Data loss prevention (DLP) includes a broad range of practices design to prevent, or identify and resolve, instances of your sensitive data “leaking” outside the boundaries of the system.
The Consumer Data Right gives Australian’s control of their data. That enables innovation in new products and services to those consumers. To participate as a data recipient, there are five governance requirements and 24 information security requirements. These are independently audited by a qualified firm like AssuranceLab, and included in an assurance report for accreditation.
Your entire security program is built on the premise that sensitive data sits within a perimeter of security that restricts access to authorised and appropriate personnel. This perimeter is protected through Access Control and the Vulnerability Management Program. Those protections only apply within that perimeter so it’s important to ensure all sensitive data remains within that.
DLP practices are often covered in the Acceptable Use Policy. Many of these practices rely on all employees to maintain sensitive assets appropriately within the perimeter. In addition to those, the following areas should be considered for effective DLP. The important thing to consider in DLP is that it includes the risks of deliberate and accidental leakage. It’s impossible to eliminate the risk of data leakage, so the purpose of focus in this area is to reduce the risk to a sufficient, tolerable level, and complementing that with response plans recognising that the preventive practices aren’t perfect. This is covered by Security Incident Response plans or procedures.
User devices accumulate sensitive data. In email accounts, documents and local applications with downloaded data. DLP should consider restricting what devices are used for business purposes, applying security to prevent unauthorised usage, and remote-wipe and encryption controls to secure that local data in the event that devices are lost, stolen or compromised.
Cloud services make it easy to collect, process, and share data, which is a benefit to many business goals, but also a risk of data leakage. Vendor risk management controls and data governance are important to protect data across these services and determine what data is appropriate to use in each. Each software product may have a varying level of security protections and access setup, which risks data being shared with the wrong people, ie. leaked outside the boundaries of the system. It may also be appropriate to block certain solutions that are a high risk of data leakage.
Emails and messaging
Emails and other workplace messaging applications carry their own risks around accidental or deliberate data leakage. A common error is where the wrong person is addressed and sent sensitive contents. These communication systems are also an opportunity for deliberate leakage outside of the system boundaries for employees that see a personal gain in using sensitive data for unauthorised purposes. DLP controls can include warnings for contents sent outside of the organisation, automated monitoring and alerts for suspicious communications, and blocking attachments.
Systematically blocking or applying policy restrictions on websites are often considered more in relation to anti-malware practices. However, there’s also a DLP aspect to these practices. Content filtering and limiting website access can prevent data from being solicited or shared outside of the organisation inappropriately. This can include unapproved sites that allow data to be uploaded and then bypass the boundaries of the system protections over that data.
Removable media can lead to deliberate or accidental data leakage. It can provide an easy way to duplicate large amounts of sensitive data outside of the boundaries of the system. When removable media is lost that can expose it to an unauthorised audience. Systematically blocking removable media is a common practice to achieve both DLP and anti-malware security objectives.
In addition to these specific practices, there are organisational controls like Security Awareness Training and the Acceptable Use Policy that strengthen accountability and secure behaviours across your company. These DLP practices often go hand-in-hand with Anti-malware Practices based on the overlap in information assets, and the types of practices that mitigate the respective security risks.
If you're wondering what this looks like "on paper" - get in touch with our team <email@example.com>. We're happy to share examples, software solutions, and guide you through how this may look for your business.
The CDR Perspective
DLP is one of the 24 requirements for the CDR. Data loss and leakage prevention mechanisms are implemented to prevent data leaving the CDR data environment, including, but not limited to:
(a) blocking access to unapproved cloud computing services; and
(b) logging and monitoring the recipient, file size, and frequency of outbound emails; and
(c) email filtering and blocking methods that block emails with CDR data in text and attachments; and
(d) blocking data write access to portable storage media.
AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2). We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.