DLP Best Practices
Updated: 20 Jul 2010 | 10 comments
DTE has implemented Vontu for Network, Endpoint, and Discover. I have a couple of questions for the User Group members regarding your roll out of the product.
Have you rolled out any of the Acceptable Use rules/policies?
Have you rolled out Endpoint and are you blocking users from copying data to removable media or are you just notifying the user that they have potentially violated one of the data leakage policies and that they need to use care?
Any information you could provide us with would greatly be appreciated.
Sincerely,
Cheryl Fierk
Comments
Hi Cheryl, I wanted to take a crack at your questions:
1. Have you rolled out any of the Acceptable Use rules/policies?
In the DLP implementations I've done, the AU rules/policies haven't been turned on at all, or, if they have been turned on, the number of matches has been set to very high and it's been an audit-only policy. Foul language, improper/inappropriate Web surfing, etc. are so common that they'd likely crowd out all other types of incidents and policy violations.
2. Have you rolled out Endpoint and are you blocking users from copying data to removable media or are you just notifying the user that they have potentially violated one of the data leakage policies and that they need to use care?
I recommend the latter initially, to help condition users and to baseline the scope of your problem(s). Then, once users are aware of the ability and functionality, you might begin enabling the prevention/blocking on select user groups within the organizations (i.e., most tech-savvy users, or users handling most sensitive-data, etc.)
Hope this helps!
--
Sean Steele, CISSP, CISA
Sr. Security Consultant
infoLock Technologies
877.610.5625 x219 direct
202.270.8672 mobile
ssteele@infolocktech.com
DLP
Sean,
Thanks for your suggestions. Can you tell me what you have implemented and any issues you have seen?
DLP Best practices
I'm looking for similar info. We need to develop implementation policies, etc., that describe how we intend to use the product within our company. One of the big issues is oversight. Think "who's watching the watchers"? DLP gives the admin access to info they normally would not have and this of course can be abused if no oversight is in place. Auditors look for this type of check and balance. Does anybody have any sort of docs or procedures regarding how they've implemented DLP and how its use is audited?
thx.
DLP Best Practices
We have implemented DLP and we have a member from each of the Organizations assigned to review the incidents from their respective area. Information Protection and Security is responsible for oversight to ensure that the Privacy Review Team is reviewing their incidents. We actually produce metrics and distribute them.
Auditing has not performed an official audit so we do not know if we are missing any controls.
Cheryl
Have you rolled out Endpoint and are you blocking users from copying data to removable media or are you just notifying the user that they have potentially violated one of the data leakage policies and that they need to use care?
We are also starting out notifying users with the plans for turning on the blocking after that. That seems to be the "best practice" approach.
Endpoint Rollout
We have just started turning on the rules for endpoint. Users will begin to be notified when they copy a file to removable media that violates one of the potential information handling rules. We are currently testing with SEP to see if we can allow read access to all USB Removable Media as identified by Windows and only allow write access to the four USB drives that are totally encrypted.
We are still in the testing phase. We also will need to present our solution to Upper Management to ensure this is the direction they would like to head.
Cheryl
Update on Endpoint?
Cheryl, did you have any updates regarding your work on the Endpoint configuration/rollout? I'd like to hear what direction you went.
Thanks,
Endpoint Update
We are using SEP to do our blocking based on whether or not you are using an encrypted thumb drive. It doesn't matter what type of file you are copying or whether it breaks one of our DLP rules. Today we have 28 users set with the blocking policy turned on and to date we have had no issues. We are adding another 128 users to the SEP policy to see if they come up with anything we didn't think of. I believe we are on the leading edge of doing this.
I can let you know as our pilot population increases if we see any additional impact.
Cheryl
How's things with your pilot now?
Just curious!
Thanks for any updates.
I want to create a compliance
Problem is that when users add any other domain in the To, Cc or Bcc field along with a domain name from the whitelist, the message got delivered.
Problem is that we can make compliance for every e-mail domain name on the Internet, the system will be extremely slow.
Can Vontu make this?
Regards
Anton