Practical DLP Implementation

Author: Christopher Nanchengwa, CISA, CRISC, ITIL v3, PRINCE2
Date Published: 28 January 2019

Practical implementation and management of a data loss prevention (DLP) solution, or of a portfolio of such solutions, should follow a logical process that delivers holistic protection of information resources. Strategies intended to protect information resources should span the three generic domains of people, processes and technology.

Understand the Business Layout
Implementers and managers of DLP solutions first need to understand the business layout of the institution requiring protection, which entails understanding the organization's information strategy. An information strategy identifies the organization's valuable or business-critical information and how the organization intends to use that information to add value. Beyond identifying the critical information, those responsible for protecting it need to understand how it flows between the various units of the organization and to and from external parties, because a DLP control placed where the information does not actually flow protects nothing. The various technologies that process the information should be inventoried, and a protection profile should be defined for each technology class (e.g., endpoints, email, file shares, cloud storage). The COBIT 5 Goals Cascade can help translate the organization's information goals into a technical protection profile.

Develop a Culture of Information Ownership
Every piece of information within the organization should be traceable to a business owner who is responsible and accountable for its usage and protection. Practically speaking, the information owner is normally a business unit head or someone senior enough to decide how information resources are used. Typically, information owners do not have the technical expertise to implement security measures; they rely on system owners (i.e., the individuals responsible for the systems that house the information) and custodians (i.e., the individuals with hands-on data management expertise who ensure the resources are protected). Recording this ownership matters for DLP in practice: every classification decision and every DLP policy (what is monitored, what is blocked, who is notified) needs an accountable business approver, and unowned data is the data most likely to leak.

Implement Protective Measures
To ensure a holistic approach, guardians of information resources should avoid a one-solution or silver-bullet approach, because information exists in multiple states (at rest, in transit and in use), and a single control rarely covers all of them. The various aspects of information, including the people, the processes and the technology, need to be aligned in a manner that supports the achievement of organizational objectives. The defense-in-depth (DiD) model (figure 1) provides a practical approach to this endeavor.

Figure 1—Defense in Depth

The COBIT 5 Enablers (figure 2) also provide practical support to this effort by identifying the key components of the information ecosystem.

Figure 2—COBIT 5 Enablers

Source: ISACA, COBIT 5, USA, 2012. Reprinted with permission.

Keep the Momentum Going
The protection of information resources is a living, active process requiring continuous monitoring and improvement. DLP policies in particular need ongoing tuning: alerts must be reviewed, false positives reduced, and rules updated as the information strategy, data flows and technologies change. A good understanding of the organization's information strategy enables the respective guardians to develop and maintain a risk management program that ensures the continued protection of information resources.

Read Christopher Nanchengwa's recent Journal article:
"The Four Questions for Successful DLP Implementation," ISACA Journal, volume 1, 2019.