Tuesday, November 17, 2009

DLP implementation process

I suggest that the following phases be considered when implementing a Data Leakage Prevention (DLP) solution.

Asset discovery


Use your DLP suite to help you discover information assets on desktops, file shares and in intranets and extranets.


Asset classification


Leverage the suite to assist you in classifying the information assets discovered. Don't forget to classify the systems on which the assets reside!


Establish implementation team and support structure


You need resources to design, implement and, most importantly, tune and respond to "false positives". Establishing a 1-800-DLPFIX number might be a good idea, or at least document procedures for the help desk to handle common queries and escalate to the DLP team to respond to. Ensure that web based training is developed and that line managers are tasked with re-training personnel who trigger the DLP.


Design


Consider all points of egress in the design: USB, CD/DVD burner, webmail, instant messenger and email. Remember you are mostly planning to catch accidental disclosure. Consider where SSL tunnels will terminate.

Consider use of the 1-800 number in warning notices that will later be turned into block notices.


Implement


Drop in the appliances on the gateway and the software on the desktops. Test each point of egress with a test file, using encrypted and unencrypted webmail etc.


Monitor


Configure the DLP in monitoring mode with all signatures enabled. Do not alert end users at this stage.


Fix Broken Business Processes


By using the DLP solution in monitor mode you will now be able to identify broken business processes, for example PII being unnecessarily shuffled around on file shares, or credit card numbers being emailed due to a lack of system interfaces, or even systems!


Tune


After you have remediated the business processes to the point where it makes sense to do so, it's time to tune the false positives out.


Training


Roll out web based training for all personnel who will be affected prior to end users being alerted by the system.


Alert


Now enable warning messages for end users for each of the selected rules you wish to enforce: a click-yes-to-proceed prompt and a notification to contact the DLP team if there is a valid reason that this action must not be blocked in the future. During this phase the DLP team must be monitoring logs and liaising closely with stakeholders as to their contents. The alert period must be long enough to pick up any month-end or FY-end business processes, such as shuffling spreadsheets with billing data around.


Enforce


For the rules that are to be enforced, enable them after suitable fanfare and communication to stakeholders. Use multiple channels such as voicemail, email, flyers and posters to get the message out.


Tune and Respond


There will be incidents discovered, leakage prevented, and false positives to tune out and apologise for!
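The monitor, tune, alert and enforce phases above, as an added example (not the post's own code and not any vendor's DLP product): a small Python rule engine run over a few constructed messages. It shows why the same rule set should run through every phase with only the action changing, how a Luhn check and a tuned-out exclusion list remove the two most common false positives for a card-number rule, and how a "min_matches" knob lets a rule stay quiet on a single incidental hit. The rule names, channels, sample text and the exclusion value are all assumptions made for this example.

```python
# Added example (not from the original post or any DLP vendor): a toy DLP
# rule engine showing monitor -> alert -> enforce and false-positive tuning.
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

# Candidate card numbers: 13-19 digits, optionally grouped by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN-shaped values, used here as the "PII" rule.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: cuts most random digit runs (order refs, IDs) out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    validator: Optional[Callable[[str], bool]] = None  # extra check on digits
    min_matches: int = 1  # tuning knob: hits needed before the rule fires


@dataclass
class Policy:
    mode: str  # "monitor", "alert" or "enforce"
    rules: List[Rule]
    exclusions: Set[str] = field(default_factory=set)  # tuned-out values


@dataclass
class Event:
    channel: str
    rule: str
    matches: List[str]
    action: str  # "logged", "warned" or "blocked"


ACTION_FOR_MODE = {"monitor": "logged", "alert": "warned", "enforce": "blocked"}


def find_matches(rule: Rule, text: str, exclusions: Set[str]) -> List[str]:
    """Pattern hits that survive the validator and the tuned-out exclusions."""
    hits = []
    for m in rule.pattern.finditer(text):
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if rule.validator is not None and not rule.validator(digits):
            continue  # e.g. a 16-digit order reference that fails Luhn
        if digits in exclusions:
            continue  # e.g. a QA test card number tuned out after review
        hits.append(raw)
    return hits


def evaluate(policy: Policy, channel: str, text: str) -> List[Event]:
    """Apply every rule to one message or file leaving via `channel`.

    The same rules run in every phase; only the resulting action changes,
    so tuning done in monitor mode carries straight over to enforcement.
    """
    events = []
    for rule in policy.rules:
        hits = find_matches(rule, text, policy.exclusions)
        if len(hits) >= rule.min_matches:
            events.append(Event(channel, rule.name, hits, ACTION_FOR_MODE[policy.mode]))
    return events


RULES = [
    Rule("PAN", PAN_RE, validator=luhn_ok),
    Rule("SSN", SSN_RE),
]

# Constructed sample traffic for this example; 4111... and 5555...4444 are
# well-known publicly documented test card numbers, not real accounts.
SAMPLE_TRAFFIC = [
    ("webmail", "Hi, the card on file is 4111 1111 1111 1111, exp 11/09"),
    ("email", "Order ref 1234567890123456 has shipped"),  # fails Luhn
    ("usb", "QA regression uses 5555 5555 5555 4444 as the test card"),
    ("fileshare", "Payroll export: 123-45-6789, 987-65-4321"),
]


def run_phase(mode: str) -> List[Event]:
    """Run the sample traffic through the policy in the given mode."""
    policy = Policy(mode=mode, rules=RULES, exclusions={"5555555555554444"})
    events = []
    for channel, body in SAMPLE_TRAFFIC:
        events.extend(evaluate(policy, channel, body))
    return events


if __name__ == "__main__":
    for mode in ("monitor", "alert", "enforce"):
        for e in run_phase(mode):
            print(f"[{mode}] {e.channel}: {e.rule} {e.matches} -> {e.action}")
```

Running the sample traffic in monitor mode produces two events (the webmail card number and the payroll SSNs) and stays silent on the order reference and the QA test card; switching the mode to enforce changes only the action on those same two events, which is the point of doing the tuning before anyone is warned or blocked.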
