
FEATURE

Data Loss Prevention—Next Steps


Larry G. Wlosinski, CISA, CRISC, CISM, CAP, CBCP, CCSP, CDP, CIPM, CISSP, ITIL V3, PMP, is a senior consultant at Coalfire with more than 18 years of experience in IT security and privacy. Wlosinski has been a speaker on a variety of IT security and privacy topics at US government and professional conferences and meetings, and he has written numerous articles for magazines and newspapers.

Around 2007, it became obvious that the information security defenses that governments and businesses had implemented to prevent data loss were not fully effective. Malware and malicious individuals and organizations were wreaking havoc for many enterprises by capturing their sensitive data. These events became known as data breaches.

To help shore up deficient cyberdefenses, the security industry decided it was time to protect information at the data layer. This effort is now known as data loss prevention or data loss protection, DLP for short. This article is intended to:

• Identify and understand the data and areas of concern, such as ever-growing, persistent threats
• Develop an understanding of DLP, along with the associated threats and risk
• Identify causes of data loss so they can be addressed
• Examine the capabilities of current and future DLP tools and products
• Review DLP best practices to identify missing DLP program components
• Review technology and industry trends to be aware of what is on the horizon
• Provide recommendations and next steps for vendors, companies and other organizations

For this article, DLP encompasses not only information technology, but also other methods to protect data and prevent loss. This expanded definition is required because management and data owners need to understand that IT does not provide all the solutions.

Areas to Protect

From an IT perspective, there are three areas to protect: data at rest, data in motion and data in use. Before determining the steps missing from an enterprise's DLP program, it is important to know where its data are located. Figure 1 contains examples of locations where data exist, along with an indication of the functional areas in which to implement or enhance applicable security and privacy controls. Items with an asterisk indicate non-cyber/IT locations.

Figure 1—Informational Areas to Protect

Data at rest
Locations:
• Databases
• Local computers
• Access ports (e.g., Universal Serial Bus [USB] drives)
• Intranet/internal websites
• Internal directory shares
• Organizational data and email archives
• Mobile devices (e.g., laptop at home or in car)
• CDs and DVDs*
• Printed/hard-copy reports*
• Fax machines*
• Copiers*
• File cabinets*
Functional areas:
• Physical endpoint security
• Host device encryption
• Mobile device protection (identification and authentication)
• Network/Internet storage
• Physical media (storage, data transfer or archive)
• Disposal and destruction

Data in motion
Locations:
• Email (organization and personal)
• Web/Internet
• File transfers
• Data sharing
• Social media (e.g., Facebook, Twitter, LinkedIn)
• Instant messaging (IM)
• Blogs (Internet and intranet)
• Website postings
• Paper mail with sensitive data (e.g., personally identifiable information [PII], driver's license/ID, social security number [SSN])*
Functional areas:
• Perimeter security
• Network monitoring
• Internet access control
• Data collection and exchange
• Information messaging
• Remote access (must use a virtual private network [VPN])

Data in use
Locations:
• Workstation
• Server
• Mobile device/endpoint
Functional areas:
• Privileged user monitoring
• Access/usage monitoring
• Data anonymization (i.e., use codes as substitutes)
• Use of test data
• Data redaction
• Export/save controls

Threats and Areas of Risk

There are many types of data. Each type has associated security and privacy threats and risk that can have a severe impact on an enterprise if management, employees and supporting contractors are not aware of them. Addressing the threats and risk factors is critical to protecting data.

Figure 2 breaks down threats and risk factors by data type. Examples of each data type show what documents, repositories and media need to be protected. It is important that everyone in the enterprise understands this so that every person can be part of the solution, not the problem.

ISACA JOURNAL VOL 1 1

©2018 ISACA. All rights reserved. www.isaca.org

Figure 2—Data Types at Risk

Intellectual property
Examples: patent portfolio development and management materials such as:
• Invention disclosures
• Unpublished patent applications
• Invention presentations
• Related communications
• Formulas
Threats: competitors; foreign governments; discontented employees
Risk factors: loss of company advantage to competitors; brand damage

Legal documents
Examples: memos, communications, presentations and notes pertaining to:
• Litigation
• Pre-litigation
• Internal investigations
• Corporate governance
• Internal legal presentations
• Contracts
Threats: competitors
Risk factors: litigation; weak posture in a court of law

Strategic planning
Examples:
• Strategic plans
• Sales plans
• Research for mergers and acquisitions
• Unreleased merger or acquisition information
• Drafts of press releases or other announcements
• Pending patents
• New designs
• Information about purchasing power
Threats: competitors
Risk factors: weaker market position relative to competitors; erosion of shareholder value

Sales information
Examples:
• Price/cost lists
• Target customer lists
• Sales volume and projections
• Revenue potential
• Discount ratios
• Business-to-business orders
• Vendor data
Threats: competitors; discontented employees
Risk factors: insider trading; competing companies going after the enterprise's market with lower prices; regulatory fines or sanctions

Customer data
Examples:
• Customer lists
• Customer pricing
• Customer volumes
• Customer sales quotations
• Internal spending habits
• Contact details
• User preferences
• Customer profiles
• Payment statuses
• Contact history
• Account balances
• Purchase or transaction history
• Payment or contract terms
Threats: competitors
Risk factors: loss of customers; competitors leveraging the information against the enterprise; significant cost to notify affected parties

Marketing
Examples:
• Marketing and business road maps
• Business plans
• Business forecasts
• Competitive data
• Product designs
Threats: competitors
Risk factors: loss of market share; competing companies going after the enterprise's market with lower prices

Operations
Examples:
• Process and procedure advantages
• Productivity and efficiency strategies
Threats: competitors
Risk factors: competitors retooling or changing their processes to match the enterprise's and become more competitive

Finance
Examples:
• Pre-earnings releases
• Bank statements
• Financial statements
• Periodic company performance filings
• Payroll and equity data
Threats: competitors
Risk factors: loss of competitive advantage

Human resources
Examples:
• Recruiting lists
• Organization reporting structure
• Salaries
• Job titles and responsibilities
Threats: competitors
Risk factors: loss of key talent; internal dissension

Personal
Examples:
• Bank or financial account numbers and statements
• Health records and other personal health information (PHI)
• Credit card numbers
• Vehicle registration numbers
• Associated demographics
• Preferences
Threats: criminals; criminal organizations
Risk factors: employee and family well-being

PII
Examples:
• Full names
• Birthdays
• Birthplaces
• Biometric data
• Social security numbers (SSNs)
• National identification numbers
• Passport numbers
• Driver's license numbers
• Passwords
Threats: criminals; criminal organizations
Risk factors: impersonation; fraud; loss of savings; drop in credit standing

Government/country data
Examples:
• Agency data (e.g., law enforcement and border protection)
• Program design data (e.g., space programs)
• Citizen data (e.g., criminal investigations)
• Cybersecurity program data (e.g., Internet Protocol [IP] addresses, scan results)
• Network infrastructure sector data (e.g., power companies, toxic data storage)
Threats: criminal organizations; foreign countries; insiders
Risk factors: increased risk to citizens; increased risk to the country at large

Information technology
Examples:
• Network diagrams
• Configuration files (networks, systems, applications and databases)
• Wireless access keys
• Encrypted files (e.g., .zip, .pdf, .xls)
• Files with names such as "Passwords"
• Outlook offline files (e.g., PST, MSG)
• Software source code
• Spreadsheets with IP addresses
Threats: hackers; malware; discontented employees
Risk factors: loss of confidentiality; loss of integrity; loss of data availability; damage to company mission and standing

Causes of Data Loss

Another step necessary to protect data is understanding the reasons for data loss or theft. Figure 3 lists causes of data loss, broken down by potential area of weakness: people, process and technology. This list can also be read as a list of organizational vulnerabilities. Enterprises that have not implemented countermeasures against these causes and vulnerabilities should do so immediately. Addressing these potential vulnerabilities will help to reduce the level of risk.

DLP Product Capabilities

Enterprises that have not considered obtaining an automated DLP measure for monitoring and protecting the data in their cyberenvironment need to do so. However, it is important to be aware that vendor offerings and product capabilities vary. Some automated protective measures can be implemented at the network perimeter. Some require new programs to be installed on the computing devices and storage devices. Additionally, not all vendors provide the same product capabilities and features. In some cases, they can be complicated and may require technical staff to implement and maintain them.

Figure 4 lists examples of capabilities that exist in DLP products. To stay a step ahead of malware and malicious individuals, it is critical to watch for and implement DLP product changes and upgrades. Doing so will improve defenses, reduce the likelihood of data breaches and minimize the impact if one does occur.

Best Practices for DLP Planning and Preparation

When preparing to implement a DLP program in an enterprise, the following best practices are critical to success, and following them will reduce the likelihood of a data breach:1, 2, 3, 4, 5

Figure 3—Weaknesses and Causes of Data Loss

People (insider threat)
Unintentional:
• Lack of awareness, inadequate awareness programs
• Lack of skills and training in technologies, which can lead to unintentional or accidental misuse
• Lack of users' responsibility and/or accountability for their actions
• Not understanding the risk to the enterprise and one's job
• Leaving sensitive data on an unattended printer
• Emailing sensitive data without encryption
• Sharing work devices without supervision
Intentional:
• Exposing or stealing data due to discontent
• Exposing or stealing data due to being blackmailed
• Printing and copying sensitive data
• Selling company data/information
• Having one's own agenda during employment or when leaving the company (e.g., malicious intent, hacking, fraud)
• Breaching trust among developers
• Misusing or sharing passwords
• Using unauthorized programs on corporate computers
• Copying data to a remote personal computer (to support work effort)

Process
Poor oversight:
• Lacking governance on the use, retention and protection of data (to include government compliance and company policy violations)
• Leaving data unguarded (e.g., in an unsupervised office or area)
• Not assessing how sensitive data are shared with third parties
• Not implementing or enforcing least privilege for system and file access
• Responding insufficiently to physical intrusions or cyberintrusions
• Not conducting information risk assessments to determine the threats and business impacts of data exposure
Negligence:
• Categorizing sensitive data improperly
• Lacking or not properly defining a data retention policy
• Lacking data transmission procedures
• Lacking data usage monitoring
• Transmitting sensitive data unintentionally
• Not closing accounts after their expected use has expired (e.g., service accounts)

Technology
Unintentional:
• Loss or theft of an employee laptop or mobile device
• Data at rest stored without encryption (e.g., laptop, database, removable media)
• Obtaining or inheriting data from another system
• Having technical controls that do not measure or evaluate the level of attack persistence
• Exploitation of weaknesses in a database development environment
• Having unnecessary services on the computer that can be exploited
• Processing production data in the development environment
Tool limitation:
• Not performing regular software updates and patching (includes not only the operating system, but administrator tools and commercial-off-the-shelf [COTS] software)
• Remote access tools not being flexible enough to support the enterprise, thereby forcing employees to use thumb drives and personal computing devices
• Not using content-aware DLP tools (e.g., email tools that automatically perform data encryption)
• Faults in vendor products (software and/or hardware)
Design or implementation problems:
• Lack of flexibility in remote connectivity
• Lack of secure communication platforms
• Inappropriate access rights to applications with sensitive data
• Lack of secure transmission links between the enterprise and a third party
• Poor system programming and/or design
• Poor policy and/or execution (e.g., overzealous implementations)
Intentional:
• Compromising IT protective measures
• Using digital cameras to capture images of printed or displayed data

Figure 4—Protecting With DLP Products

Data at rest
• Tag assets based on data classification/sensitivity.
• Scan storage technology (e.g., Windows file servers, Unix file servers, network storage, SharePoint files).
• Provide HTTPS-based services.
• Scan local drives (e.g., desktops, laptops, virtual machines).
• Analyze data in a cloud storage system.
• Perform forensic analysis to track leaked documents.
• Report on sensitive document printing.
• Send alerts to the central management server if there is a policy violation.
• Locate unencrypted sensitive data (e.g., credit or debit card numbers).
• Perform dynamic watermarking of sensitive documents at the time of creation.
• Perform data proximity analysis to prevent the possibility of fraud.
• Implement digital fingerprinting to mark files so they can be tracked.

Data in motion
• Enforce company DLP policies.
• Detect file movement.
• Block undesired traffic by file type (e.g., computer-aided design/computer-aided manufacturing [CAD/CAM] files).
• Monitor instant messaging (IM) traffic.
• Automatically encrypt network traffic.
• Scan incoming and outgoing file transfers.
• Monitor unsecure communication protocols (e.g., Telnet).
• Monitor HTTP protocol communications and attachments.
• Monitor Secure Sockets Layer (SSL)/Transport Layer Security (TLS) traffic (this requires the DLP gateway to terminate and inspect the encrypted session).
• Scan email (e.g., for PHI, credit and debit card numbers, intellectual property).
• Report on uploads to email and file-sharing services.
• Report on (e.g., via real-time alerts or logging) USB and removable storage use.

Data in use
• Monitor, block and quarantine email (e.g., corporate, smartphones, tablets).
• Monitor web mail (e.g., MSN, Gmail, Hotmail, Opera, Lotus Notes).
• Provide the user with a violation warning (e.g., when copying and pasting sensitive information).
• Scan social media (e.g., Facebook).
• Scan internal blogs.
• Scan files being printed.
• Provide alerts when files are copied to removable media.
• Monitor website posting.
• Watch for files being written to CD/DVD.
• Perform automatic encryption.
• Observe user interaction with data.
• Perform ad hoc user monitoring and searches when needed.
• Watch for cold boot attacks.
• Enforce mobile device controls.
• Display customizable messaging to deter users from stealing data. (The message can be a warning banner, or it can lock the computer if a reply is not received.)
• Support mobile device management (MDM) systems.
• Support identity and access management (IAM) systems.
• Analyze behavior (using artificial intelligence to detect data exfiltration).

• Management approval—Obtain support from top executives, system owners and stakeholders. This includes identifying and involving representatives from all departments to obtain buy-in.
• Data comprehension—Develop an understanding of the data. To accomplish this:
– Define the enterprise's critical and sensitive data elements. Definitions should include exposure condition severity (i.e., low, medium and high).
– Determine the DLP requirements. This includes understanding where the data originate, the value of the data, where they reside, the enterprise's obligations for protecting the data, who is accessing them and where the data are going. It is important to be aware that strict regulatory legislation is coming into force in the European Union (EU) (i.e., the General Data Protection Regulation [GDPR]),6 under which a breach could result in a large fine, potentially a percentage of an enterprise's annual worldwide revenue, and which also applies to enterprises outside of the EU that handle EU residents' data. Other countries have also implemented data protection and privacy legislation that readers may need to become familiar with (e.g., Australia's data privacy laws7 and the United Kingdom's Data Protection Act8). Additionally, in the United States, the state of California has expanded its privacy laws.9
– Conduct a gap and risk analysis, and then determine the steps necessary to protect the data.
– Design and/or update the enterprise's security architecture (hardware and software).
• Records management—Identify the data owner or custodian who should be responsible for managing the data throughout their life cycle, which includes data in use, in motion and at rest. Records management not only concerns data backups, archives and retention, but also data destruction. This best practice is especially important regarding the types of data discussed in figure 2.
• Cost-benefit analysis (CBA)—Perform a cost-benefit analysis of the DLP tools under consideration. This will help to understand the total cost of ownership of DLP solutions/tools. The analysis should cover both implementation and operational costs.
• DLP strategy—Define a data protection strategy that can function as a business case. The strategy objectives should cover the following, at a minimum:
– Prevent the intentional or unintentional disclosure of sensitive data at rest, in use and in motion to unauthorized parties.
– Maintain adequate security and simultaneously provide data usability.
– Protect customer data, brand reputation (if applicable) and company secrets.
– Protect PII, intellectual property and other information as described in figure 2.
– Reduce the enterprise's risk and the cost of compliance. Consider government oversight requirements regarding financial, personal and health data.
– Establish security, privacy and compliance measures.
– Consider having a security partner to protect web and mobile applications from critical data loss.
• Risk assessment—Conduct a risk assessment that involves a cross-departmental team that can create meaningful policies and procedures and effective oversight requirements.
• Policies and processes—Establish DLP egress policies and policy management processes that cover:
– How to securely send sensitive data to third parties
– Whether employees may send sensitive data to their home computers and personal email
– How to handle data that are considered sensitive and that require data protection controls
– A response plan for data leakage events, which includes how to deal with those who break policy
• Awareness and training—Establish the enterprise's awareness and role-based training program. Areas to cover include:
– Educating business units on business, security and privacy risk
– Educating staff on what is sensitive and the risk associated with breaking the rules/policies
– Explaining to everyone the policies on proper use of email, the Internet and security tools (e.g., file encryption)
– Explaining applicable local, state and federal/country laws
– Training key staff on personal responsibilities and complying with information security and data protection policies

Best Practices for DLP Implementation

When implementing a DLP program and/or deploying DLP tools, the best practices listed in figure 5 should be used to minimize vulnerabilities. Not implementing these best practices can cause setbacks and problems.

Other DLP Recommendations

Sometimes, organizational program implementation policies display bad security practices and contribute to vulnerabilities that allow for data loss. Figure 6 presents some of those bad practices and recommendations on how to handle them.

Technology and Industry Trends

Information-security-related organizations (e.g., McAfee, Symantec, RSA, Verizon, Ponemon, Fortinet, Gartner) have begun to study malicious cyberactivities, conduct surveys and report trends. Some experts have predicted the future of DLP technology to help professionals address threats.10 It is critical for an enterprise to stay on top of trends and ahead of those who may try to obtain their data. It is always better to be prepared than to react to the consequences of data loss.

Figure 5—Best Practices for Addressing Concerns

People
• Do not leave sensitive data unattended.
• Do not permit copying of sensitive data onto removable media.
• Provide view-only access to sensitive information.
• Incorporate data protection clauses in contracts.

Management
• Implement a data management life cycle to organize data and manage their storage and use.
• Regularly update data risk profiles to be aware of new threats.
• Identify potential places where sensitive information might leak.
• Standardize the endpoints to make deployment more manageable.
• Document DLP incidents.
• Periodically audit the enterprise for compliance.

Deployment
• Deploy DLP in waves for quick wins (e.g., address the highest areas of risk first, implement compliance policies in one phase, install standardized devices).
• Break decision-making and the implementation of solutions into phases.
• Start with a minimal policy base (monitor-only at first) to handle false positives, help identify the critical or sensitive data, and fine-tune DLP policies before blocking anything.
• Test the implementation in a small, controlled unit before going full scale.
• Implement document-level security (e.g., encrypt data before transport and storage in a cloud).
• Repeat the discovery and fine-tuning process to protect the information, and establish controls that are understood by stakeholders and system users.

IT-restrictive controls
• Do not allow unauthorized devices in the network.
• Block wireless communication.
• Block files containing personal identity information.
• Disable all CD/DVD burners from writing.
• Make all USB removable storage devices read-only, except authorized devices.
• Make authorization and access controls multilayered.
• Perform DLP discovery scanning at a desired frequency (or on demand) to audit and maintain awareness of the security status.

Product selection
• Check the DLP product to see if it supports the enterprise's data formats.
• Scan data stores for sensitive information and, if necessary, take remedial action.
• Use the DLP tool to automatically find unencrypted sensitive data, encrypt the information, and remove the information or perform another remediation according to the enterprise's policies.
• Select a product that provides reports on incidents of DLP policy violations.
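The Figure 4 capabilities of locating unencrypted card numbers and fingerprinting protected documents, and the Figure 5 advice to start small and tune out false positives, come down to a few concrete mechanisms. The following Python program is an added example written for this page, not code from the article or from any DLP vendor. It shows a content-aware check with a Luhn test that rejects card-number look-alikes, a word-shingle fingerprint that catches a paragraph copied out of a protected document, and an egress policy that blocks, alerts or allows. The protected document, the sample messages, the 5-word shingle size and the 30% overlap threshold are all constructed assumptions for illustration; 4111 1111 1111 1111 is a well-known test card number.

```python
"""Content-aware DLP check: pattern matching with Luhn validation,
document fingerprinting by word shingles, and an egress policy decision.
Added example for this page; thresholds and sample data are assumptions."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form; excludes area 000/666/9xx, group 00, serial 0000
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. A regex hit that fails this is almost always a false
    positive (order numbers, tracking numbers, timestamps), so it is the
    cheapest tuning step for a 'locate unencrypted card numbers' rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, digits only."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list[str]:
    return SSN_RE.findall(text)


SHINGLE = 5   # words per shingle (assumption; longer = fewer chance matches)


def fingerprint(text: str) -> set[str]:
    """Hash every run of SHINGLE consecutive normalized words. Any paragraph
    copied out of the protected document shares most of these hashes with
    it, even after reformatting or a change of file type."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()[:16]
        for i in range(len(words) - SHINGLE + 1)
    }


def fingerprint_overlap(candidate: str, protected_fp: set[str]) -> float:
    """Fraction of the candidate's shingles that also occur in the
    protected document (0.0 when the candidate is too short to shingle)."""
    cand = fingerprint(candidate)
    return len(cand & protected_fp) / len(cand) if cand else 0.0


@dataclass
class Verdict:
    action: str            # "allow", "alert" or "block"
    reasons: list[str]


def evaluate_egress(message: str, protected_fp: set[str], external: bool,
                    overlap_block: float = 0.3) -> Verdict:
    """Assumed egress policy: sensitive identifiers bound for an external
    recipient are blocked, internal sends are alerted on, and any message
    reproducing >= overlap_block of a protected document is blocked."""
    reasons: list[str] = []
    pans, ssns = find_pans(message), find_ssns(message)
    if pans:
        reasons.append(f"{len(pans)} Luhn-valid card number(s)")
    if ssns:
        reasons.append(f"{len(ssns)} SSN(s)")
    overlap = fingerprint_overlap(message, protected_fp)
    if overlap >= overlap_block:
        reasons.append(f"{overlap:.0%} overlap with a protected document")
        return Verdict("block", reasons)
    if (pans or ssns) and external:
        return Verdict("block", reasons)
    if pans or ssns:
        return Verdict("alert", reasons)
    return Verdict("allow", reasons)


# Constructed sample data. 4111 1111 1111 1111 is a well-known test PAN.
PROTECTED_DOC = (
    "Project Falcon strategic plan. We intend to acquire Northwind Traders "
    "in Q3 and announce the merger at the investor day. Pricing for the "
    "enterprise tier will drop by twenty percent after the acquisition closes."
)
PROTECTED_FP = fingerprint(PROTECTED_DOC)

SAMPLE_MESSAGES = {   # name: (body, recipient is external?)
    "card_external": ("Please charge 4111 1111 1111 1111 for order 1234567890123", True),
    "luhn_false_positive": ("Tracking 4111-1111-1111-1112 shipped today", True),
    "ssn_internal": ("New hire SSN 123-45-6789, please enroll in payroll", False),
    "leak_of_plan": ("FYI: we intend to acquire Northwind Traders in Q3 and "
                     "announce the merger at the investor day.", True),
    "benign": ("Lunch at noon? Call me on 555-123-4567", True),
}

if __name__ == "__main__":
    for name, (body, ext) in SAMPLE_MESSAGES.items():
        v = evaluate_egress(body, PROTECTED_FP, ext)
        print(f"{name:20} {v.action:6} {'; '.join(v.reasons)}")
```

Run it to print one verdict per sample message. The Luhn check is what keeps order and tracking numbers out of the alert queue, which is the false-positive tuning Figure 5 asks for; the shingle fingerprint survives reformatting and partial copying but not a paraphrase, which is why Figure 4 pairs content matching with user behavior analysis.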

Figure 6—Recommendations to Address Bad Practices

Bad practice: Implementing data shares (e.g., SharePoint) with no thought for least privilege
Risk/result: Anyone in the organization can obtain the data and use them for their own gains.
Recommendation: Implement least privilege for every data share.

Bad practice: Implementing an internal search engine that crawls the entire company network for data with no restrictions
Risk/result: Everyone in the company can access and distribute possibly sensitive or private data.
Recommendation: Determine what should and should not appear in the search engine results and apply appropriate filters.

Bad practice: Implementing an email data retention policy that is too short just to manage space and associated costs
Risk/result: Employees and support contractors can lose valuable information about their contacts, supporting documents, deliverables, history, etc. This is an example of internal data loss.
Recommendation: Set retention by legal and business need rather than by storage cost, and obtain more storage space; cloud storage was designed to scale when needed.

Bad practice: Having an intranet search engine that does not have accurate filtering or presentation limitations
Risk/result: Retrieved results will include anything that has one character in common. Sensitive data and PII may be part of the retrieval.
Recommendation: Put restrictions on the search. If anything can be part of the results, then the user will obtain many irrelevant links and the search will take longer.

Bad practice: Not cleaning up the results of a search engine
Risk/result: The engine will provide a lot of nonapplicable information. Additionally, data storage requirements will continue to grow without end. Aside from polluting the well, search engine performance is affected. In this case, bad data are retained for an unknown period.
Recommendation: Implement a periodic cleanup process so that data management can be employed. This is important because old results will include not only bad, but also corrupted data. Data corruption can contribute to application failure.

Bad practice: Not following best practices
Risk/result: The DLP program can fail. Critical data can be lost, resulting in response costs and possibly fines and/or the loss of market position.
Recommendation: Implement DLP best practices as described in this article.

DLP Technology

The following trends in technology can be expected to drive the creation of more and more DLP products:

• Algorithms—Improved algorithms for recognizing sensitive data such as PII, PHI and nonpublic/private data will become more prominent.
• Behavior products—New products will be based on automated human behavior identification and management. Some cybersecurity solutions can already find internal organizational threats based on behavioral changes within the network.
• Encryption—Enhanced encryption processes will combine consistently changing algorithms. Multilayer encryption key management technology will be needed to outwit cybercriminals.
• Data manipulation—At-rest and in-motion security issues will be addressed by shredding, randomizing and placing sensitive data in globally diverse storage locations.
• Authentication—Entering a password will no longer be the primary way to access data. Instead, access will depend on establishing who someone is when they log in. Multiple layers of authentication will be required.

DLP Industry

Malicious intent and product deficiencies are driving some organizations to implement, obtain and improve their DLP products. Predictions about the DLP industry include:

• Vendor changes—Larger companies will acquire best-in-class cloud DLP companies and integrate the technology into their existing products. Other vendors will expand their own DLP capabilities.
• DLP professionals—There will be an increase in the need for cybersecurity professionals who can implement DLP policies and tools. Medium and small enterprises will be affected the most if they cannot afford full-time DLP professionals.
• DLP as a service—To leverage data protection as a service, IT teams can offload the management aspect to vendors so that they can focus on growing the business rather than managing the storage. Small enterprises will gravitate to these managed services.
• Outsourcing—There will be an increase in the outsourcing of vulnerability and penetration testing to better identify points of weakness in the enterprise architecture and device configurations.
• Awareness—Enterprises will develop awareness and role-based training programs (if they do not already have them in place) that have greater depth and more content to cover DLP concerns.

Conclusion

The next steps to a successful DLP program are the enterprise's to decide. They include:

• Developing an understanding of what data are sensitive and where to find them
• Being aware of the threats and associated risk of data loss
• Identifying the causes of data loss (i.e., internal vulnerabilities) to implement measures to prevent them
• Understanding DLP product differences and selection criteria to better evaluate vendor tools and techniques
• Determining the best practices to follow when developing and implementing a DLP program
• Understanding areas of bad data-handling practices that are critical to address now
• Determining what and where to implement or improve a program (via technology improvements and changes in activities)
• Identifying information that can be used to develop a data protection awareness training program

As billions of devices are launched into circulation, it will be even easier for those with malicious intent to breach networks. Protecting data-sensitive systems is vital. This article can help enterprises harden their cyber and procedural defenses during preparation, deployment, awareness and training, and planning for the future.

As long as there is human involvement, the areas of concern will continue to evolve. It is essential to maintain vigilance to avoid and eliminate weakness in cyber and work environments.

Endnotes

1 Yamasani, L.; Data Leak Prevention: Best Practices, April 2015, http://m.isaca.org/chapters8/Silicon-Valley/Members/Documents/Monthly%20Meetings/2015%20-%20April%20Meeting%20%20-%20DLP%20-%20Lokesh%20Yamasani.pdf
2 Hall, S.; "Data Loss Prevention (DLP): Keeping Sensitive Data Safe From Leaks," eSecurity Planet, 10 April 2017, https://www.esecurityplanet.com/network-security/data-loss-prevention-dlp.html
3 Garg, R.; "10 Considerations for Implementing a Data Loss Prevention (DLP) Solution," Zecurion, 20 January 2017, http://zecurion.com/2017/01/30/10-considerations-for-implementing-a-data-loss-prevention-dlp-solution/
4 Ernst & Young, Data Loss Prevention, October 2011, www.ey.com/Publication/vwLUAssets/EY_Data_Loss_Prevention/$FILE/EY_Data_Loss_Prevention.pdf
5 IDG Enterprise, Five DLP Tips From Security Executives, http://resources.idgenterprise.com/original/AST-0079952_SymantecFINAL.pdf
6 European Commission, "Reform of EU Data Protection Rules," http://ec.europa.eu/justice/data-protection/reform/index_en.htm
7 Electronic Frontiers Australia, "Data Protection Laws/Privacy Acts," 21 January 2006, https://www.efa.org.au/Issues/Privacy/privacy.html
8 Legislation.gov.uk, "Data Protection Act 1998," www.legislation.gov.uk/ukpga/1998/29/contents
9 State of California Department of Justice, "Privacy Enforcement and Protection," USA, https://oag.ca.gov/privacy
10 Lord, N.; "Experts on the Data Loss Prevention (DLP) Market in 2016 and Beyond," Digital Guardian, 27 July 2017, https://digitalguardian.com/blog/experts-data-loss-prevention-dlp-market-2016-beyond
