


Think Before You DLP – A Parental Advisory

Feb 24, 2009
Data and Information Security | IT Leadership

Data Loss Prevention (DLP) tools are great solutions. They detect what is flowing out of your boundaries, examining sex, drugs, rock & roll and even IP (intellectual property) across any and all protocols (except sneakernet). They can crawl the LAN searching unstructured data sources for credit card information, social security numbers, pornography, salary information and termination lists. DLP can be the greatest thing since sliced bread, but you had best plan for what you will find.

Most security engineers and even many CISOs get that glazed-over look in their eyes when they hear of all the wonderful things that a DLP solution can do. Plug it in and the problems just go away. What they fail to understand or foresee is the Pandora's Box they have not only opened but completely unhinged. What you really need to understand is how deep the business wants you to go.

If you go too deep, experience tells me that you will not be seen as the savior you fashion yourself to be but as an enemy of the state. The bodies you discover may eventually lead to your own undoing. Here are some tips (ten only, although there are more) on ensuring the proper depth and the structure you need to have in place prior to and during a DLP solution rollout:

1.       Determine the risk appetite of the company. Let them know that you are going to enable all filters for one week across all protocols and share the results only with senior members of Legal, Compliance, Privacy, HR, Internal Audit and the CIO.

a.       Have the vendor run the solution for one week prior to purchase.

b.      Brace them for what they may find. (I have found pornography, white supremacist activity, the buying and selling of AK-47s, unsavory videos, credit cards flowing with impunity outside of the company alongside intellectual property, salary information, malware, adulterous activity, plots within plots within plans to subvert something or someone, social security numbers and corporate business plans, businesses being run off corporate servers; you get the idea.)

2.       Establish policies ahead of time to expand your coverage (ensure you have air cover).

3.       Get your awareness plan updated and prepare to re-execute it.

4.       Ensure your data classification policies and procedures are up to date, and plan to communicate them.

a.       Determine how you will consolidate the 20 copies you find of the same file containing intellectual property.

b.      Determine where you will store the reduced number of copies.

c.       Determine who owns the information.

d.      Determine access rules and rights.

e.      Determine any regulatory requirements over the discovered information including potential eDiscovery / Legal Hold issues.

5.       Determine whether the company wants to announce the use of such tools as a deterrent or to hide their usage (there are companies who believe that announcing usage is Big Brother but using the tools without announcement is not; go figure).

6.       Make sure all participating organizations know their roles and responsibilities. They will most likely need to define these themselves:

a.       HR will need to determine what level of sanctions it may wish to employ.

b.      Legal will need to determine what it wants to investigate and what it does not (it will also need to determine whether it is going to disclose a discovered breach).

c.       Compliance, Privacy, IT and Security will need to determine the impact on their controls (or lack thereof), creating a punch list of countermeasures and finding out why the ones they have deployed are not working, and what the impact is on your regulatory, statutory and standards-based compliance programs.

d.      Internal Audit will need to be informed, since they may be asked how they missed this over the years, and they will then refocus their efforts.

e.      Ensure you have solid investigation protocols and procedures, including chain of custody and rules of evidence, and an actual team (whether insourced or outsourced) at the ready.

7.       Be prepared to present a well-defined governance model for this whole process, or enhance the one you already have. Ensure you know how you will pursue whom you will pursue without violating any internal codes, statutes or regulations.

8.       Be prepared to throttle back on the depth of your discoveries. Sometimes the real truth is not desired. Sometimes only the illusion of due diligence is required.

9.       Establish a protocol for how you will handle the information that is found: where it will be stored, whether it will be destroyed, and who has the authority to do so.

10.   Get ready to field questions such as:

a.       Are you trying to get me fired?

b.      How could you allow this to happen?

c.       How long has this been going on?

                i.      Why are we just finding out about this now?

d.      Who has access to this information?

e.      Who have you told about this?

f.        Why did you deploy this and did I sign off on this?

g.       What is our liability?

h.      What are our competitors doing?

i.      Are you sure you are not trying to get me fired?
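Two of the points above are concrete enough to show in code: the crawl of unstructured data for credit card numbers and social security numbers described in the opening paragraph, and the consolidation of the many copies of the same file in item 4a. The following discovery scan is an added example written for this page, not code from the original post or from any DLP vendor. It runs over a small constructed in-memory corpus (a real crawl would walk file shares), validates candidate card numbers with the Luhn check so that a random 16-digit order ID is not reported as a card, rejects structurally impossible SSNs, reports only the last four digits of each hit so the findings file does not become a fresh copy of the data (item 9), and groups byte-identical files by SHA-256 so the duplicate copies can be consolidated. The file names, the sample text and the regular expressions are all assumptions made for the example.

```python
import hashlib
import re

# Constructed sample corpus standing in for the unstructured shares a DLP
# discovery crawl walks: path -> contents. Every value is test data:
# 4111111111111111 is the standard Visa test number, 4111111111111112 is the
# same string with a broken Luhn digit, 078-05-1120 is the well-known sample
# SSN, and 000-12-3456 uses an area number the SSA never issues.
SAMPLE_FILES = {
    "finance/q3_plan.txt": "Projected revenue; customer card 4111 1111 1111 1111 on file.",
    "hr/salaries.txt": "J. Doe 078-05-1120 salary 85000\nR. Roe 000-12-3456 salary 91000",
    "shared/copy_of_plan.txt": "Projected revenue; customer card 4111 1111 1111 1111 on file.",
    "eng/order_ids.txt": "order 4111111111111112 shipped",
}

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSN in AAA-GG-SSSS form, with the ranges the SSA never issues excluded:
# area 000, 666 and 900-999; group 00; serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_documents(files):
    """Return a (path, kind, masked_value) tuple for each finding.

    Only the last four digits are retained, so the findings report itself
    does not become another copy of the sensitive data.
    """
    findings = []
    for path, text in files.items():
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            # Length plus Luhn drops most numeric IDs that merely look like cards.
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((path, "PAN", "*" * (len(digits) - 4) + digits[-4:]))
        for m in SSN_RE.finditer(text):
            findings.append((path, "SSN", "***-**-" + m.group()[-4:]))
    return findings


def duplicate_groups(files):
    """Group paths whose contents are byte-identical (by SHA-256), so the
    copies the crawl turns up can be consolidated into one owned location."""
    by_hash = {}
    for path, text in files.items():
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        by_hash.setdefault(digest, []).append(path)
    return [sorted(paths) for paths in by_hash.values() if len(paths) > 1]


if __name__ == "__main__":
    for finding in scan_documents(SAMPLE_FILES):
        print(finding)
    for group in duplicate_groups(SAMPLE_FILES):
        print("duplicates:", group)
```

On the sample corpus the scan reports the card in both copies of the plan and one of the two SSNs, and stays silent on the order ID that fails Luhn and the SSN with an invalid area number; the duplicate pass pairs the two identical plan files. A real deployment would also want to tune the patterns against the organization's own false positives (part numbers, account IDs) before reporting to the senior audience in item 1.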

If you prepare prior to deployment, you may just avoid violating corporate Parental Advisories.