Today, data is more available, transferable and sensitive than ever. The best way to stop data leaks is to implement a Data Loss Prevention (DLP) solution. DLP enforces an automated corporate policy that can identify and protect data before it exits your organization.
Many tools, including dedicated DLP tools, email servers and general purpose security solutions, offer data loss prevention policy templates. These templates can help you easily create DLP policies that define which organizational content should be protected by a data loss policy. For example, DLP can ensure content identified by the policy is not transmitted to external individuals, modified or deleted.
In this post you will learn:
- What is a data loss prevention policy?
- Why it is important to have a data loss prevention policy
- Best practices for creating a successful DLP policy
- Data loss prevention templates for common enterprise tools
What is a data loss prevention policy?
Data loss prevention (DLP) safeguards the information of an organization and stops end users from leaking sensitive data outside the network. Network administrators use DLP tools to track data shared and accessed by end users. DLP tools can protect and classify data, while data loss prevention policies outline how organizations should implement these tools.
DLP software classifies the confidential and essential data of an organization. The software isolates violations of policies, as defined by a predefined policy pack or by the organization. Regulatory requirements such as PCI-DSS, HIPAA or GDPR generally shape these policies. Once the software identifies violations, DLP imposes remediation with encryption, alerts and other measures to stop end users from inadvertently or maliciously exposing the data.
Data loss prevention tools scan endpoint activities and monitor data in the cloud to safeguard data at rest, in use and in motion. They also filter data streams on organizational networks. An organization can use DLP reporting functions to ensure it adheres to auditing and compliance requirements, and to isolate abnormal activity and areas of weakness in the organization. This assists with incident response and forensics.
Why it is important to have a data loss prevention policy
Data security protects an organization against hostile attacks. Employees have many ways to share and access distributed organization data, making inadvertent data loss a pressing issue.
Employees, business partners, and contractors can also pose a threat to the organization when they steal or accidentally leak company data. Employees may, for example, fall victim to social engineering attacks, which highlights the need for ongoing employee cyber education. These kinds of threats, or insider threats, present a large risk to businesses today.
Data storage is now more accessible from remote locations and in cloud services, and individuals with ill intent can access the data from poorly protected phones and laptops.
There are three key reasons for having a data loss prevention policy:
1. Compliance
Organization policies are guided by mandatory compliance standards specified by governments and industry regulators (such as SOX, HIPAA, PCI DSS). These standards outline how an organization should safeguard personally identifiable information (PII) and other sensitive data.
A DLP policy is the first stage in compliance and helps provide accurate reporting for audits. Typically, DLP tools are designed for the requirements of common standards for a particular industry.
2. Intellectual property
Trade secrets or other intangible assets, including organizational strategies and customer lists, might be of greater value than physical assets. Losing this kind of information may create financial and reputational damage, misappropriation, and can result in penalties and legal action.
3. Data visibility
With the growing movement towards digitization, sensitive information is found on devices such as servers, laptops, network shares, cloud storage, databases, and USB drives.
A DLP policy can help organizations learn how stakeholders and end users use sensitive information. An organization can better safeguard its information when it has visibility over what data exists, where it resides, who uses it, and for what purpose.
Best practices for creating a successful DLP policy
Although no protection is absolute, best practices can help your organization implement a successful data protection policy.
- Identify data that requires protection—see which information requires protection, by classifying, prioritizing, and interpreting data based on its vulnerability and risk factors.
- Understand how to assess vendors—establish a framework with relevant questions to make an informed purchasing decision.
- Specify the roles of all parties involved—outline the role of every individual to prevent data misuse.
- Monitor data movement—understand how data is used and identify behavior that puts data at risk. Use this knowledge to develop policies that mitigate the risk of data loss and ensure appropriate data use.
- Involve leadership—management buy-in is crucial to the success of DLP. Policies are not worth anything unless they can be applied at an organizational level. Department heads should create a data loss prevention policy that is in keeping with corporate culture.
- Educate the workforce—we tend to view employees as the weak link in data loss prevention, yet executives often don’t prioritize education. Invest in helping users of data and stakeholders understand the policy and its importance.
- Use metrics to determine success—measure DLP success using metrics, including the number of incidents, percentage of false positives, and average time to respond. Data loss prevention metrics will help you see how efficient your policy is, and the return on your investment.
Data loss prevention templates
Data loss prevention policy templates use DLP data identifiers and logical operations (And, Or, Except) to create condition statements. Only data or files that meet a certain condition statement will fall within the confines of a DLP policy.
For example, a DLP policy can specify that a file belongs to the sensitive “employment contracts” category if it meets all of the following criteria:
- Must be a Microsoft Word file (file attribute)
- AND must contain certain legal terms (keywords)
- AND must contain ID numbers (defined by regular expression)
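The condition statement above, implemented as a small policy evaluator. This is an added example, not code from any DLP vendor: the three identifier kinds (file attribute, keyword list, regular expression) and the And/Or/Except operators are modelled as composable predicates, the sample files and the ID-number pattern are constructed for the demo, and a second policy shows how an Except clause excludes a blank template that would otherwise match.

```python
"""Toy DLP condition evaluator (added example, not vendor code).

A policy is a tree of conditions combined with AND / OR / EXCEPT over the three
kinds of data identifiers the post describes: file attributes, keyword lists
and regular expressions. All sample documents below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Document:
    name: str   # file name, used by the file-attribute identifier
    text: str   # extracted text content, used by keyword and regex identifiers


# --- data identifiers -------------------------------------------------------
def file_attribute(extensions):
    """Matches when the file name ends with one of the given extensions."""
    exts = tuple(e.lower() for e in extensions)
    return lambda doc: doc.name.lower().endswith(exts)


def keywords(terms, minimum=1):
    """Matches when at least `minimum` of the terms occur (case-insensitive)."""
    terms = [t.lower() for t in terms]
    return lambda doc: sum(t in doc.text.lower() for t in terms) >= minimum


def regex(pattern, minimum=1):
    """Matches when the pattern occurs at least `minimum` times."""
    rx = re.compile(pattern)
    return lambda doc: len(rx.findall(doc.text)) >= minimum


# --- logical operators ------------------------------------------------------
def AND(*conds):
    return lambda doc: all(c(doc) for c in conds)


def OR(*conds):
    return lambda doc: any(c(doc) for c in conds)


def EXCEPT(cond, exception):
    """cond holds and the exception does not (the 'Except' operator)."""
    return lambda doc: cond(doc) and not exception(doc)


# The "employment contracts" example from the post as a condition statement.
# The ID-number pattern (3-2-4 digit groups) is an assumption made for the demo.
EMPLOYMENT_CONTRACT = AND(
    file_attribute([".doc", ".docx"]),
    keywords(["employment agreement", "termination", "notice period"], minimum=2),
    regex(r"\b\d{3}-\d{2}-\d{4}\b"),
)

# Same rule with an exception: the published blank template is not sensitive.
EMPLOYMENT_CONTRACT_STRICT = EXCEPT(
    EMPLOYMENT_CONTRACT,
    keywords(["[insert employee name]"]),
)

POLICIES = {
    "employment contracts": EMPLOYMENT_CONTRACT,
    "employment contracts (strict)": EMPLOYMENT_CONTRACT_STRICT,
}

# Constructed sample files for the demo.
SAMPLE_DOCS = [
    Document("contract_jdoe.docx",
             "Employment Agreement between Acme and J. Doe (ID 123-45-6789). "
             "The notice period for termination is 30 days."),
    Document("contract_template.docx",
             "Employment Agreement between Acme and [insert employee name] "
             "(ID 000-00-0000). The notice period for termination is 30 days."),
    Document("lunch_menu.docx", "Employment Agreement? No, just the lunch menu."),
    Document("contract_jdoe.pdf",
             "Employment Agreement (ID 123-45-6789), termination, notice period."),
]


def classify(doc, policies):
    """Return the names of all policies whose condition the document meets."""
    return [name for name, cond in policies.items() if cond(doc)]


def scan(docs=SAMPLE_DOCS, policies=POLICIES):
    """Map each file name to the list of matching policy names."""
    return {d.name: classify(d, policies) for d in docs}


if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"{name:25s} -> {hits or 'no policy matched'}")
```

Note how the PDF copy of the same contract escapes the policy entirely because the file-attribute condition is an AND term: when building a condition statement, decide whether a file attribute is a real part of the definition of the sensitive category or merely the format you happened to see first.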
DLP policies on Microsoft Exchange
Microsoft Exchange offers data loss prevention (DLP) policy templates that can help safeguard organizational data stored and transmitted via an Exchange server.
They can help you manage Payment Card Industry Data Security Standard (PCI-DSS) data, Gramm-Leach-Bliley Act (GLBA) data, and United States personally identifiable information (U.S. PII). DLP policies support the full scope of traditional mail flow rules, and you can add more rules after establishing a DLP policy.
Prerequisites for creating Microsoft Exchange DLP templates:
- Set up the Exchange server – see this TechNet article for details.
- Configure the user and administrator accounts and check the transport pipeline (to ensure you can send email to external email clients). For more details read the document here.
- Receive permission from the security team or relevant authorities to create a DLP policy.
- DLP requires an Exchange Enterprise Client Access License (CAL).
- In hybrid environments where certain mailboxes are in on-premises Exchange and some are in Exchange Online, DLP policies are only applied in Exchange Online.
Examples of available DLP templates in Exchange:
| Policy template | Examples of information the template is used to detect and protect |
| --- | --- |
| PCI Data Security Standard (PCI DSS) | Debit card or credit card numbers |
| U.K. Data Protection Act | National insurance numbers |
| U.S. Health Insurance Act (HIPAA) | Social security numbers and health information |
| Portability and Accountability Act (HIPAA) | U.S. Personally Identifiable Information (PII), for example, social security numbers or driver’s license numbers |
| France Data Protection Act | Health insurance card number |
| Canada Personal Information Protection Act (PIPA) | Passport numbers and health information |
| Australia Privacy Act | Financial data in Australia, including credit cards and SWIFT codes |
| Japan Personally Identifiable Information (PII) Data | Driver’s license and passport numbers |
See all templates provided by Exchange server.
How to create a DLP policy from a template using the Exchange Admin Center (EAC):
1. In the EAC, navigate to Compliance Management > Data Loss Prevention, then click Add.
2. The Create a New DLP Policy from a Template page appears. Fill in the policy name and description, select the template, and set a status, i.e. whether you want to enable the policy or not. The default status is Test Without Notifications.
3. Click Save.
DLP policies in Symantec Data Loss Prevention
Symantec Data Loss Prevention offers policy templates you can use to safeguard organizational data. You can import and export policy rules and exceptions as templates, which lets you share policies across environments and systems.
| Policy template | Selected example | Example description |
| --- | --- | --- |
| US Regulatory Enforcement | HIPAA and HITECH (including PHI) | Enforces the US Health Insurance Portability and Accountability Act (HIPAA) |
| General Data Protection Regulation | General Data Protection Regulation (Digital Identity) | Protects personal identifiable information connected to digital identity |
| International Regulatory Enforcement | Caldicott Report | Protects UK patient information |
| Customer and Employee Data Protection | Employee Data Protection | Detects employee data |
| Confidential or Classified Data Protection | Encrypted Data | Detects the use of encryption using different methods |
| Network Security Enforcement | Password Files | Detects password file formats |
| Acceptable Use Enforcement | Restricted Files | Detects file types that may be inappropriate to send out of the company |
| Policy template import and export | Policy template import and export | You can import and export policy templates to and from the Enforce Server. You can share policy templates across environments, archive legacy policies, and version existing policies. |
See all Symantec DLP templates here, organized into the categories above.
To create a DLP policy from a template in Symantec Data Loss Prevention:
- Add a policy from a template. See this help article.
- Choose the template you want to use. The Manage > Policies > Policy List > New Policy – Template List screen lists all policy templates.
- Click Next to configure the policy.
- Choose a Data Profile (if prompted), edit the policy name or description (optional), select a policy group (if necessary), and edit the policy rules or exceptions (if necessary).
- Save the policy and export it.
DLP policies in IBM Endpoint Manager (IBM BigFix)
IBM Endpoint Manager, renamed IBM BigFix, is an end-to-end security solution for endpoints that also covers Data Loss Prevention. IBM BigFix’s Core Protection Module (CPM) provides predefined templates:
- GLBA: Gramm-Leach-Bliley Act
- SB-1386: US Senate Bill 1386
- HIPAA: Health Insurance Portability and Accountability Act
- PCI-DSS: Payment Card Industry Data Security Standard
- US PII: United States Personally Identifiable Information
Templates are provided as XML files, which you import to apply the template. BigFix also lets you create your own templates once you have configured DLP data identifiers.
How to import and use a pre-built DLP template in IBM BigFix:
- Navigate to Endpoint Protection > Configurations > Data Protection > DLP Settings Wizard > Template Management.
- On the new screen, type a name for the template and a description, and select data identifiers.
  You can add new expressions to search for content you want to allow or disallow, create a list of file attributes, and create a keyword list. Each definition should have a logical operator.
- Click Save.
For more details see this support article from IBM.
Complementing DLP with advanced security analytics
DLP solutions can monitor data flows and secure organizations against known threats. However, attackers and malicious insiders constantly find new ways to compromise systems and steal data, many of which cannot be captured by DLP policy rules. This gap can be addressed by a newer type of security tool called User and Event Behavioral Analytics (UEBA).
UEBA tools establish baselines for the behavior of users, applications and network devices. They use machine learning algorithms to identify abnormal activity for an entity or group of entities, without any predetermined rules or patterns. This complements DLP by alerting on data-related incidents that did not match any DLP policy rule.
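To make the contrast with rule-based DLP concrete, here is an added example (not Exabeam's product code) of the baseline idea in its simplest statistical form: each user's first few days of outbound data volume become that user's own baseline, and later days are scored by how far they deviate from it. The log lines are constructed, the z-score threshold and baseline length are assumptions for the demo, and a standard score stands in for the machine learning models the post refers to.

```python
"""Toy behavioral baseline (added example, not Exabeam's product code).

Each constructed log line records one user's outbound data volume for a day.
The first BASELINE_DAYS observations per user form that user's baseline; later
observations are scored against it. No rule or pattern is involved: an alert
comes purely from deviation from the entity's own history.
"""
import statistics
from collections import defaultdict

# Constructed sample log lines: date, user, outbound bytes for that day.
SAMPLE_LOG = """\
2024-03-01 user=alice bytes_out=12000
2024-03-02 user=alice bytes_out=15000
2024-03-03 user=alice bytes_out=11000
2024-03-04 user=alice bytes_out=14000
2024-03-05 user=alice bytes_out=13000
2024-03-06 user=alice bytes_out=900000
2024-03-01 user=bob bytes_out=500000
2024-03-02 user=bob bytes_out=520000
2024-03-03 user=bob bytes_out=480000
2024-03-04 user=bob bytes_out=510000
2024-03-05 user=bob bytes_out=495000
2024-03-06 user=bob bytes_out=530000
2024-03-01 user=carol bytes_out=1000
2024-03-02 user=carol bytes_out=80000
"""

BASELINE_DAYS = 5   # observations needed before an entity can be scored (assumed)
THRESHOLD = 3.0     # z-score above which a day is anomalous (assumed)


def parse(log):
    """Yield (date, user, bytes_out) tuples from the log text."""
    for line in log.splitlines():
        date, user_kv, bytes_kv = line.split()
        yield date, user_kv.split("=", 1)[1], int(bytes_kv.split("=", 1)[1])


def zscore(value, history):
    """Standard score of value against history; None if history is too short."""
    if len(history) < BASELINE_DAYS:
        return None
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history)
    if sd == 0:  # flat history: any change at all is a deviation
        return float("inf") if value != mean else 0.0
    return (value - mean) / sd


def detect(log=SAMPLE_LOG, threshold=THRESHOLD):
    """Return alerts as (date, user, bytes_out, zscore) for anomalous days."""
    history = defaultdict(list)
    alerts = []
    for date, user, bytes_out in sorted(parse(log)):   # chronological order
        z = zscore(bytes_out, history[user])
        if z is not None and z > threshold:
            alerts.append((date, user, bytes_out, round(z, 1)))
        else:
            history[user].append(bytes_out)   # only normal days extend the baseline
    return alerts


if __name__ == "__main__":
    for date, user, bytes_out, z in detect():
        print(f"{date} {user}: {bytes_out} bytes out (z={z}) exceeds baseline")
```

Two details carry the point. Bob moves half a megabyte every day, so his 530,000-byte day is normal for him and produces no alert, while Alice's 900,000-byte day is hundreds of standard deviations from her own history; a single organization-wide volume rule would either flag Bob daily or miss Alice. And Carol has too little history to score at all, which is the usual reason UEBA deployments need a learning period before their alerts mean anything.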
For an example of a UEBA system that can protect against data breaches from insider or unknown threats, learn more about Exabeam Advanced Analytics.