So far, in this Data Loss Prevention series, we've discussed:
Now, we're going to talk about some steps that you can take to successfully implement your data loss prevention plan.
1. Identify Key Participants – Assemble those that should be involved internally when you identify data loss. Participants may include IT, HR, and Operations employees. Identify the individuals and meet with them to work out what situations they will need to be involved in.
2. Develop Notification Process – Do you have processes ready if a regulated data breach occurs? Who will be notified? Is your legal or compliance team ready to meet requirements such as breach notification laws? Get your compliance people in the loop and have them write the process with you.
3. Fix Broken Business and Weak Processes – Assume that you will find broken business processes, like automated file transfers to partners in clear text over the internet instead of encrypted or over a private line. You’ll spend time getting these fixed.
4. Create a Plan for Handling Theft – Talk with HR to establish a process if you uncover insider theft. Give HR a heads up and involve them in the roll-out. The insider may be at a senior level, so consider that as well.
5. Establish the Response Team and Workflow – Map out your incident handling and resolution process as a flowchart. Who will be on the incident handling team? In larger organizations you might have: a first-level reviewer (making sure the incident is properly classified with the right severity – typical in large enterprises), IT, Security, Compliance, and HR.
6. Set a Timeline for Incident Resolution – Set goals for making sure incidents are handled in a timely manner:
- First level review of all incidents within x amount of time
- Resolve all high severity incidents within y amount of time
- Close all incidents within z amount of time (resolving incidents within 2 hours).
- Incidents Created
- Incidents Closed
- Open Incidents Status – by age, severity, owner
- A report sorted by the type of data or by policy that was violated
- Summary reports for your CSO or execs
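The timeline targets in step 6 and the report list above only help if someone actually measures them. The following script is an added example, not code from the article or from the firm that wrote it: it models a DLP incident with the review / resolve / close timestamps the workflow produces, flags incidents that have missed a timeline (the x / y / z values are assumed placeholders), and builds the open-incident status report by age, severity, owner and violated policy. The incident records and the clock are constructed sample data.

```python
"""Toy incident tracker for a DLP response workflow: checks the review /
resolution / closure timelines and produces the open-incident status report.
Sample incidents and SLA values below are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed targets standing in for the article's x / y / z placeholders.
SLA_FIRST_REVIEW = timedelta(hours=4)   # x: first-level review of every incident
SLA_HIGH_RESOLVE = timedelta(hours=24)  # y: resolve high-severity incidents
SLA_CLOSE_ALL = timedelta(days=7)       # z: close every incident


@dataclass
class Incident:
    id: str
    policy: str            # which DLP policy fired, e.g. "PCI" or "Company-IP"
    severity: str          # "high" | "medium" | "low"
    owner: str             # current handler in the workflow
    created: datetime
    reviewed: Optional[datetime] = None  # first-level reviewer confirmed classification
    closed: Optional[datetime] = None


def sla_breaches(incidents: List[Incident], now: datetime) -> List[Tuple[str, str]]:
    """Return (incident id, missed rule) pairs. Open incidents are measured
    against `now`, so a breach surfaces while the incident is still actionable."""
    breaches = []
    for inc in incidents:
        review_at = inc.reviewed or now
        if review_at - inc.created > SLA_FIRST_REVIEW:
            breaches.append((inc.id, "first_review"))
        done_at = inc.closed or now
        if inc.severity == "high" and done_at - inc.created > SLA_HIGH_RESOLVE:
            breaches.append((inc.id, "high_resolve"))
        if done_at - inc.created > SLA_CLOSE_ALL:
            breaches.append((inc.id, "close_all"))
    return breaches


def age_bucket(age: timedelta) -> str:
    """Coarse age bands for the 'open incidents by age' view."""
    if age < timedelta(days=1):
        return "<24h"
    if age <= timedelta(days=7):
        return "1-7d"
    return ">7d"


def status_report(incidents: List[Incident], now: datetime) -> Dict[str, object]:
    """The report set the article lists: created, closed, open by age /
    severity / owner, and a breakdown by the policy that was violated."""
    open_incs = [i for i in incidents if i.closed is None]
    return {
        "created": len(incidents),
        "closed": sum(1 for i in incidents if i.closed is not None),
        "open_by_age": dict(Counter(age_bucket(now - i.created) for i in open_incs)),
        "open_by_severity": dict(Counter(i.severity for i in open_incs)),
        "open_by_owner": dict(Counter(i.owner for i in open_incs)),
        "by_policy": dict(Counter(i.policy for i in incidents)),
    }


# Constructed sample data; a fixed clock keeps the output reproducible.
NOW = datetime(2024, 1, 10, 12, 0)
SAMPLE = [
    Incident("INC-1", "PCI", "high", "alice", NOW - timedelta(hours=30),
             reviewed=NOW - timedelta(hours=29), closed=NOW - timedelta(hours=20)),
    Incident("INC-2", "PCI", "high", "bob", NOW - timedelta(hours=26),
             reviewed=NOW - timedelta(hours=25)),                 # open past 24h
    Incident("INC-3", "State-Privacy", "medium", "alice",
             NOW - timedelta(hours=6)),                           # never reviewed
    Incident("INC-4", "Company-IP", "low", "carol", NOW - timedelta(days=8),
             reviewed=NOW - timedelta(days=8) + timedelta(hours=1)),  # open past 7d
    Incident("INC-5", "State-Privacy", "low", "bob", NOW - timedelta(hours=2)),
]

if __name__ == "__main__":
    for inc_id, rule in sla_breaches(SAMPLE, NOW):
        print(f"timeline missed: {inc_id} ({rule})")
    for line, value in status_report(SAMPLE, NOW).items():
        print(f"{line}: {value}")
```

Run as-is it reports INC-2 (high severity, open beyond the resolve target), INC-3 (no first-level review in time) and INC-4 (open beyond the close-all target), then prints the counts an exec summary would draw from. Feeding it real incidents means replacing the SAMPLE list with an export from whatever DLP console or ticketing system holds the workflow.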
8. Plan Roll-Out Stages – It’s important to plan your roll-out in stages rather than trying to attack the problem all at once.
- Select data and policies to be implemented in stages, e.g. first the customer billing database for PCI violations, then the next set of data and policies for state privacy regulations, then company IP data and policies.
- Roll-out and test your policies in a monitor only mode, to set a baseline. But you have to be prepared for a significant breach to happen. That’s why we advise people to anticipate data loss and prepare for it in advance.
- Decide when you will have the solution notify end users and what you expect of them. Use this for user education about your policies on data handling. You can expect to see the number of incidents drop as users are notified on each violation. Set up your reporting ahead of time so you can track the trend.
Implementing and maintaining a Data Loss Prevention solution should not be painful. Please contact Brian Rosenfelt at 440-449-6800 for more information on this topic, or for more information on our other Cleveland IT services.


Comments for Data Loss Prevention – Part 4 – Steps for a Successful Data Loss Prevention Implementation