A lot of documentation has gone into the development and implementation of the DLP hardware and policies. However, I have found very little on the topic of remediation once the hardware and policies have been correctly implemented. It appears we have a hole: Without an effective remediation process the program is pointless. The topic deserves some more attention.
I would like to start a discussion on the best practices for remediating DLP violations, specifically email monitor violations. Essentially, once we have found an employee who violated policy, how do we ensure he/she does not repeat the violation?
I’ll start the discussion with our current process.
At my organization we rely heavily on the involvement of the direct manager. The manager is alerted of a violation and asked to work with the sender to prevent future occurrences. Closure is dependent on receipt of confirmation from the manager that the sender has been “remediated”. What that remediation entails is mostly left up to the manager. After the incident is closed no further action is taken. There are some further escalations if the sender were to become a repeat offender.
We consider the golden statistic for effectiveness to be the number of users who continually generate violations: so-called repeat offenders. My hope is to hear new ideas that may help decrease this number.