
1. IDENTIFY EXTENDED TEAM – Assemble those who should be involved internally when you identify data loss. In larger organizations, in addition to your InfoSec team, you might have: IT, Security, Compliance, HR, Legal, CSO/CISO. Identify the individuals and meet with them to work out which situations they will need to be involved in.
2. DEVELOP BREACH NOTIFICATION PROCESS – Do you have processes ready if a regulated data breach occurs? Who will be notified? Is your legal or compliance team ready to meet requirements such as breach notification laws? Get your compliance people in the loop and have them write the process with you. Consider what you would have done if you were one of the companies whose data was lost by Epsilon.
3. FIX BROKEN BUSINESS PROCESSES (E.G. AUTOMATED TRANSFERS) – Assume that you will find broken business processes, like automated file transfers to partners in clear text over the internet instead of encrypted or over a private line. You’ll spend time getting these fixed. Often the Info Security team needs a champion advocate to get other parts of IT to drop what they’re doing and get these changes made. Arrange this ahead of time.
4. CREATE PLAN FOR HANDLING INSIDER THEFT – Talk with HR to establish a process to follow if you uncover insider theft. Give HR a heads-up and involve them in the roll-out. The insider may be at a senior level, so consider that as well. At Code Green Networks we’ve seen executive-level data theft, so do not assume anything.
5. ESTABLISH THE INCIDENT TEAM AND WORKFLOW – Map out your incident handling and resolution process as a flowchart. Who will be on the incident handling team? In larger organizations you might have: a first-level reviewer (who makes sure each incident is properly classified with the right severity; typical in large enterprises), IT, Security, Compliance, HR. Identify the individuals in your extended team.
6. SET SLAs FOR INCIDENT RESOLUTION – Set goals for making sure incidents are handled in a timely manner. We’ve had folks establish SLAs for:
- First level review of all incidents within x amount of time
- Resolve all high severity incidents within y amount of time
- Close all incidents within z amount of time (e.g. resolving incidents within 2 hours).
7. ESTABLISH REPORTING AND AUTOMATE – How are you going to track things? Decide what reports you’ll need to have and who should get them. Set up scheduled reports so that you know what is happening and that your team is resolving incidents within your SLA goals. Reports for:
- Incidents Created
- Incidents Closed
- Open Incidents Status – by age, severity, owner
- A report sorted by the type of data or by policy that was violated
- Summary reports for your CSO or execs
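The SLA goals in step 6 and the reports in step 7 are easy to automate once incidents carry timestamps, a severity, an owner and the policy they violated. The script below is an added example, not Code Green Networks code; the SLA values and the sample incidents are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Incident:
    id: str
    policy: str            # policy violated, e.g. "PCI", "StatePrivacy", "IP"
    severity: str          # "high", "medium" or "low"
    owner: str
    created: datetime
    first_reviewed: Optional[datetime] = None   # None = not yet reviewed
    closed: Optional[datetime] = None           # None = still open

# Hypothetical SLA goals standing in for the post's x, y and z.
SLA = {"first_review": timedelta(hours=1),    # first-level review of every incident
       "resolve_high": timedelta(hours=4),    # high-severity incidents resolved
       "close_all": timedelta(hours=48)}      # every incident closed

def sla_report(incidents, now):
    """Flag SLA breaches, list open incidents by age/severity/owner, count by policy."""
    breaches = {"first_review": [], "resolve_high": [], "close_all": []}
    open_status, by_policy = [], {}
    for inc in incidents:
        by_policy[inc.policy] = by_policy.get(inc.policy, 0) + 1
        # An incident still waiting on a step has the clock running until 'now'.
        reviewed_at = inc.first_reviewed or now
        if reviewed_at - inc.created > SLA["first_review"]:
            breaches["first_review"].append(inc.id)
        end = inc.closed or now
        if inc.severity == "high" and end - inc.created > SLA["resolve_high"]:
            breaches["resolve_high"].append(inc.id)
        if end - inc.created > SLA["close_all"]:
            breaches["close_all"].append(inc.id)
        if inc.closed is None:
            age_h = round((now - inc.created).total_seconds() / 3600, 1)
            open_status.append((inc.id, inc.severity, inc.owner, age_h))
    open_status.sort(key=lambda row: -row[3])   # oldest open incidents first
    return {"breaches": breaches, "open": open_status, "by_policy": by_policy}

# Constructed sample incidents; NOW is six hours after T0.
T0 = datetime(2024, 1, 1, 9, 0)
NOW = T0 + timedelta(hours=6)
SAMPLE = [
    Incident("INC-1", "PCI", "high", "alice", T0, T0 + timedelta(minutes=20), T0 + timedelta(hours=2)),
    Incident("INC-2", "PCI", "high", "bob", T0, T0 + timedelta(hours=2)),            # late review, still open
    Incident("INC-3", "StatePrivacy", "low", "alice", T0 - timedelta(days=3),
             T0 - timedelta(days=3) + timedelta(minutes=10)),                          # open for 3 days
    Incident("INC-4", "IP", "medium", "carol", T0 + timedelta(hours=4)),               # never reviewed
]

if __name__ == "__main__":
    print(sla_report(SAMPLE, NOW))
```

Scheduling this against the DLP system's incident export gives the per-policy and open-incident views listed above, and the breach lists feed the executive summary.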
8. PLAN ROLL-OUT STAGES – It’s important to plan your roll-out in stages rather than trying to boil the ocean.
- Select data and policies to be implemented in stages, e.g. first the customer billing database for PCI violations, then the next set of data and policies for state privacy regulations, then company IP data and policies.
- Roll out and test your policies in a monitor-only mode to set a baseline. But you have to be prepared for a significant breach to surface. At Code Green Networks we have seen many DLP assessments and POCs uncover significant data loss and come to a screeching halt as the customer scrambles to figure out how to handle it. That’s why we advise people to anticipate data loss and prepare for it in advance.
- Decide when you will have the solution notify end users and what you expect of them. Use this for user education about your policies on data handling. You can expect to see the number of incidents drop as users are notified on each violation. Set up your reporting ahead of time so you can track this.
Implementing and maintaining a Data Loss Prevention solution should not be painful. Please contact us for more information on how to go about successfully protecting your organization’s sensitive data, or click here to take a test drive of the Code Green Networks TrueDLP solution.