Assessment tool: Data loss prevention – Are you successfully managing your data loss prevention tools?


Data loss prevention (DLP) tools protect data in use, data in motion and data at rest through a centralized management framework. But the implementation of a DLP system does not absolve organizations of all other security efforts – employees still need to follow safe data handling practices for the tools to be effective.

This tool will help you gauge how effective your data management practices are and highlight any gaps, so that you can build a stronger data loss prevention program.

Note: this tool is intended to guide decisions and stimulate focused conversations about risk management. For a complete assessment of your needs, please contact your Bell representative for the latest information on our offerings and sample consultation scenarios. You can also request to be contacted by a Bell representative by clicking here.

Management controls

Sound data management practices demand sound enterprise-wide policy and standards.

  1. How are data management practices applied in your organization?
    1. On an ad hoc basis
    2. Varies by individual
    3. By department
    4. Across the enterprise
  2. Describe your organization's data classification policy:
    __________________________________________________________________
    __________________________________________________________________
  3. Do you audit adherence to these policies across the organization?
    1. Yes, on a schedule with third-party auditors
    2. Yes, on a schedule but only with internal auditors
    3. Yes, but it has not been formalized or scheduled
    4. No
  4. Do you have a formally approved 'acceptable use' network (Internet) policy for employees, contractors, partners and suppliers?
    1. Yes
    2. We have one, but it has not been formalized
    3. No
  5. Are you required to manage data leakage as a matter of regulatory compliance?
    1. Yes
    2. No
  6. List those compliance regulations that currently affect your data protection policies:
    ___________________________________________________________________
    ___________________________________________________________________
  7. Is responsibility for applying and enforcing the classification and information handling policy formally defined and assigned? If so, to whom?
  8. Are sanctions for mishandling of data clearly defined?
    1. Yes
    2. Disciplinary action is defined, but it's too weak
    3. Disciplinary action is sufficient, but handled on a case by case basis
    4. Disciplinary action is seldom sufficient and is handled on a case by case basis
    5. We don't have a policy in place

Operational controls

Knowing where data assets are and how well they are classified is a major element in data loss prevention.

  1. Describe your process for assessing and documenting the sensitivity of different types of data according to the approved classification system:
    __________________________________________________________________
    __________________________________________________________________
  2. Do you possess a map of your data holdings, and can you say with certainty where each type of data is stored and which networks it traverses?
    1. Yes
    2. Not as such, but we can quickly access that information
    3. No
  3. How often does your organization audit the data map for compliance with classification and handling policies?
    1. Every quarter
    2. At least once a year
    3. Once every two or three years
    4. Occasionally but unscheduled
    5. Never
  4. Do you have a response plan and assigned resources in the event that leakage is detected? Check all that apply.
    1. We have a response plan
    2. We have designated resources
    3. We have access control emergency procedures
    4. We have forensic procedures
    5. Business continuity will not be affected when our plan is put into action
    6. Not as such, but we can come up with one as needed
    7. None of the above
  5. Have staff been trained on your classification policy and associated handling requirements?
    1. Yes, almost without exception
    2. To a reasonable extent, though there is room for improvement
    3. They have been educated, but adoption is weak
    4. Education is weak and few practice safe data handling
    5. No

Technical controls

Task-specific DLP tools can greatly mitigate the risk of data loss. How does your organization measure up?

  1. What perimeter security tools do you have in place to prevent data leakage?
  2. What internal network security tools do you have in place to prevent data leakage?
  3. What elements do these tools cover? Check all that apply.
    1. Outbound email, Web and webmail
    2. Bulk file transfer utilities and protocols
    3. Instant messaging
    4. Peer-to-peer applications
    5. Unauthorized database queries from partner, client and guest accounts
    6. Unusual file-system activity (e.g., large volumes of copying)
    7. Peripheral devices (such as USB devices)
    8. Unauthorized devices on the network
  4. How do network and data access controls enforce permissions?
    1. On an individual basis
    2. We have different levels of authorization based loosely on seniority/job function
    3. Managers are the gatekeepers
    4. We monitor and log access, but don't control
    5. There is little control in place
  5. Does your organization compartmentalize assets at different levels of sensitivity with network zoning?
    1. Yes
    2. To some extent
    3. No – zoning is used but not for data management
    4. No – we have a single network separated from the internet by a firewall
  6. Describe how you currently monitor for unapproved network connections such as rogue ISP connections in branch offices or rogue wireless access points:
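
To make concrete what the content-inspection and activity-monitoring coverage asked about in questions 1 to 3 above actually does, the following Python script is an example added for this page; it is not a Bell product, nor configuration from any DLP vendor. It inspects constructed sample outbound messages for payment card numbers and classification markings, and scans constructed file-system events for bulk copying to removable media. The message schema, the example.com domain used to decide what is "internal", the action names, the marking strings and the thresholds are all assumptions made for the example.

```python
"""Minimal DLP-style inspection over constructed sample data (added example).

Two coverage areas from the checklist are exercised:
  * outbound email/web content: find payment card numbers (validated with the
    Luhn checksum so that order or ticket numbers are not flagged) and
    classification markings sent to external recipients;
  * file-system activity: flag a user who copies an unusually large number of
    files to removable media inside a short sliding window.
Every input below is constructed for the example; nothing is read from a network.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed classification markings an organization might stamp on documents.
MARKINGS = ("CONFIDENTIAL", "INTERNAL ONLY", "RESTRICTED")
INTERNAL_DOMAIN = "@example.com"  # assumed; anything else is treated as external


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid card numbers found in text, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def inspect_outbound(message):
    """Return policy violations for one message (assumed keys: sender, recipient, body)."""
    violations = []
    body = message["body"]
    internal = message["recipient"].endswith(INTERNAL_DOMAIN)
    if internal:
        return violations  # only external transfers are policed in this example
    pans = find_pans(body)
    if pans:
        violations.append(f"PAN to external recipient ({len(pans)} card number(s))")
    marked = [mark for mark in MARKINGS if mark in body.upper()]
    if marked:
        violations.append("classified content to external recipient: " + ", ".join(marked))
    return violations


def bulk_copy_alerts(events, threshold=50, window=timedelta(minutes=10)):
    """Return {user: peak_count} for users whose copies to removable media exceed
    `threshold` within any `window`. events: (timestamp, user, action, target)."""
    per_user = defaultdict(list)
    for ts, user, action, _target in events:
        if action == "copy_to_removable":  # assumed action name
            per_user[user].append(ts)
    alerts = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):  # two-pointer sliding window
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[user] = peak
    return alerts


# Constructed sample messages. 4111 1111 1111 1111 is the well-known Luhn-valid
# test number; 1234567890123456 fails Luhn and must not be reported as a PAN.
SAMPLE_MESSAGES = [
    {"sender": "alice@example.com", "recipient": "bob@example.com",
     "body": "Refund card 4111 1111 1111 1111 per ticket 4412. CONFIDENTIAL"},
    {"sender": "alice@example.com", "recipient": "vendor@partner.test",
     "body": "Please charge 4111-1111-1111-1111 for the outstanding invoice."},
    {"sender": "carol@example.com", "recipient": "press@news.test",
     "body": "Order 1234567890123456 shipped; see INTERNAL ONLY notes attached."},
]

# Constructed file-system events: alice copies 60 files in five minutes, bob copies 5.
_BASE = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = (
    [(_BASE + timedelta(seconds=5 * i), "alice", "copy_to_removable", f"/shared/finance/{i}.xlsx")
     for i in range(60)]
    + [(_BASE + timedelta(minutes=i), "bob", "copy_to_removable", f"/home/bob/{i}.txt")
       for i in range(5)]
    + [(_BASE, "bob", "open", "/home/bob/notes.txt")]
)

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["recipient"], inspect_outbound(msg))
    print(bulk_copy_alerts(SAMPLE_EVENTS))
```

The Luhn check is the caveat worth carrying into any real deployment: a bare "16 digits" pattern will page the team on invoice, order and ticket numbers, and the resulting alert fatigue is how real leaks get ignored. The sliding-window count is likewise only a starting point; a production rule would tune the threshold per role and per file classification rather than use one global number.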

For more information on creating and implementing a security roadmap, contact your Bell representative today or click here to have a Bell representative contact you.