Today, data is more available, more transferable, and more sensitive than ever. The best way to stop data leaks is to implement a Data Loss Prevention (DLP) solution. DLP enforces an automated corporate policy, which can identify and protect data before it exits your organization.
Many tools, including dedicated DLP tools, email servers, and general-purpose security solutions, offer DLP policy templates. These templates can help you easily create DLP policies that define which organizational content should be protected by a data loss policy. For example, DLP can ensure that content identified by the policy is not transmitted to external individuals, modified, or deleted.
In this post you will learn:
- What is a DLP policy?
- Why it is important to have a DLP policy
- Best practices for creating a successful DLP policy
- DLP policy templates for common enterprise tools
What is a DLP policy?
Data loss prevention (DLP) safeguards the information of an organization and stops end users from leaking sensitive data outside the network. Network administrators use DLP tools to track data shared and accessed by end users. DLP tools can protect and classify data, while DLP policies outline how organizations should implement these tools.
DLP software classifies the confidential and essential data of an organization. The software identifies violations of policies, as defined by a predefined policy pack or by the organization. Regulatory compliance requirements such as PCI DSS, HIPAA, or GDPR generally shape these policies. Once the software identifies violations, DLP remediates with encryption, alerts, and other measures to stop end users from inadvertently or maliciously exposing the data.
Data loss prevention tools scan endpoint activities, and monitor data in the cloud to safeguard data at rest, in use, and in motion. They also filter data streams on organizational networks. An organization can use DLP reporting functions to ensure they adhere to auditing and compliance requirements, and to isolate abnormal activity and areas of weakness in their organization. This helps with incident response and forensics.
Why it is important to have a DLP policy
Data security prevents hostile attacks on an organization. But employees have many ways to share and access distributed organizational data, making inadvertent data loss a pressing concern.
Employees, business partners, contractors, and other third parties can also pose a threat to the organization when they steal or accidentally leak company data. For example, employees may fall victim to social engineering attacks, which highlights the need for ongoing employee security awareness training. These insider threats present a large risk to businesses today.
Data storage is now more accessible via remote locations and cloud services. Malicious actors can access the data from poorly secured phones and laptops.
There are three key reasons for having a data loss prevention policy:
1. Compliance
Company policies are guided by mandatory compliance standards specified by governments and industry regulators, such as SOX, HIPAA, and PCI DSS. These standards outline how an organization should safeguard personally identifiable information (PII) and other sensitive data.
A DLP policy is the first stage in compliance, and helps provide accurate reporting for audits. Typically, DLP tools are designed for the requirements of a particular industry’s common standards.
2. Intellectual property
Trade secrets and other intangible assets, including organizational strategies and customer lists, might be of greater value than physical assets. Losing this kind of information may result in financial and reputational damage, misappropriation, criminal penalties, and legal action.
3. Data visibility
With the growing movement towards digitization, sensitive information is found on devices such as servers, laptops, network shares, cloud storage, databases, USB drives, and mobile devices.
A DLP policy can help organizations learn how stakeholders and end users use sensitive information. An organization can better safeguard its information when it has visibility over what data exists, where it resides, who uses it, and for what purpose.
Best practices for creating a successful DLP policy
Although no protection is absolute, best practices can help your organization implement a successful data protection policy.
- Identify data that requires protection — See which information requires protection, by classifying, prioritizing, and interpreting data based on its vulnerability and risk factors.
- Understand how to assess vendors — Establish a framework with relevant questions to make an informed purchasing decision.
- Specify the roles of all parties involved — Outline the role of each individual to prevent data misuse.
- Monitor data movement — Understand how data is used, and identify behavior that puts data at risk. Use this knowledge to develop policies that mitigate the risk of data loss and ensure appropriate data use.
- Involve leadership — Management buy-in is crucial to the success of DLP. Policies are not worth anything unless they can be applied at an organizational level. Department heads should create a data loss prevention policy that is in keeping with corporate culture.
- Educate the workforce — We tend to view employees as the weak link in data loss prevention, yet executives often don’t prioritize security training. Invest in helping stakeholders and users of data to understand the policy and its importance.
- Use metrics to determine success — Measure DLP success using metrics, including the number of incidents, percentage of false positives, and average time to respond. Data loss prevention metrics will help you see how efficient your policy is, and the return on your investments.
DLP policy templates for common enterprise tools
Data loss prevention policy templates use DLP data identifiers and logical operators (AND, OR, NOT) to create condition statements. Only data or files that meet a certain condition statement will fall within the confines of a DLP policy.
For example, a DLP policy can specify that a file belongs to the sensitive “employment contracts” category if it meets all of the following criteria:
- Must be a Microsoft Word file (file attribute)
- AND must contain certain legal terms (keywords)
- AND must contain ID numbers (defined by regular expression)
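The condition statement above, worked through as an added example (not code from any DLP product or from the original post). The keyword list, the ID number format, the "specimen" exception and the sample documents are assumptions constructed for illustration; the sketch also shows OR and NOT alongside AND.

```python
import re
from dataclasses import dataclass
from typing import Callable

@dataclass
class Doc:                      # what the engine sees: file name + extracted text
    name: str
    text: str

Cond = Callable[[Doc], bool]

# Data identifiers: file attribute, keyword list, regular expression.
def file_ext(ext: str) -> Cond:
    # Extension is a stand-in here; a real product inspects the true file type.
    return lambda d: d.name.lower().endswith(ext)

def keywords(terms: list[str], min_hits: int = 1) -> Cond:
    pats = [re.compile(rf"\b{re.escape(t)}\b", re.I) for t in terms]
    return lambda d: sum(bool(p.search(d.text)) for p in pats) >= min_hits

def regex(pattern: str) -> Cond:
    rx = re.compile(pattern)
    return lambda d: rx.search(d.text) is not None

# Logical operators that combine identifiers into a condition statement.
def AND(*cs: Cond) -> Cond: return lambda d: all(c(d) for c in cs)
def OR(*cs: Cond) -> Cond:  return lambda d: any(c(d) for c in cs)
def NOT(c: Cond) -> Cond:   return lambda d: not c(d)

# Constructed policy: keyword list, ID format and exception term are assumptions.
EMPLOYMENT_CONTRACT = AND(
    OR(file_ext(".doc"), file_ext(".docx")),
    keywords(["employer", "employee", "termination", "hereinafter"], min_hits=2),
    regex(r"\b\d{3}-\d{2}-\d{4}\b"),
    NOT(keywords(["specimen"])),          # exception: blank specimen contracts
)

# Constructed sample documents.
SAMPLES = [
    Doc("contract_jdoe.docx", "The Employer may give notice of termination. ID 123-45-6789"),
    Doc("contract_jdoe.pdf", "The Employer may give notice of termination. ID 123-45-6789"),
    Doc("memo.docx", "The employer reviewed the termination clause."),
    Doc("newsletter.docx", "Employee picnic on Friday, ticket 123-45-6789."),
    Doc("blank.doc", "SPECIMEN. Employer, Employee, termination. ID 000-00-0000"),
]

def matches(docs: list[Doc], policy: Cond = EMPLOYMENT_CONTRACT) -> list[str]:
    return [d.name for d in docs if policy(d)]

if __name__ == "__main__":
    print(matches(SAMPLES))
```

Only the first sample satisfies every clause; each of the others fails exactly one (file attribute, ID pattern, keyword threshold, exception), which is how requiring all identifiers together keeps false positives down.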
DLP policies on Microsoft Exchange
Microsoft Exchange offers DLP policy templates that can help safeguard organizational data stored and transmitted via an Exchange server.
They can help you manage PCI DSS and GLBA data, and US PII. DLP policies help with the full scope of traditional mail flow rules, and you can add more rules after establishing a DLP policy.
Prerequisites for creating Microsoft Exchange DLP templates:
- Set up the Exchange server
- Configure the user and administrator accounts, and check the transport pipeline to ensure you can send emails to external email clients. For more details read this document.
- Receive permission from the security team or relevant authorities to create a DLP policy.
- DLP requires an Exchange Enterprise Client Access License (CAL).
- In hybrid environments where certain mailboxes are in on-premises Exchange and some are in Exchange Online, DLP policies are only applied in Exchange Online.
Examples of available DLP templates in Exchange:
Policy template | Examples of information the template is used to detect and protect |
PCI Data Security Standard (PCI DSS) | Debit card or credit card numbers |
U.K. Data Protection Act | National insurance numbers |
U.S. Health Insurance Act (HIPAA) | Social security numbers and health information |
Portability and Accountability Act (HIPAA) | U.S. Personally Identifiable Information (PII), for example, social security numbers or driver’s license numbers. |
France Data Protection Act | Health insurance card number |
Canada Personal Information Protection Act (PIPA) | Passport numbers and health information |
Australia Privacy Act | Financial data in Australia, including credit cards, and SWIFT codes |
Japan Personally Identifiable Information (PII) Data | Driver’s license and passport numbers |
See all templates provided by Exchange server.
How to create a DLP policy from a template using the Exchange Admin Center (EAC):
1. In the EAC, navigate to Compliance Management > Data Loss Prevention, then click Add.
2. The Create a New DLP Policy from a Template page appears. Fill in the policy name and description, select the template, and set a status — whether you want to enable the policy or not. The default status is Test Without Notifications.
3. Click Save.
DLP policies in Symantec Data Loss Prevention
Symantec Data Loss Prevention offers policy templates you can use to safeguard organizational data. You can import and export policy rules and exceptions as templates, which lets you share policies across environments and systems.
Policy template | Selected example | Example description |
US Regulatory Enforcement | HIPAA and HITECH (including PHI) | Enforces the US Health Insurance Portability and Accountability Act (HIPAA) |
General Data Protection Regulation | General Data Protection Regulation (Digital Identity) | Protects personally identifiable information connected to digital identity |
International Regulatory Enforcement | Caldicott Report | Protects UK patient information |
Customer and Employee Data Protection | Employee Data Protection | Detects employee data |
Confidential or Classified Data Protection | Encrypted Data | Detects the use of encryption using different methods |
Network Security Enforcement | Password Files | Detects password file formats |
Acceptable Use Enforcement | Restricted Files | Detects file types that may be inappropriate to send out of the company |
Policy template import and export | Policy template import and export | You can import and export policy templates to and from the Enforce Server. You can share policy templates across environments, archive legacy policies, and version existing policies. |
See all Symantec DLP templates here, organized into the categories above.
To create a DLP policy from a template in Symantec Data Loss Prevention:
- Add a policy from a template. See this help article.
- Choose the template you want to use. The Manage > Policies > Policy List > New Policy – Template List screen lists all policy templates.
- Click Next to configure the policy.
- Choose a data profile (if prompted), edit the policy name or description (optional), select a policy group (if necessary), and edit the policy rules or exceptions (if necessary).
- Save the policy and export it.
DLP policies in IBM BigFix
IBM BigFix is an end-to-end security solution for endpoints that also covers Data Loss Prevention. IBM BigFix’s Core Protection Module (CPM) provides predefined templates:
- GLBA: Gramm-Leach-Bliley Act
- SB-1386: US Senate Bill 1386
- HIPAA: Health Insurance Portability and Accountability Act
- PCI DSS: Payment Card Industry Data Security Standard
- US PII: United States Personally Identifiable Information
Templates are provided as XML files, which you can import to apply the template. BigFix also lets you create your own templates, once you configure DLP data identifiers.
How to import and use a pre-built DLP template in IBM BigFix:
- Navigate to Endpoint Protection > Configurations > Data Protection > DLP Settings Wizard > Template Management.
- On the new screen display, type a name for the template, enter a description, and select data identifiers.
You can add new expressions to search content you want to allow or disallow, create a list of file attributes, and create a keyword list. Each definition should have a logical operator.
- Click Save.
For more details see this support article from IBM.
Complementing DLP with advanced security analytics
DLP solutions can monitor data flows and secure organizations against known threats. However, attackers and malicious insiders constantly find new ways to compromise systems and steal data, many of which cannot be captured by DLP policy rules. This gap can be addressed by a newer type of security tool called User and Entity Behavior Analytics (UEBA).
UEBA tools establish baselines for the behavior of users, applications, and network devices. They use machine learning algorithms to identify abnormal activity for an entity or group of entities, without having any predetermined rules or patterns. This complements DLP by alerting about data-related incidents that did not match any DLP policy rule.
For an example of a UEBA system that can protect against data breaches from insider or unknown threats, learn more about Exabeam Advanced Analytics.