Avoiding Data Loss Prevention (DLP) Pitfalls: A Discussion of Lessons Learned (April 2013)

Speaking With You Today
Dan Frank, Principal, Deloitte & Touche LLP, danfrank@deloitte.com, (312) 486-2541 (office), (312) 401-0125 (cell)
Charles Keane, National Security Architect, Symantec, Charles_Keane@symantec.com, (617) 571-7170
1 DLP Pitfalls A discussion of lessons learned

Agenda
- Deloitte and Symantec Alliance Overview
- Top 10 DLP Challenges and Root Causes
- Summary
As used in this document, "Deloitte" means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Alliance Overview
Global leaders with a demonstrated track record of achievements and leading practices.
Deloitte: leading risk consulting practice; client-specific, pragmatic advisory services; ability to provide strategic and technical responses to core business challenges.
Symantec: leading security software provider; global intelligence network; sophisticated and mature enterprise security tools and technologies.
Our alliance brings together two of the leading security and privacy software and professional services organizations in the world, helping organizations solve constantly evolving, complex security and privacy related business challenges.

#10 Where do I start?
Root causes:
- Lack of understanding of the current environment, data loss risks, and associated risk mitigation priorities
- A tendency to "boil the ocean" when approaching data loss initiatives, which makes the solution seem overwhelming
- Perception that DLP is a one-time technical project instead of a program
Lessons learned:
- Understand your risks first
- Prioritize your deployment strategy based on the riskiest areas (e.g. data types, business units, business functions, endpoints, repositories)
- Build a multi-year roadmap for your DLP program that focuses on quick wins as well as incremental business value and advanced functionality

#9 Understanding the Total Cost of Ownership of a DLP Program
Root causes:
- Failure to evaluate vendor marketing promises
- Misunderstanding of infrastructure costs and employee resource requirements
- Poor planning of the level of effort associated with policy creation, workflow/remediation, and testing and tuning
Lessons learned:
- Conduct vendor evaluations and proofs of concept against specific business and technical requirements. Trust, but verify.
- Create a high-level solution architecture to assist with estimating infrastructure costs
- Estimate resource requirements for both the initial deployment and ongoing operations and maintenance

#8 Getting Past the Basics: Utilizing Advanced Features (only 30-40% of Symantec's DLP customers currently use advanced features)
Root causes:
- Concern with impeding legitimate business processes
- Lack of understanding of legitimate versus illegitimate business use
- Undefined processes for business use case analysis
- Policies defined on content alone rather than on content plus contextual analysis (who is sending, to where, over which channel)
- Insufficient testing and tuning of policies over time before full-scale deployment
- Lack of workflow and associated roles and responsibilities, SLAs, etc. to help the business recover information efficiently
Lessons learned:
- A sound understanding of the business and its use cases is critical to enabling advanced features
- Policies should be carefully configured based on business use case analysis and sufficiently tested and tuned prior to being enabled
- Operational procedures and workflow for recovery of blocked, quarantined, or encrypted information must be established to prevent prolonged business interruption

#7 Inability to move from data at rest (DAR) identification to DAR remediation
Root causes:
- Policies aren't fully tested and tuned before DAR scans take place
- No ownership information or other metadata is present in files
- No formal workflow process in place to interface with end users
Lessons learned:
- DAR scans should not be your first priority; baselines should be established over time to develop mature policies
- Lead DAR scans with Data Insight (DI), allowing the tool to collect several months of usage patterns to establish ownership information
- Use the information found in DLP and DI scans to establish a formal workflow

#6 Frustration with the speed at which the DLP solution becomes functional
Root causes:
- Lack of a DLP strategy to provide a clear vision and direction for the solution
- Poorly defined requirements
- "Big bang" implementation approach
Lessons learned:
- Clearly and transparently articulate the DLP program's vision and strategy to stakeholders
- Well-defined requirements along with a phased implementation plan are important
- Utilize POCs, pilots, and phased implementation approaches

#5 Deploying DLP Globally
Root causes:
- Global privacy laws and labor unions can present varying, sometimes conflicting requirements which can restrict DLP monitoring
- Complaints about DLP monitoring from end users arising from cultural differences
- Proper messaging and approvals not vetted beforehand
Lessons learned:
- Analyze and document legal and regulatory requirements related to employee monitoring (e.g. Germany, Netherlands)
- Create a regulatory/labor union communications and approval strategy and plan
- Allow ample time for socialization and approval of the solution with regulatory authorities and labor unions

#4 Stakeholders may not understand the value that the solution is offering
Root causes:
- Poorly defined or undefined DLP metrics and effectiveness criteria
- Lack of operational processes to collect and report DLP metrics
- Stakeholder expectation gaps related to functionality and timelines
Lessons learned:
- Define metrics and effectiveness criteria, along with an initial baseline from which you can measure future progress
- Establish operational processes to periodically collect and report DLP metrics to stakeholders
- Involve stakeholders early and remain as transparent as possible throughout

#3 Same Old, Same Old: Business Behavior Doesn't Change
Root causes:
- Lack of operational processes and resources to perform business process re-engineering
- Lack of organizational policies and associated training and ongoing communications to establish and reinforce expectations
- Poorly defined or undefined disciplinary measures and enforcement
- Lack of secure alternatives (e.g. secure e-mail, secure FTP, secure storage locations)
Lessons learned:
- Establish operational processes and a team to work with the business on secure alternatives for their business processes
- Establish organizational security policies and reinforce them with training and ongoing awareness campaigns
- Establish disciplinary processes and integrate data protection goals into employee performance evaluations/appraisals
- Provide users secure alternatives to accomplish their activities; otherwise insecure workarounds will be developed

#2 Unmanageable Incident Queues
Root causes:
- Poorly defined or undefined incident severity levels and response workflows/procedures
- Policies defined too broadly and without knowledge of legitimate business use
- Insufficient testing and tuning of policies over time before full-scale deployment
- Lack of a phased approach
- Insufficient resource allocation for incident response and remediation
- Lack of training of the incident response team
Lessons learned:
- Define criteria for categorizing incidents by severity so that resources can be allocated based on business risk
- Formally document incident response procedures
- Spend the time required to understand your business so that policies can ignore legitimate business transactions/use
- Spend the time required to test and tune policies before fully deploying them
- Don't boil the ocean: start out slowly with a small number of policies
- Allocate the requisite resources and conduct formal training
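The two slides above (#8 on content-only versus contextual policies, and #2 on severity criteria and policies that ignore legitimate business use) describe the tuning problem in words. The following is an added illustration, not code from the presentation and not Symantec DLP's own rule engine: a stand-in policy evaluator run over constructed sample events. It contrasts a naive content-only rule (any 16-digit run is a card number, every hit is "High") with a tuned rule that validates candidates with the Luhn check, suppresses a documented legitimate business flow (a hypothetical finance team sending settlement files to an approved acquirer domain), and assigns severity tiers by the number of distinct validated card numbers. All addresses, domains, thresholds and sample messages are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Content rule shared by both policies: a run of 16 digits, optionally separated by
# spaces or hyphens, bounded by non-digits.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that real card numbers satisfy; most order numbers and IDs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def with_check_digit(prefix15: str) -> str:
    """Append the Luhn check digit to a 15-digit prefix (used only to build constructed sample data)."""
    for d in "0123456789":
        if luhn_valid(prefix15 + d):
            return prefix15 + d
    raise ValueError("no check digit found")  # not reachable for a 15-digit prefix


@dataclass
class Event:
    event_id: str
    sender: str
    recipient: str  # mailbox, or destination host for an upload
    channel: str    # e.g. smtp, https
    body: str


def pan_candidates(body: str) -> List[str]:
    """Return every 16-digit run in the body with separators stripped."""
    return [re.sub(r"[ -]", "", m.group()) for m in PAN_PATTERN.finditer(body)]


def naive_policy(event: Event) -> Optional[Dict[str, object]]:
    """Content only, no validation, no context, one severity: the queue-flooding configuration."""
    hits = pan_candidates(event.body)
    return {"severity": "High", "matches": len(hits)} if hits else None


# Assumed output of a business use case analysis (hypothetical names): the finance team
# legitimately sends settlement files containing card numbers to the card acquirer.
FINANCE_SENDERS = {"finance@corp.example"}
APPROVED_DESTINATIONS = {"acquirer-partner.example"}


def tuned_policy(event: Event) -> Optional[Dict[str, object]]:
    """Content plus context plus severity tiers: only validated, distinct PANs count."""
    valid = {c for c in pan_candidates(event.body) if luhn_valid(c)}
    if not valid:
        return None
    dest_domain = event.recipient.rsplit("@", 1)[-1].lower()
    if event.sender in FINANCE_SENDERS and dest_domain in APPROVED_DESTINATIONS:
        return None  # documented legitimate business transaction, not an incident
    n = len(valid)
    severity = "High" if n >= 10 else "Medium" if n >= 2 else "Low"  # assumed tiers
    return {"severity": severity, "matches": n}


# Constructed sample traffic (not real data). 4111..., 4012... and 5555... are well-known
# Luhn-valid test numbers; the bulk export is generated with valid check digits.
_BULK_PANS = [with_check_digit(f"45320100000{i:04d}") for i in range(12)]
_BULK = "customer_id,pan\n" + "\n".join(f"{i},{pan}" for i, pan in enumerate(_BULK_PANS))
SAMPLE_EVENTS = [
    Event("e1", "finance@corp.example", "settlements@acquirer-partner.example", "smtp",
          "Daily settlement: 4111 1111 1111 1111, 4012-8888-8888-1881, 5555555555554444"),
    Event("e2", "jdoe@corp.example", "jdoe.home@webmail.example", "smtp",
          "Use my card 5555555555554444 for the booking"),
    Event("e3", "marketing@corp.example", "list@newsletter.example", "smtp",
          "Orders 1234567890123456 and ORD-1234567890123457 shipped"),  # Luhn-invalid IDs
    Event("e4", "bsmith@corp.example", "share.example", "https", _BULK),
]


def run_queue(policy, events: List[Event] = SAMPLE_EVENTS) -> Dict[str, Dict[str, object]]:
    """Simulate the incident queue a policy would produce: event_id -> verdict."""
    queue: Dict[str, Dict[str, object]] = {}
    for event in events:
        verdict = policy(event)
        if verdict:
            queue[event.event_id] = verdict
    return queue


if __name__ == "__main__":
    for name, policy in (("naive", naive_policy), ("tuned", tuned_policy)):
        print(name, run_queue(policy))
```

Running it shows the naive rule opening four "High" incidents, two of which are noise (the approved settlement file and the order numbers), while the tuned rule opens two incidents ranked Low and High so that the analyst looks at the bulk export first. The same shape applies to other data types: validate the content match, carve out the use cases the business has documented, and let the severity tier drive who works the queue.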

#1 Business Community / End User Outcry
Root causes:
- Lack of policies to clearly set employee expectations
- Lack of communication related to the solution/program
- Lack of business involvement in requirements and scope definition
- Lack of secure alternatives (e.g. secure e-mail, secure storage locations, etc.)
- Lack of operational processes to reduce business interruption time
Lessons learned:
- Set expectations through policy
- Reinforce expectations through training and awareness mechanisms
- Engage the business in solution requirements and scope
- Establish secure alternatives to enable people to do the right thing
- Establish operational processes and resources to respond to events efficiently and limit business interruption time

A Holistic DLP Program
In our joint experience an effective DLP solution/program should be approached broadly, focusing not just on the technology, but also on the people and processes needed to support and interface with the DLP solution. The approach is top down, integrates people, process, and technology, and aligns the DLP solution with business drivers and value.
I. Governance: DLP strategy; DLP requirements; organizational structure; policies and procedures; training and awareness; metrics, monitoring, and reporting
II. Process: business process analysis; incident response workflows; incident response plan; tuning and adjustment; policy change management; help desk procedures; business process re-engineering
III. Security Integration: integration with enterprise security tools and systems (IAM, SEM, DLP, GRC, infrastructure)
IV. System Implementation: hardware and software; egress points; storage repositories; endpoints; policy configuration; access configuration
[Diagram: example enterprise environment showing where DLP is deployed. Network: WAN, WWW, VPN, DR. Applications: data warehouse, business analytics, customer portal, outsourced development, enterprise e-mail. Files: production data, staging, file server. Storage: disk storage, backup tape, backup disk.]

In Summary
Considerations Toward an Effective DLP Program:
- Transparent communication with stakeholders and the business community
- Tight coordination and integration with the business
- Well-defined requirements aligned with business goals
- A well thought out and defined strategy and roadmap/plan
- Allocating resources to supporting processes
- Achieving and building upon quick wins
Benefits of Our Joint Approach:
- Helps prevent costly rework
- Demonstrates business value through quick wins
- Helps prevent business community and end-user outcry
- Enables the use of advanced system capabilities
- Maintains stakeholder support
- Improves incident response capabilities

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation. Member of Deloitte Touche Tohmatsu Limited