As stated in a previous post, effective Data Loss Prevention (DLP) will be an important component of an overall Risk Management Framework. The Risk Management Framework should include the following:
- Risk Assessment
- Policy, Standards, and Procedure Framework
- Incident Response Plan
- Security Awareness Training
- Enforcement of the above using Data Loss Prevention technologies
Failure to account for any of the above can increase the likelihood of a DLP tool turning into shelfware. The number one question each of my clients has about a DLP technology is “How do I use it?” The answer to that question depends on the risks in your environment, and thus a Risk Assessment should be completed. At a minimum, the Risk Assessment should identify data types and their associated classification, as well as the data flow within your environment. This will allow you to move forward to the next phase of policy development.
Next, I’ll talk about how to incorporate a DLP tool into your Risk Assessment as well as Policy Development.