A comprehensive DLP solution that protects data in motion, data at rest and data in user require complex and significant amount of preparation activities. Among these activities, data classification, risk assessment and policy development are the most critical ones and involve both the commitment from senior management and IT security personnel in universities.

1. Risk Assessment

The main purpose for a risk assessment is to identify all types of data within the universities and the associated threats and vulnerabilities. Key stakeholders from different parties should be gathered together to discuss and reach agreements on topics including, but not limited to, the following:

• What data should be protected? E.g. Internal, Confidential, Highly Confidential

• What applications or infrastructure should be covered by DLP?

• What regulatory and legal requirement we need to comply with?

• Who are the authorised personnel that can receive data from us?

• What is the reporting and workflow of DLP solutions?

• What are the expected accuracy rates for different kinds of data? E.g. statistical / conceptual analysis or partial database matching?

2. Data Classification

Data classification helps to categorise data based on the value to universities and add additional controls to limit the access and movements of sensitive data. Proper data classification allows universities to determine the order of protection for different types of data and focus DLP capabilities on information with higher priorities. A typical data classification should include the following:

• Develop a standard or policy for data classification

• Identify data type by departments

• Identify administrator/custodian/users for each data type

• Identify systems maintaining, processing, or storing each data type

• Specify the criteria of how the data will be classified and labelled

• Create an user awareness program

3. Develop Policies, Standards and Procedures

Comprehensive policies, standards, and procedures are the basis for an effective DLP solution. By referencing to established policies, standards, and procedures, the following criteria can be defined for DLP tools to meet:

• Target data classification(s) that require protection from DLP

• What actions are permitted to be performed on such data

• What are the security violations that require DLP to prevent and alert

• What are the handling processes for identified violations

• Whom should be informed when there are security violations identified

Developed policies, standards, and procedures should be reviewed and approved by management of relevant parties before finalisation.

Reference:

http://www.isaca.org/Knowledge-Center/Research/Documents/DLP-WP-14Sept2010-Research.pdf
http://www.ironport.com/pdf/ironport_dlp_booklet.pdf