
Plan for data loss prevention (DLP)


Many organizations choose to implement DLP to comply with various governmental or industry regulations.

For example, the European Union’s General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), or the California Consumer Privacy Act (CCPA).

They also implement data loss prevention to protect their intellectual property.

Identify stakeholders

  • identify the regulations, laws, and industry standards your organization is subject to
  • identify the categories of sensitive items to be protected
  • identify the business processes they’re used in
  • identify the risky behavior that should be limited
  • prioritize which data should be protected first, based on the sensitivity of the items and risk involved
  • outline the DLP policy match event review and remediation process

In general, these needs tend to be 85% regulatory and compliance protection, and 15% intellectual property protection.

Here are some suggestions on roles to include in your planning process:

  • IT
  • Regulatory and compliance officers
  • Chief risk officer
  • Legal officers
  • Security and compliance officers
  • Business owners for the data items
  • Business users

Describe the categories of sensitive information to protect

For example, DLP defines these categories:

  • Custom
  • Financial
  • Medical and health information
  • Privacy


Set implementation plan

  • a map of your starting state, desired end state, and the steps to get from one to the other
  • a plan for how you’ll address discovery of sensitive items
  • a plan for developing policies and the order in which you’ll implement them
  • a plan for how you’ll address any prerequisites
  • a plan for how you’ll simulate policies before implementing them for enforcement
  • a plan for how you’ll train your end users
  • a plan for how you’ll tune your policies
  • a plan for how you’ll review and update your data loss prevention strategy based on changing regulatory, legal, industry standard, or intellectual property protection and business needs

Map out path from start to desired end state


Sensitive item discovery

To learn more, see Know your data.

Policy planning

What laws, regulations, and industry standards must your organization comply with?

Example: Your organization is subject to U.K. financial regulations.

What sensitive items must your organization protect from leakage?

Example: To get started quickly, you might pick the preconfigured U.K. Financial Data policy template, which includes the Credit Card Number, EU Debit Card Number, and SWIFT Code sensitive information types.

Where are the sensitive items and what business processes are they involved in?

DLP policies can be applied to the following locations:

  • On-premises repositories
  • Exchange Online email
  • SharePoint sites
  • OneDrive accounts
  • Teams chat and channel messages
  • Windows 10, Windows 11, and macOS devices
  • Microsoft Defender for Cloud Apps

Example: Your organization’s internal auditors are tracking a set of credit card numbers. They keep a spreadsheet of them in a secure SharePoint site. Several of the employees make copies and save them to their work OneDrive site, which is synced to their Windows 10 device. One of these employees pastes a list of 14 credit card numbers into an email and tries to send it to the outside auditors for review. In this case, you’d want to apply the policy to the secure SharePoint site, all the internal auditors’ OneDrive accounts, their Windows 10 devices, and Exchange email.

What is your organization’s tolerance for leakage?

Example: Your organization’s security group and legal team both feel that there should be no sharing of credit card numbers with anyone outside the org. They insist on zero leakage. However, as part of their regular review of credit card number activity, the internal auditors must share some credit card numbers with third-party auditors. If your DLP policy prohibits all sharing of credit card numbers outside the org, there will be a significant business process disruption and added cost to mitigate the disruption in order for the internal auditors to complete their tracking. This extra cost is unacceptable to the executive leadership. To resolve this issue, there needs to be an internal conversation to decide an acceptable level of leakage. Once that is decided, the policy can provide exceptions for certain individuals to share the information, or it can be applied in audit-only mode.

Policy deployment

  1. Run the policy in simulation mode, without Policy Tips
  2. Run the policy in simulation mode with notifications and Policy Tips
  3. Start full policy enforcement
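The three-stage rollout above, applied to the credit card example (the secure SharePoint site, the auditors’ OneDrive accounts, Exchange email and Windows devices) with the agreed “acceptable leakage” exception for the external auditors, written out as an added example in Security & Compliance PowerShell (ExchangeOnlineManagement module). This is not code from the original post or from Microsoft’s documentation. The policy name, the SharePoint and OneDrive URLs, and the external auditors’ domain are placeholders you would replace; the sensitive information type name “Credit Card Number” is the one the post mentions.

```powershell
# Added example (not from the original post): staged rollout of one DLP policy
# via Security & Compliance PowerShell. Policy name, site/OneDrive URLs and the
# external auditors' domain below are placeholders.

# Connect-IPPSSession   # run once in the session; prompts for a compliance admin account

$policyName = 'Internal Audit - Credit Card Numbers'

# Create the policy scoped to the locations from the credit card example.
# Mode TestWithoutNotifications = stage 1: simulation, no Policy Tips shown to users.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Credit card numbers tracked by internal audit' `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/InternalAudit' `
    -OneDriveLocation 'https://contoso-my.sharepoint.com/personal/auditor1_contoso_com' `
    -ExchangeLocation All `
    -EndpointDlpLocation All `
    -Mode TestWithoutNotifications

# One rule: a single credit card number shared outside the org is blocked and the
# owner/last modifier is notified, except when the recipient is the external
# auditors' domain (the "acceptable leakage" agreed in the leakage-tolerance example).
# For audit-only behaviour instead, set -BlockAccess $false and keep the notification.
New-DlpComplianceRule -Name "$policyName - block external sharing" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -ExceptIfRecipientDomainIs 'external-auditors.example' `
    -ReportSeverityLevel High

# Stage 2: after reviewing simulated matches (volume, false positives), keep
# simulating but show Policy Tips and notifications so users can adjust.
Set-DlpCompliancePolicy -Identity $policyName -Mode TestWithNotifications

# Stage 3: once tuned, switch to full enforcement.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Verify the current mode and scope before and after each stage change.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation, EndpointDlpLocation
```

Run the three `Mode` changes days or weeks apart, not in one sitting: the point of the first two stages is to read the match events before any user is blocked. The OneDrive location is shown for one auditor; add one URL per internal auditor, or scope the policy with a group instead of listing sites.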

End-user training

Review DLP requirements and update strategy

Contoso Bank is in a highly regulated industry and has many different types of sensitive items in many different locations.

Contoso:

  • knows which types of sensitive information are top priority
  • must minimize business disruption as policies are rolled out
  • has involved business process owners
  • has IT resources and can hire experts to help plan, design, and deploy
  • has a premier support contract with Microsoft

Approach

  • Take time to understand what regulations they must comply with and how they’re going to comply.
  • Take time to understand the “better together” value of the Microsoft Purview Information Protection stack
  • Develop a sensitivity labeling scheme for prioritized items and apply it
  • Design and code policies, deploy them in simulation mode, and train users
  • Repeat and refine policies

TailSpin Toys doesn’t know what sensitive data they have or where it is, and they have little to no resource depth. They use Teams, OneDrive, and Exchange extensively.

Approach

  • Start with simple policies on the prioritized locations.
  • Monitor what gets identified
  • Apply sensitivity labels accordingly
  • Refine policies and train users

Fabrikam is a small startup. They want to protect their intellectual property and must move quickly. They’re willing to dedicate some resources, but can’t afford to hire outside experts.

Other considerations:

  • Sensitive items are all in Microsoft 365 OneDrive / SharePoint
  • Adoption of OneDrive and SharePoint is slow. Many employees still use Dropbox and Google Drive to store and share items
  • Employees value speed of work over data protection discipline
  • All 18 employees have new Windows devices

Approach

  • Take advantage of the default DLP policy in Teams
  • Use the “restricted by default” setting for SharePoint items
  • Deploy policies that prevent external sharing
  • Deploy policies to prioritized locations
  • Deploy policies to Windows devices
  • Block uploads to cloud storage solutions other than OneDrive
