www.pwc.com

Auditing Data Loss Prevention (DLP) Programs
September 2014

Agenda
1. What is Data Loss Prevention (DLP)?
2. Auditing a DLP Program
3. Key Audit Findings

Auditing Data Loss Prevention (DLP) Programs


PwC

September 2014
Slide 2

What is Data Loss Prevention (DLP)?

Data Loss Prevention is more than just a technology; DLP consists of processes and controls designed to minimize sensitive data loss.

Data Loss Prevention (DLP) is a capability consisting of people, process, and technology solutions which enable companies to better manage sensitive data within their environment.
Data-centric controls, focusing on how data is used across the business and end user processes, reduce risk by providing an enhanced understanding of the client's sensitive data landscape and tools to manage that landscape.
Sensitive data loss can be mitigated by using DLP tools designed to detect data at rest, data in motion, and data in use.


DLP applied throughout the Data Lifecycle

1. Create
   Data is created by people, processes, and technologies

2. Store
   Data residing in data repositories and files throughout the corporate environment
   File servers
   Databases
   Mail files
   Document Management Systems

3. Use
   Data used at the endpoints
   Files saved to the local hard drive on devices (e.g., laptops, desktops, or mobile devices)
   Files copied to removable media
   Copy/paste, hard-copy printing, screenshots
   Email, web and application communications to tablet or mobile devices

4. Share
   Data traversing the corporate network
   Email and personal webmail
   Social media
   Manual or automated file transfers
   Network monitoring
   Network filtering

5. Archive
   Data management
   Periodic backups

6. Destroy
   Physical data destruction
   Secure wipe of data

DLP applied throughout the Data Lifecycle

Asset Classification helps to preemptively identify new sources of sensitive data.

Lifecycle stages: 1. Create, 2. Store, 3. Use, 4. Share, 5. Archive, 6. Destroy

High-Level DLP Architecture

Components shown in the architecture diagram:
Firewall, Web Proxy, Network Switch, MTA
Network Prevent for Web
Network Prevent for Email
Network Monitor
Enforce (Management)
Oracle Database
Network Discover (File Systems/Databases)
Endpoint Prevent (Endpoints)

Auditing DLP

Category: Description

Confidentiality: Preventing unauthorized people from accessing information while ensuring authorized people can access information
Integrity: Maintaining and assuring the accuracy and consistency of data over its life-cycle
Availability: Responding to outages and other events to maximize uptime and access to data
Operational Processes & Procedures: Defining and deploying processes necessary to maintain the environment in an operational state
Governance & Staffing: Providing an authoritative and effective reporting structure and ensuring adequate resources to staff the program
Architecture/Implementation: Designing and implementing the solution in a secure way which allows for measurable objectives to be completed

The slide's table also has Security and Operations columns, with a checkmark per category.

Auditing DLP Confidentiality

The implementation and operation of a DLP Program should not introduce additional risk into the environment. The DLP tool contains sensitive data and must be secured appropriately.

Network
DLP systems which contain sensitive data are segmented from the rest of the corporate network.
Perimeter firewalls are configured to only allow necessary and secure protocols.

System
DLP systems are appropriately locked down; they only contain applications and services which have been approved/are in line with corporate security standards.
DLP systems have preventative & detective security measures in place, such as anti-virus software, to prevent compromise of the system.

Application
The DLP application is regularly updated to contain the latest security patches and functionality.
The application is configured with supported security controls enabled, such as HTTPS, limited access to the administrative panel, etc.

Roles
Distinct roles are configured and deployed which enforce least privilege and separation of duties principles.
The Administrator account is disabled; users which require administrator access are given specific privileges to enable accurate auditing of user actions.


Auditing DLP Integrity

DLP backend environments typically are designed to prevent unauthorized data changes by end users via the use of default attributes and custom attributes.
Default attributes consist of detailed information collected from the event itself (e.g. data matching a policy, user information such as AD ID and/or IP address).
Custom attributes are additional details captured for an identified event (e.g. attributes which can be pulled from Active Directory or HRIS); the DLP solution relies on such systems to be complete and accurate, as this is the information put into events.
DLP data integrity issues primarily concern reporting. When auditing the integrity of reports, important questions include:

Where is this report pulling incident details from (e.g. from the DLP database, from a data warehouse, etc.)?
Is this report pulling in events from all vectors (in motion, in use, at rest)?
Is the report pulling in all events? How were the filters/sorts configured?
   i.e. total incident counts for the period by vector, total incident counts for the period by policy; compare incident counts by vector, policy and severity against the reports in question
Who has access to create, modify, and view these reports?
What controls are in place to prevent events from being archived or purged from the database (role-based access)?
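The filter question above can be answered mechanically: recompute the period's incident totals by vector, policy and severity from the complete event store and diff them against what the report shows. The script below is an added example written for this page, not code from the deck or from any DLP product; the event rows, the column layout and the report figures are all constructed.

```python
"""Reconcile a DLP incident report against the full event store.

Added example (not from the PwC deck): recompute incident totals by vector,
policy and severity from every event and compare them with the totals a
report claims. All events and report figures below are constructed.
"""
from collections import Counter

# Constructed events as exported from the DLP database:
# (event_id, vector, policy, severity)
EVENTS = [
    (1, "in motion", "PCI", "high"),
    (2, "in motion", "PCI", "medium"),
    (3, "in use", "PII", "high"),
    (4, "in use", "PCI", "low"),
    (5, "at rest", "PII", "medium"),
    (6, "at rest", "PII", "low"),
]
COLUMN = {"vector": 1, "policy": 2, "severity": 3}  # tuple index per dimension

# Constructed report whose filters kept only network events of high or
# medium severity, so it silently omits part of the period's incidents.
REPORT = {
    "vector": {"in motion": 2, "in use": 1},
    "policy": {"PCI": 2, "PII": 1},
    "severity": {"high": 2, "medium": 1},
}


def totals(events, dimension):
    """Recompute incident counts for one dimension (vector, policy or severity)."""
    return Counter(e[COLUMN[dimension]] for e in events)


def reconcile(events, report):
    """List every total where the report and the event store disagree.

    An empty list means the report matches the store on every dimension;
    a vector, policy or severity missing from the report is a finding too.
    """
    findings = []
    for dimension, claimed in report.items():
        actual = totals(events, dimension)
        for value in sorted(set(actual) | set(claimed)):
            got, want = claimed.get(value, 0), actual.get(value, 0)
            if got != want:
                findings.append(f"{dimension}={value}: report {got}, store {want}")
    return findings


for finding in reconcile(EVENTS, REPORT):
    print("FINDING:", finding)
```

Run against a live export, the same comparison also surfaces the "subset of total events" finding listed at the end of the deck, since an entire vector or severity absent from the report shows up as a zero against a non-zero store count.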


Auditing DLP Availability

Lack of availability can include a loss of functionality for both the DLP solution itself and the systems it integrates with, due specifically to the implementation and operation of a DLP solution. When a DLP solution is offline, the risk associated with data loss is exposed.

Control: The DLP database and servers are regularly backed up and stored in a safe location.
Impact: In the event of a catastrophic failure, the DLP database and server can be restored to an operational state within an acceptable timeframe.

Control: In-line data in motion servers have failover components; in the event of a catastrophic failure, data in motion servers are designed to fail open.
Impact: If a data in motion DLP server is taken offline, the failover component can continue to operate. If the failover component fails as well, the mail traffic and/or web traffic will continue to operate.

Control: A change management process is in place to appropriately manage changes to the DLP solution and/or integrated systems.
Impact: Change management processes ensure that any necessary changes can be quickly backed out in the event of an issue. This allows both DLP systems and associated Internet traffic to continue to operate.

Control: Troubleshooting activities are well supported with sufficient staff and clearly defined processes/escalation paths.
Impact: In the event of an issue which requires troubleshooting, resources can reliably execute troubleshooting processes to minimize service interruption.


Auditing DLP Operational Processes

An effective DLP Program should have operational processes defined/actively executed to ensure the return on investment.
Processes should aim to achieve the following goals:
Measurable risk reduction
Efficient & effective events processing
Maximum uptime
Minimum business impact

Operational processes:
Detection Policy Management & Optimization
Issue Resolution
Event Processing & Escalation
Event Owner Identification & Remediation
Solution Maintenance
Governance & Management Reporting


Auditing DLP Governance & Staffing

A governance structure complete with adequate staffing is necessary for a DLP Program to function, both in terms of return on investment and measurable risk reduction.
DLP is more than just a technology tool; it is a program that must be regularly operated in order to derive the expected value which justified the investment.

Is a Data Governance Committee in place to make key decisions related to identified security incidents?
Are metrics routinely presented to a Data Governance Committee to present results and address potential issues?
Are there designated resources for both technical operation of the DLP solution as well as investigation, risk identification, and remediation activities?
Is there a designated Data Protection Manager responsible for the key outputs and continued operations of the DLP solution?
Are third parties used to operate the solution? If so, are background checks required for third parties accessing sensitive data?
Have third party risk assessments been performed for DLP vendors?
Are third parties meeting their contractual obligations?

Auditing DLP Architecture/Implementation

The DLP Program's impact should be measurable. The effectiveness of the DLP Program, including quantifiable risk reduction, should be regularly communicated to the Data Governance Committee.

Scope & Architecture
Number & type of systems in scope
DLP vectors (at rest, in motion, in use) deployed
How are third parties accessing the environment?
Effectiveness of architecture deployment
Number of high priority use cases in production
% of company assets covered

Return on Investment (ROI)
Common metrics to measure effectiveness and risk reduction include:

Efficiency
Number of false positives detected
Number of false positives reviewed
Number of data owners identified

Effectiveness
Number of DLP systems operational
Average downtime
Number of business processes analyzed
Number of true incidents generated

Impact
Number of incidents remediated
Rate of recurring incidents per data owner
Number of systems which contain sensitive data
Amount of unencrypted sensitive network traffic

Auditing DLP Typical Key Findings Observed

Confidentiality
The DLP environment is not segmented from the corporate network.
The DLP systems are running insecure services.

Integrity
Permissions do not prevent unauthorized users from generating reports.
Report data only includes a subset of total events.

Availability
There is no change management process/DLP does not follow the change management process.
The DLP database/servers are not regularly backed up.

Operational Processes
Operational processes are not clearly defined/documented.
Processes for the sustainable identification and remediation of DLP Events are not deployed.

Governance & Staffing
The DLP Program does not report to a Data Governance Committee.
The DLP Program is not adequately staffed.

Architecture & Implementation
Metrics are not being routinely generated and presented to the Data Governance Committee.
DLP Events are not processed in a timely manner.

2014 PricewaterhouseCoopers LLP (US). All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP, a Delaware
limited liability partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network,
each of which is a separate and independent legal entity.