Data Loss Prevention (DLP) procedure policy requires a comprehensive understanding of your Netspective Communications LLC’s specific needs, regulatory requirements, and industry best practices. [FII-SCF-009-DCH-03]
Data loss prevention Program
-
The CISO (Chief Information Security Officer) shall establish a DLP program to prevent data loss and manage digital rights. The DLP program shall focus on identifying, developing, implementing, and managing controls and processes that enable and leverage digital rights management protections to help prevent the loss of data. The CISO shall perform the following functions regarding the DLP program:
-
Develop, implement, and oversee a DLP governance structure.
-
Coordinate with the Project team and Quality team to identify and maintain sensitive information characteristics for enabling information labeling and tracking.
-
Coordinate with the Project team and Quality team personnel to develop, operate, and maintain processes for reviewing and adjudicating detected possible data leakage.
-
Evaluate the effectiveness of protections and create, capture, and utilize performance metrics to improve procedures, processes, and controls.
-
Ensure awareness through outreach and training.
-
Coordinate between the Project team and Quality team to define, build, implement, and maintain a DLP solution that automates information labeling and detects and prevents sensitive data leakage.
-
The DLP solution must be capable of detecting and preventing leakage from the Netspective Communications LLC’s network to the Internet or other external entities outside the agency boundary, between network enclaves within the enterprise network, from endpoint and mobile devices, and from cloud solutions, including encrypted traffic at a minimum.
-
The CISO and the Quality Manager shall coordinate annually to verify the sensitive information inventory.
-
The annual verification shall include, but not be limited to, a review of:
- Existing data inventories.
- High-value assets.
- Mission Essential Functions (MEF).
Data Classification
The information security, data classification involves classifying data based on its level of sensitivity and the impact on the college if that data is disclosed, altered, or destroyed without authorization. The classification of data will help determine baseline security controls for protecting the data.
Confidential Data
Netspective Communications LLC classify data as Confidential when the unauthorized disclosure, alteration, or destruction of that data could pose a significant level of risk to the college or its affiliates. Unauthorized access to or disclosure of confidential information may result in an unwarranted invasion of privacy, financial loss, damage to the college’s reputation, and the loss of community confidence. We should apply the highest level of security controls. Access to Confidential data must be controlled from creation to destruction and should only be granted to individuals affiliated with the Netspective Communications LLC who require such access.
Internal/Private Data
-
Internal/Private data encompasses data that, if someone discloses, alters, or destroys it without authorization, could expose the college or its affiliates to a moderate level of risk. By default, any information assets not explicitly classified as Confidential or Public should be treated as Internal/Private data. It is crucial to implement a reasonable level of security controls to safeguard internal data.
-
Individuals must request and obtain approval from their reporting manager to access Internal/Private data. The granting of data access to individuals also entails a review and authorization process conducted by the Data Owner, who holds responsibility for the data. Additionally, access to Internal/Private data may be authorized for groups of individuals based on their job classification or responsibilities (known as “role-based” access). Furthermore, access to Internal/Private data may be restricted based on an individual’s department.
Public Data
The Netspective Communications LLC classifies data as Public when unauthorized disclosure, alteration, or destruction of that data would pose little or no risk to the Netspective Communications LLC and its affiliates. While protecting the confidentiality of public data does not require significant controls, some level of control is necessary to prevent unauthorized modification or destruction of public data.
Restricted Data
-
Restricted data represents a highly sensitive category within Tier 1-Confidential data. We define restricted data as “any confidential or personal information that is protected by law or policy and requires the highest level of access control and security protection, whether stored or transmitted.”
-
Restricted data encompasses various types, including but not limited to:
- Personally Identifiable Information (PII)
- Credit card data regulated by the Payment Card Industry (PCI)
- Electronic Protected Health Information (ePHI)
- Information explicitly designated as restricted by contract
- Other information with a high potential for adverse consequences resulting from unauthorized access or disclosure.
Restricted Data - Personally Identifiable Information (PII)
Unencrypted electronic information that combines an individual’s first name or initial and last name with any of the following constitutes personally identifiable information (PII):
- Social security number
- Driver’s license number
- Financial account number, credit card number, or debit card number, when combined with any security code, access code, or password.
Restricted Data - Payment Card Information (PCI)
Credit card account number with any of the following:
- Cardholder name
- Service code
- Expiration date
Data Handling Requirements and Safeguards
For each restricted data classification, the data handling requirements and restrictions are defined to appropriately safeguard the information. All employees must adhere to the following requirements and restrictions regarding the storage and handling of unencrypted restricted data
| Data storage handling | PCI | PII |
|---|---|---|
| Network shared drive | No | Requires Authorization |
| Workstation | No | No |
| Copying/Printing | No | Should only be printed for legitimate need. Limited to employees authorized to access the data and who have signed a confidentiality agreement. Print should not be left unattended on a printer/fax or in a public area. Must be sent via Confidential envelope; data mus be marked ‘Confidential’. |
| Mobile computing devices | No | No |
| Removable media | No | Requires special authorization and should be rare. Requires password protection. |
| Home and travel computer | No | Requires special authorization and should be rare. Requires password protection |
| Email communication | No | No |
| Electronic File Transfer | Requires secure FTP | Requires secure FTP |
| Cloud based commercial server | No | No |
| Personal email | No | No |
| Personally Managed Computer | No | No |
| Personal Smart phone | No | No |
Data Disposal Requirements and Standards
To ensure proper disposal, it is necessary to shred paper documents that contain confidential or private data. Documents awaiting shredding should be stored securely. When electronic data files are no longer needed, they should be promptly deleted and permanently removed from the trash, if applicable. Electronic devices that might have held confidential or private data and are ready for disposal should be drilled or destroyed.
Data Discovery
Conducting data discovery is one of the key elements of a DLP program. Despite implementing various security controls, there is a possibility that confidential data could be at risk. The Netspective Communications LLC depends on powerful discovery tools to perform data discovery and address potential data leaks effectively. Regular data discovery assessments will be conducted to ensure ongoing protection.
Securing Data in Motion
Email serves as a primary means of communication within the Netspective Communications LLC. Although unencrypted restricted data is not allowed in email communications, there may be instances where confidential data is included. In such cases, if a sensitive message necessitates encryption, the Email Encryption feature can automatically quarantine or encrypt the message.
Employee Training and Awareness
To ensure the success of the college’s data loss prevention (DLP) plan, employees play a crucial role. It is essential for every employee to have a clear understanding of their responsibilities in safeguarding college data and to be fully aware of the potential consequences associated with a data breach. The college regularly provides training and reminders to employees regarding data loss prevention through the following methods:
- Broadcasting IT Security email messages
- Conducting employee IT Security training sessions
- Displaying IT Security messages on network time-out screens
- Offering Red Flag Training
These initiatives aim to keep employees informed and educated about data loss prevention measures.
Awareness Training →
Violations
Any individual who possesses knowledge or has reasonable grounds to suspect that another person has violated this procedure should promptly report the matter to their supervisor, department head, or the Chief Information Officer. Once a violation of this procedure has been reported or identified, it will be addressed expeditiously to minimize any harm to the college and its affiliates. Individuals found to have violated this procedure may face disciplinary action, which can range from consequences such as warnings or reprimands to the termination of employment, depending on the seriousness of the violation or data breach.