Auditing Data Loss Prevention (DLP) Programs
September 2014
www.pwc.com
Agenda
1. What is Data Loss Prevention (DLP)?
2. Auditing a DLP Program
3. Key Audit Findings
What is Data Loss Prevention (DLP)?
Data Loss Prevention (DLP) is a capability consisting of people, process, and technology solutions which enable companies to better manage sensitive data within their environment.
Data-centric controls, focusing on how data is used across the business and end-user processes, reduce risk by providing an enhanced understanding of the client's sensitive data landscape and tools to manage that landscape.
Sensitive data loss can be mitigated by using DLP tools designed to detect data at rest, data in motion, and data in use.
Data Loss Prevention is more than just a technology; DLP consists of processes and controls designed to minimize sensitive data loss.
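As an added worked example (not from the PwC deck and not any vendor's code), here is a minimal data-at-rest detection policy of the kind the tools above implement: a regular expression raises candidate card numbers, a Luhn check rejects look-alikes that would otherwise be false positives, and the resulting incident stores only masked evidence because the incident store is itself sensitive data. The file names, file contents, the policy name "PCI-PAN" and the severity thresholds are constructed for the example.

```python
import re

# Constructed sample corpus standing in for files found by a data-at-rest scan.
# Nothing here is real customer data; the card-like numbers are industry test
# numbers (4111..., 5500...) or deliberately broken variants of them.
SAMPLE_FILES = {
    "finance/refunds_q3.csv": (
        "cust,pan,amount\n"
        "1001,4111111111111111,19.99\n"
        "1002,5500 0000 0000 0004,5.00\n"
    ),
    "it/asset_inventory.txt": "serial 4111111111111112 rack 7; ticket 1234567812345678\n",
    "hr/memo.txt": "No card data here, just an extension, 555-0100.\n",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens, not glued
# to other digits. On its own this is the naive rule that over-triggers.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; rejects numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Incidents are themselves sensitive data: keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_text(text: str) -> dict:
    """Run the PAN policy over one file's content.

    Returns how many candidates the regex raised and which survived Luhn
    validation (masked), so rejected look-alikes can be counted, not just hidden.
    """
    candidates = [re.sub(r"[ -]", "", m.group()) for m in PAN_CANDIDATE.finditer(text)]
    valid = [c for c in candidates if luhn_ok(c)]
    return {
        "candidates": len(candidates),
        "rejected": len(candidates) - len(valid),
        "matches": [mask(c) for c in valid],
    }


def evaluate(files: dict, threshold: int = 1) -> list:
    """Apply the policy to every file; emit one incident per file at or above threshold."""
    incidents = []
    for path, text in files.items():
        result = scan_text(text)
        if len(result["matches"]) >= threshold:
            incidents.append({
                "file": path,
                "policy": "PCI-PAN",  # hypothetical policy name for the example
                "vector": "at_rest",
                "severity": "High" if len(result["matches"]) >= 2 else "Medium",
                "match_count": len(result["matches"]),
                "evidence": result["matches"],
            })
    return incidents


if __name__ == "__main__":
    for path, text in SAMPLE_FILES.items():
        print(path, scan_text(text))
    print(evaluate(SAMPLE_FILES))
```

Running it shows the asset inventory file raising two regex candidates and zero incidents, while the refunds export produces a single High incident with masked evidence; that "rejected" count is the raw material for the false-positive metrics discussed later in the deck.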
DLP applied throughout the Data Lifecycle
1. Create: Data is created by people, processes, and technologies.
2. Store: Data residing in data repositories and files throughout the corporate environment:
   - File servers
   - Databases
   - Mail files
   - Document Management Systems
3. Use: Data used at the endpoints:
   - Files saved to the local hard drive on devices (e.g., laptops, desktops, or mobile devices)
   - Files copied to removable media
   - Copy/paste, hard-copy printing, screenshots
   - Email, web and application communications to tablet or mobile devices
4. Share: Data traversing the corporate network:
   - Email and personal webmail
   - Social media
   - Manual or automated file transfers
   - Network monitoring
   - Network filtering
5. Archive:
   - Data management
   - Periodic backups
6. Destroy:
   - Physical data destruction
   - Secure wipe of data
DLP applied throughout the Data Lifecycle
Asset Classification helps to preemptively identify new sources of sensitive data at every stage of the lifecycle (Create, Store, Use, Share, Archive, Destroy).
High-Level DLP Architecture
[Architecture diagram; the components shown are:]
- Enforce (Management) server, backed by an Oracle Database
- Network Monitor, receiving traffic from the network switch
- Network Prevent for Web, in line with the web proxy
- Network Prevent for Email, in line with the MTA
- Network Discover, scanning file systems and databases (data at rest)
- Endpoint Prevent, deployed on endpoints (data in use)
- Perimeter firewall
Auditing DLP
Category: Description (each category below is assessed from a Security Operations perspective)
- Confidentiality: Preventing unauthorized people from accessing information while ensuring authorized people can access information
- Integrity: Maintaining and assuring the accuracy and consistency of data over its life-cycle
- Availability: Responding to outages and other events to maximize uptime and access to data
- Operational Processes & Procedures: Defining and deploying processes necessary to maintain the environment in an operational state
- Governance & Staffing: Providing an authoritative and effective reporting structure and ensuring adequate resources to staff the program
- Architecture/Implementation: Designing and implementing the solution in a secure way which allows for measurable objectives to be completed
Auditing DLP: Confidentiality
Network: DLP systems which contain sensitive data are segmented from the rest of the corporate network. Perimeter firewalls are configured to allow only necessary and secure protocols.
System: DLP systems are appropriately locked down; they only contain applications and services which have been approved and are in line with corporate security standards. DLP systems have preventative and detective security measures in place, such as anti-virus software, to prevent compromise of the system.
Application: The DLP application is regularly updated to contain the latest security patches and functionality. The application is configured with its supported security controls enabled, such as HTTPS and restricted access to the administrative panel.
Roles: Distinct roles are configured and deployed which enforce least privilege and separation of duties principles. The built-in Administrator account is disabled; users who require administrator access are given specific, individually assigned privileges so that user actions can be accurately audited.
The implementation and operation of a DLP Program should not introduce additional risk into the environment. The DLP tool contains sensitive data (the matched content and the incident records built from it) and must be secured appropriately.
Auditing DLP: Integrity
DLP backend environments are typically designed to prevent unauthorized data changes by end users through the use of default attributes and custom attributes.
Default attributes consist of detailed information collected from the event itself (e.g. the data matching a policy, and user information such as the AD ID and/or IP address).
Custom attributes are additional details captured for an identified event (e.g. attributes which can be pulled from Active Directory or an HRIS); the DLP solution relies on such systems being complete and accurate, as this is the information put into events.
DLP data integrity issues primarily concern reporting. When auditing the integrity of reports, important questions include:
- Where is this report pulling incident details from (e.g. the DLP database, a data warehouse, etc.)?
- Is this report pulling in events from all vectors (in motion, in use, at rest)?
- Is the report pulling in all events? How were the filters/sorts configured? To test this, independently recompute the total incident counts for the period by vector, by policy and by severity, and compare them against the reports in question.
- Who has access to create, modify, and view these reports?
- What controls are in place to prevent events from being archived or purged from the database (role-based access)?
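Added example, not part of the original deck: the reconciliation the questions above describe, implemented as an independent recount from incident records against the figures in a management report. The incident rows, the vector/policy/severity names and the report totals are constructed; the report deliberately omits the at-rest vector, which is the kind of saved-filter error the check should surface.

```python
from collections import Counter

# Constructed incident rows as they would sit in the DLP incident database (not real data).
DB_INCIDENTS = [
    {"id": 1, "vector": "in_motion", "policy": "PCI-PAN", "severity": "High"},
    {"id": 2, "vector": "in_motion", "policy": "PII-SSN", "severity": "Medium"},
    {"id": 3, "vector": "in_use",    "policy": "PCI-PAN", "severity": "High"},
    {"id": 4, "vector": "at_rest",   "policy": "PCI-PAN", "severity": "High"},
    {"id": 5, "vector": "at_rest",   "policy": "PII-SSN", "severity": "Low"},
    {"id": 6, "vector": "in_use",    "policy": "PII-SSN", "severity": "Low"},
]

# Constructed figures from the report presented to the Data Governance Committee.
# It was built from a saved filter that silently dropped the at-rest vector.
REPORT = {
    "total": 4,
    "by_vector": {"in_motion": 2, "in_use": 2},
    "by_policy": {"PCI-PAN": 2, "PII-SSN": 2},
    "by_severity": {"High": 2, "Medium": 1, "Low": 1},
}

DIMENSIONS = ("by_vector", "by_policy", "by_severity")


def expected_counts(incidents):
    """Recompute the period totals directly from the incident records."""
    return {
        "total": len(incidents),
        "by_vector": dict(Counter(i["vector"] for i in incidents)),
        "by_policy": dict(Counter(i["policy"] for i in incidents)),
        "by_severity": dict(Counter(i["severity"] for i in incidents)),
    }


def reconcile(incidents, report):
    """Compare the independent recount with the report.

    Returns a list of (dimension, key, expected, reported) tuples, one per
    discrepancy; an empty list means the report agrees with the database.
    """
    expected = expected_counts(incidents)
    findings = []
    if expected["total"] != report.get("total"):
        findings.append(("total", None, expected["total"], report.get("total")))
    for dim in DIMENSIONS:
        reported = report.get(dim, {})
        for key in sorted(set(expected[dim]) | set(reported)):
            e, r = expected[dim].get(key, 0), reported.get(key, 0)
            if e != r:
                findings.append((dim, key, e, r))
    return findings


def missing_vectors(incidents, report):
    """Vectors present in the database but absent from the report entirely."""
    return {i["vector"] for i in incidents} - set(report.get("by_vector", {}))


if __name__ == "__main__":
    for finding in reconcile(DB_INCIDENTS, REPORT):
        print(finding)
    print("vectors missing from report:", missing_vectors(DB_INCIDENTS, REPORT))
```

The recount must come from a query the auditor controls (against the database or warehouse the report claims to read), not from another saved report; otherwise the same filter error is simply reproduced on both sides of the comparison.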
Auditing DLP: Availability
Lack of availability can include a loss of functionality for both the DLP solution itself and the systems it integrates with, where that loss is due specifically to the implementation and operation of the DLP solution. When a DLP solution is offline, the organization is exposed to the data loss risk the solution was deployed to control.
Impact: In the event of a catastrophic failure, the DLP database and server can be restored to an operational state within an acceptable timeframe.
Control: The DLP database and servers are regularly backed up and stored in a safe location.

Impact: If a data-in-motion DLP server is taken offline, the failover component can continue to operate. If the failover component fails as well, mail traffic and/or web traffic will continue to flow.
Control: In-line data-in-motion servers have failover components; in the event of a catastrophic failure, data-in-motion servers are designed to fail open. Because fail-open means traffic passes uninspected for the duration of the outage, the auditor should also confirm that such outages are alerted on and logged, so the exposure window can be quantified.

Impact: Change management processes ensure that any necessary changes can be quickly backed out in the event of an issue. This allows both DLP systems and associated Internet traffic to continue to operate.
Control: A change management process is in place to appropriately manage changes to the DLP solution and/or integrated systems.

Impact: In the event of an issue which requires troubleshooting, resources can reliably execute troubleshooting processes to minimize service interruption.
Control: Troubleshooting activities are well supported with sufficient staff and clearly defined processes/escalation paths.
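Added example (not the deck's own material, and not any vendor's code): a small model of an in-line data-in-motion filter with a primary and a failover inspection server, showing what fail-open and fail-closed mean in code and why every bypass must be recorded. The engine names, the marker-based stand-in policy and the message are constructed for the example.

```python
class EngineUnavailable(Exception):
    """Raised when an inspection server cannot be reached (simulated here)."""


class InspectionEngine:
    """Stand-in for one in-line inspection server (hypothetical, for the example).

    A real server applies the full detection policy; this one blocks a message
    when its body contains any of the configured marker strings.
    """

    def __init__(self, name, markers=("CONFIDENTIAL",), healthy=True):
        self.name = name
        self.markers = markers
        self.healthy = healthy

    def inspect(self, message):
        if not self.healthy:
            raise EngineUnavailable(self.name)
        return "block" if any(m in message["body"] for m in self.markers) else "allow"


class InlineFilter:
    """Routes each message through the primary engine, then the failover.

    When neither answers, the configured failure mode decides the verdict and,
    for fail-open, the bypass is recorded so the uninspected window is measurable.
    """

    def __init__(self, engines, fail_mode="open"):
        self.engines = list(engines)
        self.fail_mode = fail_mode
        self.bypass_log = []  # one entry per message that left uninspected

    def decide(self, message):
        """Return (verdict, decided_by) for one message."""
        unavailable = []
        for engine in self.engines:
            try:
                return engine.inspect(message), engine.name
            except EngineUnavailable:
                unavailable.append(engine.name)
        if self.fail_mode == "open":
            self.bypass_log.append({"msg_id": message["id"], "engines_down": unavailable})
            return "allow", "fail-open"
        return "block", "fail-closed"


def run_scenario(primary_up, failover_up, fail_mode="open"):
    """Send one sensitive message through a filter whose engines are in the
    given health state; returns (verdict, decided_by, number_of_bypasses)."""
    flt = InlineFilter(
        [InspectionEngine("primary", healthy=primary_up),
         InspectionEngine("failover", healthy=failover_up)],
        fail_mode=fail_mode,
    )
    msg = {"id": "m-1", "body": "CONFIDENTIAL: Q3 customer list attached"}  # constructed
    verdict, decided_by = flt.decide(msg)
    return verdict, decided_by, len(flt.bypass_log)


if __name__ == "__main__":
    for state in [(True, True), (False, True), (False, False)]:
        print(state, run_scenario(*state))
    print("fail-closed:", run_scenario(False, False, fail_mode="closed"))
```

The four scenarios make the audit question concrete: with both engines down a fail-open filter delivers the sensitive message, and the only evidence that it did is the bypass log, so an availability control that says "fails open" without an accompanying alert or record leaves the exposure unmeasurable.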
Auditing DLP: Operational Processes
An effective DLP Program should have operational processes defined and actively executed to ensure the return on investment.
Processes should aim to achieve the following goals:
- Measurable risk reduction
- Efficient and effective event processing
- Maximum uptime
- Minimum business impact
The core operational processes are:
- Event Processing & Escalation
- Event Owner Identification & Remediation
- Solution Maintenance
- Governance & Management Reporting
- Detection Policy Management & Optimization
- Issue Resolution
Auditing DLP: Governance & Staffing
A governance structure complete with adequate staffing is necessary for a DLP Program to function, both in terms of return on investment and measurable risk reduction.
DLP is more than just a technology tool; it is a program that must be regularly operated in order to derive the expected value which justified the investment.
- Is a Data Governance Committee in place to make key decisions related to identified security incidents?
- Are metrics routinely presented to the Data Governance Committee to report results and address potential issues?
- Are there designated resources for both the technical operation of the DLP solution and the investigation, risk identification, and remediation activities?
- Is there a designated Data Protection Manager responsible for the key outputs and continued operation of the DLP solution?
- Are third parties used to operate the solution? If so, are background checks required for third parties accessing sensitive data?
- Have third-party risk assessments been performed for DLP vendors?
- Are third parties meeting their contractual obligations?
Auditing DLP: Architecture/Implementation
The DLP Program's impact should be measurable.
The effectiveness of the DLP Program, including quantifiable risk reduction, should be regularly communicated to the Data Governance Committee.
Common metrics to measure effectiveness and risk reduction, grouped under Return on Investment (ROI), include:
Impact:
- Number of incidents remediated
- Rate of recurring incidents per data owner
- Number of systems which contain sensitive data
- Amount of unencrypted sensitive network traffic
Scope & Architecture:
- Number and type of systems in scope
- DLP vectors (at rest, in motion, in use) deployed
- How third parties access the environment
- Effectiveness of the architecture deployment
- Number of high-priority use cases in production
- Percentage of company assets covered
Efficiency:
- Number of false positives detected
- Number of false positives reviewed
- Number of data owners identified
Effectiveness:
- Number of DLP systems operational
- Average downtime
- Number of business processes analyzed
- Number of true incidents generated
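Added example, not from the original deck: computing a subset of the metrics above (false-positive rate, true incidents, incidents remediated, mean days to remediate, recurring incidents per data owner, and events still open beyond a service level) from constructed incident records. The field names, the ten-day service level and the as-of date are assumptions made for the example; a real program would pull the same fields from the incident database.

```python
from collections import Counter
from datetime import datetime

# Constructed incident records for one reporting period (not real data).
# disposition: outcome of analyst review; status: where remediation stands.
INCIDENTS = [
    {"id": 1, "owner": "finance", "disposition": "true_positive",  "status": "remediated", "opened": "2014-08-01", "closed": "2014-08-03"},
    {"id": 2, "owner": "finance", "disposition": "true_positive",  "status": "remediated", "opened": "2014-08-05", "closed": "2014-08-20"},
    {"id": 3, "owner": "hr",      "disposition": "false_positive", "status": "closed",     "opened": "2014-08-06", "closed": "2014-08-06"},
    {"id": 4, "owner": "hr",      "disposition": "true_positive",  "status": "open",       "opened": "2014-08-10", "closed": None},
    {"id": 5, "owner": "it",      "disposition": "false_positive", "status": "closed",     "opened": "2014-08-12", "closed": "2014-08-13"},
    {"id": 6, "owner": "finance", "disposition": "true_positive",  "status": "open",       "opened": "2014-08-28", "closed": None},
    {"id": 7, "owner": "it",      "disposition": "unreviewed",     "status": "open",       "opened": "2014-08-29", "closed": None},
]


def _days(start, end):
    """Whole days between two YYYY-MM-DD strings."""
    return (datetime.strptime(end, "%Y-%m-%d") - datetime.strptime(start, "%Y-%m-%d")).days


def period_metrics(incidents, as_of, sla_days=10):
    """Metrics for one reporting period as of the given date.

    Unreviewed events are excluded from the false-positive rate, because the
    rate only means something for events an analyst has actually dispositioned.
    """
    reviewed = [i for i in incidents if i["disposition"] != "unreviewed"]
    false_pos = [i for i in reviewed if i["disposition"] == "false_positive"]
    true_inc = [i for i in reviewed if i["disposition"] == "true_positive"]
    remediated = [i for i in true_inc if i["status"] == "remediated"]
    per_owner = Counter(i["owner"] for i in true_inc)
    overdue = [i["id"] for i in incidents
               if i["closed"] is None and _days(i["opened"], as_of) > sla_days]
    return {
        "events_generated": len(incidents),
        "events_reviewed": len(reviewed),
        "false_positives": len(false_pos),
        "false_positive_rate": round(len(false_pos) / len(reviewed), 2) if reviewed else None,
        "true_incidents": len(true_inc),
        "incidents_remediated": len(remediated),
        "mean_days_to_remediate": (sum(_days(i["opened"], i["closed"]) for i in remediated)
                                   / len(remediated)) if remediated else None,
        "recurring_owners": sorted(o for o, n in per_owner.items() if n > 1),
        "overdue_open": overdue,
    }


if __name__ == "__main__":
    for name, value in period_metrics(INCIDENTS, "2014-08-31").items():
        print(f"{name}: {value}")
```

The "overdue_open" list is what turns the finding "DLP Events are not processed in a timely manner" into a number the Data Governance Committee can track from period to period, and "recurring_owners" points remediation at the data owners generating repeat incidents rather than at individual events.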
Auditing DLP: Typical Key Findings Observed
Confidentiality
- The DLP environment is not segmented from the corporate network.
- The DLP systems are running insecure services.
Integrity
- Permissions do not prevent unauthorized users from generating reports.
- Report data only includes a subset of total events.
Availability
- There is no change management process, or DLP does not follow the change management process.
- The DLP database/servers are not regularly backed up.
Operational Processes
- Operational processes are not clearly defined/documented.
- Processes for the sustainable identification and remediation of DLP Events are not deployed.
Governance & Staffing
- The DLP Program does not report to a Data Governance Committee.
- The DLP Program is not adequately staffed.
Architecture & Implementation
- Metrics are not being routinely generated and presented to the Data Governance Committee.
- DLP Events are not processed in a timely manner.
2014 PricewaterhouseCoopers LLP (US). All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity.