
Building Your DLP Strategy & Process: Whitepaper


Contents
Introduction
DLP Planning: Organize Your Project for Success
DLP Planning: Clarify User Profiles
DLP Implementation: Phases of a Successful Project
Phase 1: Define Success & Freeze Project Scope
Phase 2: Identify Critical DLP User Profiles
Phase 3: Identify Sensitive Information & Business Requirements
Phase 4: Design & Manage DLP Policies
Phase 5: Fine-Tune Policies and Incident Management
Phase 6: Implement Awareness & Training Programs
Phase 7: Manage the Project & Track Progress

www.forcepoint.com

INTRODUCTION

Forcepoint works with its clients around the world to develop effective strategies and processes for implementing data loss prevention (DLP) programs. Our extensive experience and technical expertise in this area of data security has led to our continuous industry leadership and product innovation to stop malicious or inadvertent data leakage. This guide provides you the key points you need to understand as you organize your DLP project, define key user profiles that affect your DLP strategy and roll out your DLP program at every phase of deployment.

As you read, keep in mind these must-dos:

Determine goals and objectives for your DLP program up front. As with all change initiatives, DLP programs should help achieve strategic business objectives and provide benefits in return for the costs incurred. Clear and measurable goals and objectives at the outset will ensure that the program is focused on protecting the data that is most important to the organization.

Address all aspects of People, Process and Product. As highlighted throughout this document, DLP revolves around the people, the processes and the technology products you use. It’s critical to identify clear roles and responsibilities for individuals, create effective processes to detect and respond to incidents and configure your tools accurately to identify and prevent data loss.

Establish ample executive support and participation. Active involvement from business and operating units across your organization will create more user acceptance of the transition toward a more secure environment. It will also ensure that business input is provided at key stages — which is paramount for a successful DLP program.

Define sensitive data. Implementing DLP technology and controls universally across an organization can have an adverse and costly impact on the business. By defining sensitive data up front and aligning the program to protect their most sensitive data, organizations can ensure that resources are deployed to manage the most important risks.

Reinforce awareness for end users. In their day-to-day work, end users are mostly confronted by the limitations imposed by DLP. Without an awareness of the reasons behind additional security measures, employees will be more likely to seek work-arounds to bypass controls. Increased awareness also helps users take responsibility for classifying and protecting critical information and assets.

Formally define and monitor the effectiveness of DLP controls. Once implemented, the DLP controls and their effectiveness in protecting your data assets should be monitored closely to drive a cycle of constant improvement.

DLP PLANNING: ORGANIZE YOUR PROJECT FOR SUCCESS

Because DLP affects so many functions within an organization, you’ll need to clarify roles and responsibilities across the workstreams detailed below.

Building consensus about these workstreams at the outset will make it easier for your organization to implement and manage your DLP strategy.

Program Management — This team ensures that the work effort achieves the goals stated by the steering committee. Responsibilities include:
• Set and review objectives
• Oversee management of project scope and cost

1. PROJECT LEADERSHIP
• Program Management
• Steering Committee

2. PROJECT MANAGEMENT
• Quality Management
• Project Management Office

3. PROJECT TEAM
• Change Management
• Functional Workstream
• Solution Workstream
• Infrastructure Workstream

Steering Committee — This committee should be headed by the Chief Information Security Officer (CISO) or Chief Information Officer (CIO) and include all important stakeholders in the project. Responsibilities include:
• Own and oversee implementation of the project’s underlying strategies
• Define the project’s connection to the enterprise’s overall business plans and direction
• Provide and interpret policy
• Ensure participation of relevant business functions in the project
• Remove internal and external barriers to achieving the project’s goals
• Review progress at set intervals to ensure alignment with the overall strategic vision


Quality Management — Responsibilities include:
• Assess and review project requirements and activities for quality planning and controls
• Ensure adherence to project timelines

Project Management Office — Responsibilities include:
• Derive and manage the project plan
• Dynamically allocate and direct resources to ensure product deliverables, timeline and budget
• Review project progress and coordinate with business functions as required

Change Management — Responsibilities include:
• Control changes to the project plan
• Adapt and implement effective new operational changes required to make the project successful

In many organizations, a single person carries out both the Functional and Solution workstreams:

Functional Workstream — To ensure its success, your DLP project needs representatives from relevant business functions within the organization who understand those critical business processes that deal with sensitive data. Primary responsibilities are:
• Understand business requirements from each business function
• Identify and document sensitive data from each business function
• Develop workflows for DLP policy creation and modification, and for incident management and remediation

Solution Workstream — These project members devise effective incident management and remediation frameworks, as well as structure metrics that allow stakeholders to understand progress made on the project, risks addressed by the strategy, the efficiency of incident management and so on. They should have deep technical knowledge of the DLP solution. Other responsibilities include:
• Analyze methods to detect sensitive data types
• Recommend best practices for data management
• Develop DLP policies based on business requirements
• Identify best practices for installation, administration and operation of the DLP solution
• Conduct training for business teams

Infrastructure Workstream — This function addresses technical deliverables relating to DLP system readiness, management, maintenance and support. They configure policies and perform operational tasks on the DLP solution itself. Other responsibilities include:
• Conduct technical trainings
• Manage technical issues
• Meet with operations team
• Generate reports
• Interact with vendor support team
• Create technical documentation

DLP PLANNING: CLARIFY USER PROFILES

For a DLP roll-out to be effective, it needs clearly defined roles for key participants, from line-of-business personnel to technical DLP specialists to end users.

Understanding up front what the different roles are and what each of them does will help ensure the success of your DLP program.

Business Function Lead
This person should be knowledgeable about the critical business processes and data used within the business function that will be addressed by the DLP project. This individual will be involved in data identification and classification and DLP policy approval. After the project is complete, this member will continue to offer feedback on critical business processes and the data generated from them.

DLP Consultant — Functional & Solution Workstreams
The person in this role will perform the functions stated under the Functional and Solution workstreams in the prior section. Often, it is a good choice to appoint the IT, security or risk specialist already responsible for the business function, as this person will need to combine understanding of business processes with knowledge of the DLP solution. They should also have basic IT knowledge covering file directories, databases, directory paths, network credentials and related topics, and they will benefit from quality and security audit certifications (e.g. for ISO 27001) as well. When the project is complete, the DLP Consultant will continue to adapt DLP policies as needed, working in concert with the DLP Product Administrator.

DLP Product Administrator — Infrastructure Workstream
This team member — usually from the IT Security organization — must be capable of installing, administrating and supporting the DLP solution itself, which will require them to have completed DLP product training and to possess relevant IT knowledge. After the project is complete, this person will continue to write new policies and modify existing ones in the DLP product’s management console as instructed by the DLP Consultant.


Business Function Incident Manager
This member’s role is to interpret, analyze, manage and remediate DLP incidents as they arise. In practice, this means reading reports generated by the DLP solution and determining whether a non-conforming incident merits further investigation or escalation to the Critical Incident Manager or other management. In carrying out this role, the Incident Manager must be familiar with the critical business processes of their business function, as well as have detailed knowledge of the organization’s incident management and remediation framework. During the project, they will also review and comment on policies, workflows and metrics and assist with end-user training.

Critical Incident Manager
This person — likely the CISO, chief risk officer or DLP strategy owner — must make the final decision on mitigation actions whenever a case of data leakage occurs. They will also manage any such incidents arising from the actions of the Business Function Lead, and the Business Function Incident Manager and other high-profile users. This member should have a strong background in security or risk operations, along with solid knowledge of the critical business processes of the organization.

End Users
During the project, the team should recruit personnel who are interested in being pilot users to provide feedback on DLP issues specific to each business function, and to participate in user acceptance testing (UAT). These pilot users should use the software applications and have the access privileges of typical end users.

DLP IMPLEMENTATION: PHASES OF A SUCCESSFUL PROJECT

You should enter into your DLP project with a commitment to using best practices that align People, Process and Product to achieve effective outcomes. As represented by the diagram, the ongoing challenge of data loss prevention implies a multiphase cycle, where the successful outcome of your current project feeds into the initiation of the next project — perhaps by extending the DLP program to other business units. This section provides you with details for each phase.

Phase 1: Define Success & Freeze Project Scope
For a DLP project to work, it needs to be built on well-defined criteria for success that will demonstrate value to stakeholders across the organization. Too many organizations make the mistake of trying to address data security needs of the entire enterprise through a DLP project, but then struggle to demonstrate value. While DLP should indeed connect to broader security objectives — for example your approach to stopping insider threats — your specific DLP project should be tightly defined, with objectives that can actually be measured and achieved. That’s how you win buy-in across the organization, which is critical for long-term success.

Phase 2: Identify Critical DLP User Profiles
For your DLP strategy to be effective, the user profiles from the previous section of this paper need to be assigned to staff members who understand their responsibilities and have the resources they need to carry them out.

Phase 3: Identify Sensitive Information & Business Requirements
Even though it relies on advanced technology, DLP is ultimately a business strategy meant to reduce risks for your organization. That’s why it’s so important for DLP project stakeholders to hold discussions with Business Function Leads and Business Function Incident Managers about which information is critical for each business function and what the operational requirements are for implementing DLP.

Business stakeholders should share what they already know about the sensitive data that needs to be protected for their business function. To prevent scope creep, stakeholders might be asked to identify their top N types of sensitive information, where N is a number that fits within the agreed-upon scope for the DLP project. When Forcepoint engages with clients on planning DLP projects, we share sample data classification worksheets, templates and questionnaires to streamline the process. Ask if your DLP technology provider offers similar tools.

Phase 4: Design & Manage DLP Policies
During this phase, the team reviews data highlighted from every business function in Phase 3, engages the DLP Consultant and then derives policies to effectively identify that data. Your DLP tool will provide various data identifiers such as patterns, regular expressions, keywords, dictionaries, file attributes, fingerprints and machine learning algorithms. Once these data identifiers have been reviewed, you then must decide which of the identifiers need to be used to identify the data accurately. Then you can configure DLP policies (initially in monitoring mode), capture them in a policy log and obtain approvals from relevant stakeholders. You should also define appropriate change management controls for raising and approving change requests.
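
The following added example (not part of the whitepaper and not Forcepoint's implementation) illustrates the Phase 4 decision about which data identifiers to combine: a regular expression alone matches any 16-digit number, while adding a checksum validator and a keyword dictionary narrows matches to likely payment-card data, with the policy starting in monitoring mode. The function and class names, keyword list, context window and sample messages are all assumptions constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Pattern identifier: 13-19 digits, optionally separated by spaces or dashes.
CARD_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Dictionary identifier: a keyword must appear near the match (constructed list).
CARD_KEYWORDS = ("card", "visa", "mastercard", "cvv", "expiry")
KEYWORD_WINDOW = 40  # characters of context inspected on each side of a match


def luhn_valid(digits: str) -> bool:
    """Checksum validator: rejects most digit runs that the pattern alone accepts."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_card_numbers(text: str, require_keyword: bool = True) -> list[str]:
    """Return digit strings that pass pattern + checksum (+ nearby keyword)."""
    hits = []
    lowered = text.lower()
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_valid(digits):
            continue
        context = lowered[max(0, m.start() - KEYWORD_WINDOW): m.end() + KEYWORD_WINDOW]
        if require_keyword and not any(k in context for k in CARD_KEYWORDS):
            continue
        hits.append(digits)
    return hits


@dataclass
class Policy:
    name: str
    threshold: int          # minimum number of matches before the policy triggers
    mode: str = "monitor"   # "monitor" only logs; "enforce" blocks the transfer

    def evaluate(self, text: str) -> dict:
        hits = find_card_numbers(text)
        triggered = len(hits) >= self.threshold
        action = "allow"
        if triggered:
            action = "block" if self.mode == "enforce" else "log"
        # Store masked values so the incident log does not itself hold card data.
        masked = ["*" * (len(h) - 4) + h[-4:] for h in hits]
        return {"policy": self.name, "triggered": triggered,
                "action": action, "matches": masked}


# Constructed sample messages (4111111111111111 is a widely used test number).
SAMPLES = {
    "invoice": "Please charge Visa card 4111 1111 1111 1111, expiry 09/27.",
    "tracking": "Your parcel tracking number is 4111111111111112.",
    "order_id": "Order reference 4111111111111111 shipped on Monday.",
}

if __name__ == "__main__":
    policy = Policy(name="PCI card data", threshold=1)
    for label, body in SAMPLES.items():
        print(label, policy.evaluate(body))
```

Only the invoice message triggers: the tracking number fails the checksum, and the order reference passes the checksum but has no corroborating keyword, which is the kind of false positive that review in monitoring mode is meant to surface before enforcement is switched on.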


Policy Management Process
It’s important to have a policy management process to ensure that new policies are created and managed effectively. That process should go something like this:

1. End User identifies that new sensitive data has been created, or that existing data has become sensitive.
2. Business Function Lead confirms that a new data leakage policy is needed and then sends the requirement for that policy to the DLP Consultant.
3. DLP Consultant translates the requirement into a new DLP policy based on the established framework, updates the DLP policy log and status files and sends the updated files to the DLP Product Administrator.
4. DLP Product Administrator writes the new DLP policies into the DLP solution’s management console.

The procedure for modifying an existing policy works much the same, except that it’s initiated when an end user or Business Function Incident Manager determines that an existing policy is ineffective.

Phase 5: Fine-Tune Policies and Incident Management
This phase is crucial for creating an effective policy framework and configuring DLP policies in enforcement mode. It starts with understanding why DLP incidents occur, because not every data leak is either intentional or malicious. Leaks fall into four main types, and each is best addressed by a different strategy:

Accidental Leak: At least 60% of incidents arise from employee ignorance, when someone is unaware of the risks of sharing critical information. The remedy is employee education.

Malicious Outsider: These arise when systems are infected with malware and attempt to exfiltrate data. The remediation strategy is to detect and remediate, identifying machines that are affected and then cleaning those machines.

Intentional Non-Malicious: Unexamined business processes can foster intentional employee behaviors that are inadvertently risky from a data loss perspective. Your DLP project will bring visibility to these processes, opening the door to productive discussions with relevant leaders about improving business processes or fine-tuning DLP policies to accommodate those that have an acceptable level of risk.

Malicious Insider: These occur when employees try to steal information or do harm to the organization by leaking it. These incidents can be detected only if your DLP solution provides the insight needed for profiling risky user behaviors, as Forcepoint’s Insider Threat Data Protection solution does. It is critical that your organization have defined processes to deal with such high-risk incidents.

DATA LEAK SOURCE              REMEDIATION STRATEGY
ACCIDENTAL                    EMPLOYEE EDUCATION
MALICIOUS OUTSIDER            DETECT AND REMEDIATE
INTENTIONAL (NON-MALICIOUS)   VISIBILITY
MALICIOUS INSIDER             RISKY USER BEHAVIOR PROFILING

With a clear understanding of these types of leaks, your project team should identify stakeholders with responsibility for security, risk, compliance, legal affairs, human resources and so on who need to take part in incident management and remediation processes, then create the workflows — including escalation mechanisms — relevant for those functions.

Phase 6: Implement Awareness & Training Programs

Awareness
Your DLP solution can be used as a great tool to spread awareness about your organization’s data security policies, and to understand high-risk users who violate DLP policies because of ignorance. Options for raising awareness include:
• Display pop-ups to end users when they are about to violate policy
• Send notification emails to end users (and optionally managers) after they have violated policy
• Allow users to enter a justification message before performing an action which may violate policy

These awareness options can significantly reduce incidents triggered by end user negligence.

Training
It’s very important that a proper training program is in place for different DLP user profiles. Training should be given at regular intervals, with the following modules suggested for different types of users:
• Incident Management & Reporting Training — Targeted for personnel that will access the reporting system to check alerts generated by the DLP solution. This training is relevant for Business Function Leads, Business Function Incident Managers, Critical Incident Managers and, optionally, DLP Product Administrators.
• System Admin & Maintenance Training — Targeted for the IT personnel that will be responsible for maintaining the DLP solution from a technical perspective. DLP Product Administrators must attend this training before performing the responsibilities of that role.


• Data Classification & Policy Training — Targeted for personnel that will be creating new policies and modifying existing ones. This training is relevant for Business Function Leads, DLP Consultants, DLP Product Administrators and, optionally, Business Function Incident Managers.
• End User Training — It’s very important to keep end users aware of the processes that they must follow to make the DLP strategy successful for your organization. This training should be offered through online modules at least once per quarter.

Phase 7: Manage the Project & Track Progress
To ensure that your project is successful — and that stakeholders understand its importance for the organization — it’s critical to use meaningful metrics that track how the DLP project is being executed.

For instance, you want to know whether sensitive data is being copied to removable media such as DVDs or USB sticks. Your DLP solution monitors that activity and protects you from it, but it also keeps track of how often that type of activity happens — and who attempts it. Over time, you will be able to see metrics for whether your DLP project, tied to an awareness program, is effective in reducing that risk.

We recommend that you use at least the following reporting metrics:

Weekly Reports to Business Function Leads and Business Function Incident Managers
• Top 10 endpoints/users violating the policy for each business function
• Top policy category violations
• Policy violations per channel or application (USB, email, etc.)
• Incident reports
• Incident status reports
• Incident trend reports

Monthly Reports to Senior Management
• Top policy category violations
• Top users and business processes that violate policies
• Reports with sample incidents highlighting business risks for each business function
• Policy violations per channel or application (USB, email, etc.)
• Risk reduction reports, based on the number of incidents per week

By grouping incidents specific to each business, you can help stakeholders understand the relevant risks that the DLP solution and the overall DLP strategy are identifying and preventing for them.

It’s vital that you inform stakeholders about how the strategy reduces business risks so that they, in turn, will lead their teams to adopt more risk-averse behavior to maintain data security.

When you have achieved that, you’ll know your DLP program is a success.
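
The weekly and monthly reporting metrics listed under Phase 7 can be computed from an incident export, as in this added example (not part of the whitepaper and not tied to any DLP product). The field names, the incident records and the function names are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import date

FIELDS = ("day", "function", "user", "category", "channel")

# Constructed sample incidents (all values invented for illustration).
RAW = [
    ("2024-03-04", "Finance", "alice", "PCI", "email"),
    ("2024-03-05", "Finance", "alice", "PCI", "usb"),
    ("2024-03-05", "Finance", "bob", "PII", "email"),
    ("2024-03-06", "HR", "carol", "PII", "usb"),
    ("2024-03-07", "HR", "carol", "PII", "usb"),
    ("2024-03-08", "Finance", "alice", "PII", "web"),
    ("2024-03-11", "Finance", "alice", "PCI", "email"),
    ("2024-03-12", "HR", "carol", "PII", "usb"),
    ("2024-03-14", "Finance", "bob", "PII", "email"),
]
INCIDENTS = [dict(zip(FIELDS, row)) for row in RAW]


def top_violators(incidents, n=10):
    """Top-n users per business function, for the weekly business function report."""
    per_function = defaultdict(Counter)
    for inc in incidents:
        per_function[inc["function"]][inc["user"]] += 1
    return {fn: counts.most_common(n) for fn, counts in per_function.items()}


def violations_by(incidents, field):
    """Incident counts grouped by one field, e.g. 'category' or 'channel'."""
    return dict(Counter(inc[field] for inc in incidents))


def incidents_per_week(incidents):
    """Incident count keyed by ISO (year, week), in chronological order."""
    weeks = Counter()
    for inc in incidents:
        iso = date.fromisoformat(inc["day"]).isocalendar()
        weeks[(iso[0], iso[1])] += 1
    return dict(sorted(weeks.items()))


def risk_reduction(incidents):
    """Percent change in weekly incidents, first week vs. last week (negative = fewer)."""
    counts = list(incidents_per_week(incidents).values())
    if len(counts) < 2 or counts[0] == 0:
        return None  # a trend needs at least two weeks of data
    return round(100 * (counts[-1] - counts[0]) / counts[0], 1)


if __name__ == "__main__":
    print("Top violators:", top_violators(INCIDENTS))
    print("By category:", violations_by(INCIDENTS, "category"))
    print("By channel:", violations_by(INCIDENTS, "channel"))
    print("Per week:", incidents_per_week(INCIDENTS))
    print("Weekly change %:", risk_reduction(INCIDENTS))
```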

CONTACT
www.forcepoint.com/contact

ABOUT FORCEPOINT
© 2017 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. Raytheon is a registered trademark of Raytheon Company. All other trademarks used in this document are the property of their respective owners.
[WHITEPAPER_BUILDING_DLP_PROCESS_ENA4] 200045.021317
