This paper describes how we implement our Inherent Data Leakage Prevention Program (IDLPP), which enables your organisation to be prospectively compliant from implementation day.
IDLPP Data Leakage Prevention Strategy
1. Inherent Data Leakage Prevention Program (IDLPP)
By Ben Oguntala, Solutions Director
www.dataprotectionofficer.com
Ben.oguntala@dataprotectionofficer.com
07812039867
2. Introduction
We take standard data leakage prevention and convert it into automated processes that are linked up as part of your organisation's Data Leakage Prevention strategy.
Where IDLPP sits in the organisation:
- Management: IDLPP in management decisions
- Business processes: IDLPP automated business processes
- End devices: IDLPP activated & automated in end devices
- Network systems: IDLPP activated & automated within the network systems
- Comms: IDLPP baseline on all comms
- Suppliers: IDLPP provisions in all supplier contracts
Throughout, IDLPP re-uses incumbent technology, is activated and automated, is compatible with the DLP strategy and is embedded within the organisation.
3. What is the Data Leakage Strategy?
The Data Leakage strategy has four parts:
- DLP policy & procedures: All assets that are considered in scope will have a DLP policy.
- DLP baseline & enforcement: All assets will have a DLP baseline or adopt a hybrid feature.
- DLP monitoring: Integration of IDLPP into your current standard monitoring solution.
- Risk management: To ensure that once the standard is set there is continuous risk assessment in place.
4. IDLPP overview
[Diagram: DMZ tier, Middle tier and Database tier, with Data flowing between the Intranet, the Extranet and Business processes; IDLPP sits in the ingress and egress traffic.]
IDLPP is embedded in each aspect of your network to ensure a holistic approach.
5. IDLPP features
IDLPP product features:
- Data loss prevention
- Firewall
- Anti-spam
- Host IPS
- Anti-malware
- Encryption
- Device control
- Network access control
- Web filtering
- Application control
[Diagram: the features applied across the estate; labels: DMZ tier, Middle tier, Database tier, Intranet, Extranet, Servers, Desktop, Laptops, Data, Compliance Data.]
6. IDLPP features (2)
- Management: Integration of IDLPP into management decisions.
- Business processes: Business processes will include DLP in their considerations.
- End devices: Servers, workstations, laptops and mobiles will all have IDLPP embedded.
- Network systems: Network systems like switches, routers, firewalls, IPS and IDS will have an element of IDLPP.
- Comms: IDLPP policies and procedures will be applied to comms devices, e.g. email, printers and mobiles.
- Suppliers: IDLPP will be included in contracts with suppliers, with a self-audit capability to report on compliance.
7. 3rd parties and extranets
[Diagram: Customer intranet connected over the Internet via Extranets to a Supplier and a 3rd party hosting facility.]
- IDLPP will allow you to audit 3rd party suppliers on an ongoing basis.
- Via contract, IDLPP will be able to extend from the customer intranet to their suppliers and 3rd party hosting facilities.
8. Applicable standards
Several regulatory requirements apply: Data Protection Act, FSA Data security, Data seal (DMA), PCI DSS, SOX 404 and ISO27001.
[Grid: each standard mapped to its policies, procedures & baselines; the areas named are listed below.]
- Network security
- Change management
- Security management
- Data security
- Compliance
- Business process security
- Project cycle security
- 3rd party security
- Access control
- Data privacy impact assessment
- End point security
- Monitoring
9. IDLPP change management
Across PCI DSS, SOX 404, ISO27001, the Data Protection Act, FSA Data security and Data seal (DMA):
- Project/Change assessment: each requires operational risk assessments on an ongoing basis. Currently manual and not cohesive.
- 3rd party audits: each requires supplier audits and pre-engagement and in-flight visits. Costly to carry out and uncoordinated.
- Compliance reporting: each requires a compliance operation and reporting framework. Disparate views and tools.
- Notification requirements: each requires a supplier reporting incidents; management requirements to be notified.
10. IDLPP for Laptops
Build:
• OS Security build specification
• Hardware security baseline
• Remote wipe enabled
• Registration on Asset register
Access control, hard disk, connectivity, USB devices and data:
• Fettered ingress and egress traffic
• Auto lock down of all unauthorised connectivity
• Authorised USB access only
• Secure connectivity
• Encryption policy enforcement
• Data encryption in transit and at rest
• Access control (2 factor authentication)
• Remote wipe functionality
• Hard disk encryption
12. Key questions from regulations
- PCI DSS: Is the network-segregated card holder data adequately secured?
- SOX 404: Are there risk management processes, change control and governance in the organisation?
- ISO27001: Are there policies and procedures that ensure adequate engagement exists between management & business units, as well as procedures to support the policies?
- Data Protection Act: How many information assets do I have and with whom am I sharing them? What sort of privacy impact assessments are carried out for projects & changes?
- FSA Data security: Are there adequate governance, risk management and adequate security for FSA-related confidential & financial information about clients?
- Data seal (DMA): Does the company have adequate data security controls in place to cater for the customer data they are handling?
13. IDLPP Gap analysis
Gap analysis covers the following key areas, identifies the risks in each, and produces countermeasures & recommendations that feed project implementation:
- Network infrastructure
- Business processes
- Software Asset Register
- Hardware Asset Register
- 3rd party suppliers
- Data flow definition
- Policies & procedures
- Risk Management
14. Engagement timeline
Project scope definition (2 man days)
• Questionnaire
• 2 face to face meetings
• Objective definition
Gap analysis and fact finding (20 man days)
• Mapping out your current network infrastructure
• Business processes
• Software Asset Register
• Hardware Asset Register
• 3rd party supplier assessment
• Data flow definition
• Risk management process assessment
• Policies and procedures assessment
Audit report (5 man days)
• Gap analysis report
• Risks and countermeasures
• Recommendations and work streams
Project implementation
• Dependent on work streams