Auditing Data Loss Prevention (DLP) Programs
September 2014
Agenda
1. What is Data Loss Prevention (DLP)?
2. Auditing a DLP Program
3. Key Audit Findings
Figure: the data lifecycle (1. Create, 2. Store, 3. Use, 4. Share, 5. Archive, 6. Destroy), with where data is exposed at each stage:

2. Store: data residing in data repositories and files throughout the corporate environment
   - File servers
   - Databases
   - Mail files
   - Document Management Systems
3. Use: data used at the endpoints
   - Files saved to the local hard drive on devices (e.g., laptops, desktops, or mobile devices)
   - Files copied to removable media
   - Copy/paste, hard-copy printing, screenshots
4. Share: data traversing the corporate network
   - Email, web and application communications to tablet or mobile devices
5. Archive: data management, periodic backups
Figure: typical DLP architecture. An Enforce (Management) server backed by an Oracle Database coordinates the detection components: Network Monitor (network switch), Network Prevent for Web (web proxy), Network Prevent for Email (MTA), Network Discover (file systems/databases) and Endpoint Prevent (endpoints).
Auditing DLP

Table: Category / Description (descriptions not recovered from the slide). Audit categories:
- Confidentiality
- Integrity
- Availability
- Operational Processes & Procedures
- Architecture/Implementation
- Security Operations
Network
- DLP systems which contain sensitive data are segmented from the rest of the corporate network.
- Perimeter firewalls are configured to only allow necessary and secure protocols.
System
- DLP systems are appropriately locked down; they only contain applications and services which have been approved/are in line with corporate security standards.
- DLP systems have preventative & detective security measures in place, such as anti-virus software, to prevent compromise of the system.
Application
- The DLP application is regularly updated to contain the latest security patches and functionality.
- The application is configured with supported security controls enabled, such as HTTPS, limited access to the administrative panel, etc.
Roles
- Distinct roles are configured and deployed which enforce least privilege and separation of duties principles.
- The Administrator account is disabled; users which require administrator access are given specific privileges to enable accurate auditing of user actions.
- Where is this report pulling incident details from (e.g. from the DLP database, from the data warehouse, etc.)?
- Is this report pulling in events from all vectors (in motion, in use, at rest)?
- Is the report pulling in all events? How were the filters/sorts configured? I.e. take the total incident counts for the period by vector and by policy, and compare the incident counts by vector, policy and severity against the reports in question.
- What controls are in place to prevent events from being archived or purged from the database (role-based access)?
Table: Control / Impact (row contents not recoverable from the slides)
Return on Investment (ROI)

Common metrics to measure effectiveness and risk reduction include:

Efficiency
- Number of false positives detected
- Number of false positives reviewed
- Number of data owners identified
Effectiveness
- Number of DLP systems operational
- Average downtime
- Number of business processes analyzed
- Number of true incidents generated
Impact
- Number of incidents remediated
- Rate of reoccurring incidents per data owner
- Number of systems which contain sensitive data
- Amount of unencrypted sensitive network traffic
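The report questions on the earlier slide (recompute totals by vector, policy and severity straight from the DLP database and compare them with the report) and the ROI metrics listed above both reduce to arithmetic over an incident export. The script below is an added example and is not part of the PwC deck or any DLP vendor's tooling: the incident records, the report totals and the field names (vector, policy, severity, status, owner) are constructed sample data, and the constructed report deliberately omits one vector so that the reconciliation has something to flag.

```python
"""Added example, not from the PwC deck: reconcile a DLP incident export
against a management report and derive the deck's efficiency/impact metrics.
Every record and total below is constructed sample data."""
from collections import Counter

# Constructed incident export, as an auditor would pull it directly from the
# DLP database rather than from the report under review.
INCIDENTS = [
    {"id": 1, "vector": "in motion", "policy": "PCI", "severity": "high", "status": "remediated", "owner": "finance"},
    {"id": 2, "vector": "in motion", "policy": "PCI", "severity": "high", "status": "remediated", "owner": "finance"},
    {"id": 3, "vector": "at rest", "policy": "PII", "severity": "medium", "status": "open", "owner": "hr"},
    {"id": 4, "vector": "in use", "policy": "PII", "severity": "low", "status": "false positive", "owner": "hr"},
    {"id": 5, "vector": "in use", "policy": "Source Code", "severity": "high", "status": "remediated", "owner": "engineering"},
    {"id": 6, "vector": "at rest", "policy": "PCI", "severity": "medium", "status": "false positive", "owner": "finance"},
]

# Totals as claimed by the (constructed) report under audit. It silently
# omits the "at rest" vector and under-counts medium severity.
REPORTED = {
    "vector": {"in motion": 2, "in use": 2},
    "policy": {"PCI": 3, "PII": 2, "Source Code": 1},
    "severity": {"high": 3, "medium": 1, "low": 1},
}


def count_by(incidents, field):
    """Independent incident counts per value of `field` (vector, policy, severity, ...)."""
    return Counter(i[field] for i in incidents)


def reconcile(incidents, reported):
    """Compare the report's totals with counts recomputed from the export.
    Returns {field: {value: (reported, actual)}} for every mismatch; an empty
    dict means the report accounts for every incident in the export."""
    discrepancies = {}
    for field, claimed in reported.items():
        actual = count_by(incidents, field)
        # Union of keys catches values the report dropped entirely.
        for value in set(claimed) | set(actual):
            if claimed.get(value, 0) != actual.get(value, 0):
                discrepancies.setdefault(field, {})[value] = (claimed.get(value, 0), actual.get(value, 0))
    return discrepancies


def program_metrics(incidents):
    """Metrics from the ROI slide, computed from the export rather than the report."""
    total = len(incidents)
    false_positives = sum(1 for i in incidents if i["status"] == "false positive")
    true_incidents = total - false_positives
    remediated = sum(1 for i in incidents if i["status"] == "remediated")
    # Reoccurrence per data owner: true incidents beyond the first for that owner.
    per_owner = Counter(i["owner"] for i in incidents if i["status"] != "false positive")
    recurring = {owner: n - 1 for owner, n in per_owner.items() if n > 1}
    return {
        "total_events": total,
        "false_positives": false_positives,
        "false_positive_rate": round(false_positives / total, 2) if total else 0.0,
        "true_incidents": true_incidents,
        "remediation_rate": round(remediated / true_incidents, 2) if true_incidents else 0.0,
        "recurring_per_owner": recurring,
    }


if __name__ == "__main__":
    for field in ("vector", "policy", "severity"):
        print(field, dict(count_by(INCIDENTS, field)))
    print("discrepancies:", reconcile(INCIDENTS, REPORTED))
    print("metrics:", program_metrics(INCIDENTS))
```

The reconciliation iterates over the union of reported and recomputed keys, so a vector or severity that the report filtered out entirely still shows up as a (0, n) mismatch rather than being missed; in an audit the same recomputation should be run against the database the report claims as its source, not the report's own extract.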
Finding categories: Integrity, Availability, Operational Processes, Governance & Staffing, Architecture & Implementation

Findings:
- Metrics are not being routinely generated and presented to the Data Governance Committee.
- DLP Events are not processed in a timely manner.
2014 PricewaterhouseCoopers LLP (US). All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity.
Auditing Data Loss Prevention (DLP) Programs, PwC, September 2014