This document discusses implementing a data loss prevention (DLP) system using a step-by-step approach involving metrics, risk management, and maturity levels. It recommends defining metrics to measure the DLP program's goals and objectives, assessing risks, and improving processes over time. Key aspects include creating an asset inventory, establishing governance, training, and incident response processes, and monitoring DLP controls and metrics like the number of data leakage incidents. The overall framework presented allows an organization to develop a comprehensive DLP system through measurement, management of risks, and continual adaptation and improvement.

1. Metrics, Risk Management & DLP
a step by step approach
Rob Kloots
Vice-President ISSA-NL (2009)
Webmaster ISSA-BE (2009+10)
Owner CSF b.v. - GRC Consulting
Rob.Kloots@csf.nl

2. Agenda
• Do we have a Data Loss Problem?
• What can we do?
• Compliance Security Framework
• Risk Management
• DLP
2

3. Firefighting DLP incidents DLP
• DLP more then a Gartner-hype
• DLP key to GRC
• DLP incidents are a given fact of operations
• If or When?
3

4. Adopt, Adapt, Improve
• Firefighting
===========
• Maturity level
• What Measures?
• Learning Management System
Adopt
o Metrics,
o Measures, and
o Markerpoints.
Improve Adapt
4

5. Maturitylevels
• Predefined business process
• Clear goals/performance requirements
• Quantitative/qualitative measures
Quantitatively
Managed
Defined
Managed
Performed
Incomplete
5

6. Compliance Security Framework
• A Compliance Security Framework should allow for team-effort
for both
• Mgt (2) and operators(3) to enter into a learning system
• with respect to Compliance & Risk based security measures (1).
1
CSF
2 3
6

7. Metrics - 1
• Metrics are simply a standard or system of measurement
• Metric - A quantitative measure of the degree to which a
system, component, or process possesses a given attribute [2].
A calculated or composite indicator based upon two or more
measures. A quantified measure of the degree to which a
system, component, or process possesses a given attribute [3].
7

8. Metrics - 2
• Characteristics & Classification
• Process metrics
– CSFs, KGIs and KPIs
• Asset related vulnerability metrics
– What value has Data, when static, dynamic, owned, stored, lost
• Monetary value of Reputation
– ? Market Capitalisation
– ! Value of assets in Euro
– ! Total asset value at Risk
8

9. Measures
• Measure - To ascertain or appraise by comparing to a
standard [1]. A standard or unit of measurement; the extent,
dimensions, capacity, etc., of anything, especially as
determined by a standard; an act or process of measuring; a
result of measurement [3]. A related term is Measurement -
The act or process of measuring. A figure, extent, or amount
obtained by measuring [1]. The act or process of measuring
something. Also a result, such as a figure expressing the
extent or value that is obtained by measuring [3].
9

10. Achieveable Markerpoints
• How to set
• Where to use
• Purpose
10

11. Risk Management - 1
Qualitative
Quantitative
RM
mechanics
Mgt info
11

12. Risk Management - 2
12

13. Risk Management - 3
Threat Materialisation
DLP MEASURES
13

14. Risk Management - 4
Management Review
Risk
Treatment
Corrective / Plans for
Preventative Program / Project
Action / Action
14

15. Data Loss Prevention System
• 1. Introduction to the DLPS 10%
• 2. Creating the Asset Inventory 8%
• 3. Establishing DLP Risk Management process 8%
• 4. Establish a Continual Improvement process 10%
• 5. Developing Documentation 5%
• 6. Establishing a Legal Registry process 8%
• 7. Establishing a Compliance Management process 5%
• 8. Establishing an Audit process 10%
• 9. Establishing a Governance process 10%
• 10. Establishing DLP testing process 8%
• 11. Establishing the Incident Response process 8%
• 12. Establishing Training & Awareness process 10%
15

16. DLP metrics program:
• 1. Define the metrics program goal(s) and objectives
• 2. Decide which metrics to generate
• 3. Develop strategies for generating the metrics
• 4. Establish benchmarks and targets
• 5. Determine how the metrics will be reported
• 6. Create an action plan and act on it, and
• 7. Establish a formal program review/refinement cycle
16

17. DLP Controls
SANS Critical Security Controls
• 1: Inventory of Authorized and Unauthorized Devices
• 2: Inventory of Authorized and Unauthorized Software
• 3: Secure Configurations for Hardware and Software on Laptops,
WorkstationsCritical, and Servers
• 4: Secure Configurations for Network Devices such as Firewalls, Routers,
and Switches
Control 15 Metric
• 5: Boundary Defense
• 6: Maintenance, Monitoring, and Analysis of Audit Logs
Control 15Test
• 7: Application Software Security
• 8: Controlled Use of Administrative Privileges
• 9: Controlled Access Based on Need to Know
• 10: Continuous Vulnerability Assessment and Remediation
• 11: Account Monitoring and Control
• 12: Malware Defenses
• 13: Limitation and Control of Network Ports, Protocols, and Services
• 14: Wireless Device Control
• 15: Data Loss Prevention
17

18. DLP metrics
• Incident Management
o Mean-Time to Incident Discovery
o Number of Data Leakage Incidents
o Mean-Time Between Security Incidents
o Mean-Time to Incident Recovery
• Vulnerability Management
• Patch Management
• Application Security
• Configuration Management
• Financial Metrics
18

19. Questions, please!
19