DLP Best Practices

CherylF's picture

DTE has implemented Vontu for Network, Endpoint, and Discover.  I have a couple of questions for the User Group members regarding your roll out of the product.  

Have you rolled out any of the Acceptable Use rules/policies?

Have you rolled out Endpoint and are you blocking users from copying data to removable media or are you just notifying the user that they have potentially violated one of the data leakage policies and that they need to use care?

Any information you could provide us with would greatly be appreciated.

Sincerely,

Cheryl Fierk

seanpsteele's picture

Hi Cheryl, I wanted to take a crack at your questions:

1. Have you rolled out any of the Acceptable Use rules/policies?

In the DLP implementations I've done, the AU rules/policies haven't been turned on at all, or, if they have been turned on, the number of matches has been set to very high and it's been an audit-only policy. Foul language, improper/inappropriate Web surfing, etc. are so common that they'd likely crowd out all other types of incidents and policy violations.

2. Have you rolled out Endpoint and are you blocking users from copying data to removable media or are you just notifying the user that they have potentially violated one of the data leakage policies and that they need to use care?

I recommend the latter initially, to help condition users and to baseline the scope of your problem(s). Then, once users are aware of the ability and functionality, you might begin enabling the prevention/blocking on select user groups within the organizations (i.e., most tech-savvy users, or users handling most sensitive data, etc.).

Hope this helps!

--
Sean Steele, CISSP, CISA
Sr. Security Consultant
infoLock Technologies
877.610.5625 x219 direct
202.270.8672 mobile
ssteele@infolocktech.com

CherylF's picture

DLP

Sean,

Thanks for your suggestions.  Can you tell me what you have implemented and any issues you have seen?

kdub's picture

DLP Best practices

I'm looking for similar info. We need to develop implementation policies, etc., that describe how we intend to use the product within our company. One of the big issues is oversight. Think "who's watching the watchers?" DLP gives the admin access to info they normally would not have, and this of course can be abused if no oversight is in place. Auditors look for this type of check and balance. Does anybody have any sort of docs or procedures regarding how they've implemented DLP and how its use is audited?

thx.

CherylF's picture

DLP Best Practices

We have implemented DLP and we have a member from each of the Organizations assigned to review the incidents from their respective area. Information Protection and Security is responsible for oversight to ensure that the Privacy Review Team is reviewing their incidents. We actually produce metrics and distribute them.

Auditing has not performed an official audit so we do not know if we are missing any controls.

Cheryl

aferone@progressive.com's picture

Have you rolled out Endpoint and are you blocking users from copying data to removable media or are you just notifying the user that they have potentially violated one of the data leakage policies and that they need to use care?

We are also starting out notifying users with the plans for turning on the blocking after that.  That seems to be the "best practice" approach.

CherylF's picture

Endpoint Rollout

We have just started turning on the rules for endpoint.  Users will begin to be notified when they copy a file to a removable media that violates one of the potential information handling rules.  We are currently testing with SEP to see if we can allow read access to all USB Removable Media as identified by Windows and only allow write access to the four USB drives that are totally encrypted.

We are still in the testing phase.  We also will need to present our solution to Upper Management to ensure this is the direction they would like to head.

Cheryl

seanpsteele's picture

Update on Endpoint?

Cheryl, did you have any updates regarding your work on the Endpoint configuration/rollout? I'd like to hear what direction you went.

Thanks,

--
Sean Steele, CISSP, CISA
Sr. Security Consultant
infoLock Technologies
877.610.5625 x219 direct
202.270.8672 mobile
ssteele@infolocktech.com

CherylF's picture

Endpoint Update

We are using SEP to do our blocking based on whether or not you are using an encrypted thumb drive. It doesn't matter what type of file you are copying or whether it breaks one of our DLP rules. Today we have 28 users set with the blocking policy turned on and to date we have had no issues. We are adding another 128 users to the SEP policy to see if they come up with anything we didn't think of. I believe we are on the leading edge of doing this.

I can let you know as our pilot population increases if we see any additional impact.

Cheryl