loss prevention solution works to protect each type of data:

First, the solution must be able to monitor the network to ensure that “Data in Motion” is protected against unauthorized transfers. One example is employees emailing sensitive files to themselves using public webmail services like Gmail, Yahoo, AOL, etc.

Second, the solution should be able to monitor all file storage locations (“Data at Rest”) and ensure users aren’t manipulating that data in a way that violates the data loss prevention policy. For example, preventing employees from copying data from a file share to a USB drive.

Finally, the solution should have an “agent” component that can be installed to protect the “Data in Use” on end-user devices, such as workstations and laptops, to ensure that policies aren’t violated even when those devices are outside of the corporate network.

Above all, the most important piece of a functional data loss prevention plan is educating the employees of your organization, so that they know and understand that they are responsible for ensuring your data’s ‘health and safety’. Helping them to understand this concept, and explaining the ways your policy will work to do just that, can be instrumental to your data loss prevention plan’s success.
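As an added illustration of the three-state monitoring described above (not code from this e-book or from any DLP product), the following Python sketch applies one policy to constructed email, file-copy and endpoint events, using a Luhn check to recognise payment card numbers in the content; the webmail domain list, policy names, severities and the event format are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed policy values for this example; no vendor product's rule syntax is implied.
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "aol.com"}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, optional space/dash separators

def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; filters out most random digit runs (phone numbers, order IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> List[str]:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            hits.append(digits)
    return hits

@dataclass
class Event:
    state: str               # "in_motion" (mail gateway), "at_rest" (file share), "in_use" (endpoint agent)
    user: str
    content: str
    destination: str         # recipient domain for mail, target path for copies
    on_corp_network: bool = True

@dataclass
class Incident:
    user: str
    policy: str
    severity: str
    evidence: List[str] = field(default_factory=list)

def evaluate(ev: Event) -> Optional[Incident]:
    """Same rules for all three states; network location is deliberately not consulted (agent case)."""
    cards = find_card_numbers(ev.content)
    sev = "high" if cards else "medium"
    if ev.state == "in_motion" and ev.destination.lower() in PUBLIC_WEBMAIL:
        return Incident(ev.user, "no-public-webmail", sev, cards)
    if ev.state in ("at_rest", "in_use") and ev.destination.startswith("usb:"):
        return Incident(ev.user, "no-removable-media", sev, cards)
    return None
```

The off-network endpoint event below is flagged exactly like the on-network file-share copy, which is the point of the agent component.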
Choosing a Data Loss Prevention Solution

If you didn’t know you needed a data loss prevention plan before, you do now. Let’s give you a few more reasons why you should have one.

The obvious reason: to protect against intentional and unintentional data leakage. Beyond that, going through the process of creating a data loss prevention plan and policy gives your company intelligence as to where and how your data really is being stored, moved and used. Lastly, implementing a solution can help identify areas for process improvement (e.g. a developer sending source code to a home computer to work with because they didn’t have the resources they needed in your office).

Here are a handful of questions that you can ask your provider when choosing your data loss prevention solution:

Where does the product look for data across your network? Does it find sensitive data just traveling your network, on your database and file servers, or does it look at data on local desktops?

Can the data loss prevention agents accomplish other security-related things on the endpoints? Some vendors can turn off USB connectors to block someone with a thumb drive from walking away with all of your customer data in their pocket. Others can control which applications can and can’t be run on your workstations, laptops or even tablets.

What protocols can be blocked or analyzed? Just protocols involving email (SMTP, POP and IMAP)? What about file transfer technologies or instant messaging?

How hard is it to create – and then change – the data loss prevention rules? A DLP tool is only as good as its ability to have rules updated easily over time. Can your IT staff (or outsourced provider) easily update rules as new threats are identified or company policies are updated?

What happens when a rule is broken? Can you figure out who violated the policy, where the offending information is stored, and what kinds of automated responses can be sent? Does the product come with pre-defined templates to make all of this easier?

Is the content analysis portion a separate or integrated piece of the product? In some cases, such as McAfee’s data loss prevention solution, you are going to need several different products to be installed to enable a complete solution.

What kinds of reports are available, and are they easy to understand? Does the product offer any real-time reporting capabilities, and how flexible are these reports?
Steps for a Successful Data Loss Prevention Plan Implementation

So, you’ve decided to implement a data loss prevention plan. Once you have the systems in place to begin monitoring the data within your organization, here are some steps that you can take, internally, to implement a successful DLP solution:

1. Identify Key Participants – Assemble those who should be involved internally when you identify data loss. Participants may include IT, HR, and operations employees. Identify the individuals and meet with them to work out which situations they will need to be involved in.
2. Develop a Notification Process – Do you have processes ready if a regulated data breach occurs? Who will be notified? Is your legal or compliance team ready to meet requirements, such as breach notification laws? Get your compliance people in the loop and have them write the process with you.
3. Fix Broken Business and Weak Processes – Assume that you will find broken business processes, like automated file transfers to partners in clear text over the Internet instead of encrypted or over a private line. You’ll spend time getting these fixed.
4. Create a Plan for Handling Theft – Talk with HR to establish a process if you uncover insider theft. Give HR a heads-up and involve them in the roll-out. The insider may be at a senior level, so consider that as well.
5. Establish the Response Team and Workflow – Map out your incident handling and resolution process as a flowchart. Who will be on the incident handling team? In larger organizations you might have: a first-level reviewer (making sure the incident is properly classified with the right severity, typical in large enterprises), IT, Security, Compliance, HR.
6. Set a Timeline for Incident Resolution – Set goals for making sure incidents are handled in a timely manner.
   • First-level review of all incidents within x amount of time
   • Resolve all high-severity incidents within y amount of time
   • Close all incidents within z amount of time (resolving incidents within 2 hours)
Steps for a Successful Data Loss Prevention Plan Implementation (cont.)

7. Establish Reporting and Automate – How are you going to track things? Decide what reports you’ll need to have and who should get them. Set up scheduled reports so that you know what is happening and that your team is resolving incidents within your timeline. Reports for:
   • Incidents Created
   • Incidents Closed
   • Open Incidents Status – by age, severity, owner
   • A report sorted by the type of data or by policy that was violated
   • Summary reports for your CSO or execs
8. Plan Roll-Out Stages – It’s important to plan your roll-out in stages rather than trying to attack the problem all at once.
   • Select data and policies to be implemented in stages, e.g. first the customer billing database for PCI violations, then the next set of data and policies for state privacy regulations, then company IP data and policies.
   • Roll out and test your policies in a monitor-only mode, to set a baseline. But you have to be prepared for a significant breach to happen. That’s why we advise people to anticipate data loss and prepare for it in advance.
   • Decide when you will have the solution notify end users and what you expect of them. Use this for user education about your policies on data handling. You can expect to see the number of incidents drop as users are notified on each violation. Set up your reporting ahead of time so that you can track this.

For a no-risk analysis of your company’s data, or to simply meet and discuss your company’s data loss prevention needs, give our Technology Partners group a call at 440-449-6800.
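As an added example for steps 6 and 7 (not from the e-book or any DLP product), this Python sketch checks a constructed incident queue against the review, resolution and closure timeline and builds the open-incident status report by severity, owner and age; the x, y, z deadline values, the incident fields and the sample incidents are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
# Constructed deadlines; the e-book leaves x, y and z for each organization to set.
REVIEW_WITHIN = timedelta(hours=4)          # x: first-level review of every incident
RESOLVE_HIGH_WITHIN = timedelta(hours=24)   # y: resolve every high-severity incident
CLOSE_WITHIN = timedelta(days=7)            # z: close every incident

@dataclass
class Incident:
    id: int
    policy: str
    severity: str            # "high", "medium" or "low"
    owner: str
    created: datetime
    reviewed: Optional[datetime] = None
    resolved: Optional[datetime] = None
    closed: Optional[datetime] = None

def overdue_checks(inc: Incident, now: datetime) -> List[str]:
    """Step-6 deadlines this incident missed (done late) or is currently past (not done)."""
    def late(stamp: Optional[datetime], limit: timedelta) -> bool:
        return (stamp if stamp is not None else now) - inc.created > limit
    missed = []
    if late(inc.reviewed, REVIEW_WITHIN):
        missed.append("review")
    if inc.severity == "high" and late(inc.resolved, RESOLVE_HIGH_WITHIN):
        missed.append("resolve")
    if late(inc.closed, CLOSE_WITHIN):
        missed.append("close")
    return missed

def open_incident_report(incidents: List[Incident], now: datetime) -> dict:
    """Step-7 status report over open incidents: by severity, owner, age, and missed deadlines."""
    open_ones = [i for i in incidents if i.closed is None]
    return {
        "by_severity": dict(Counter(i.severity for i in open_ones)),
        "by_owner": dict(Counter(i.owner for i in open_ones)),
        "age_days": {i.id: (now - i.created).days for i in open_ones},
        "overdue": {i.id: m for i in open_ones if (m := overdue_checks(i, now))},
    }

NOW = datetime(2024, 1, 10, 12, 0)   # constructed "now" for the constructed queue below
SAMPLE = [
    Incident(1, "no-public-webmail", "high", "it", NOW - timedelta(hours=30), reviewed=NOW - timedelta(hours=29)),
    Incident(2, "no-removable-media", "medium", "security", NOW - timedelta(hours=5)),
    Incident(3, "no-public-webmail", "low", "it", NOW - timedelta(days=10), reviewed=NOW - timedelta(days=9, hours=23), resolved=NOW - timedelta(days=9), closed=NOW - timedelta(days=9)),
    Incident(4, "no-removable-media", "high", "it", NOW - timedelta(hours=2), reviewed=NOW - timedelta(hours=1)),
]
```

Running this as a scheduled job and mailing the returned dictionary is the "set up scheduled reports" step; incidents with a non-empty overdue list are the ones the timeline in step 6 says need escalation.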