In my experience, the biggest challenge in data leakage prevention (DLP) projects is the client’s expectation of jumping straight to configuration without understanding the real issues. Often, they simply say, “We must stop emails with confidential data.”
This is where education and a solid plan become crucial. A successful DLP project requires careful planning. At PTS, we use in-house tools to gather the right information and streamline the process.
By Barry Lewington
Key Steps for DLP Implementation:
1. Identify Stakeholders:
DLP is a business-focused project that relies on IT. Data owners (business leaders) are responsible for the data, while IT acts as custodians.
Advice: Ensure your project team includes someone who can bridge the communication gap between business and IT.
2. Clearly Define Objectives:
Develop a clear, concise paragraph outlining the project’s key objectives.
3. Identify Starting Points:
In regulated environments, focus on low-hanging fruit by developing policies around key data types. Leverage pre-defined policies in tools like Microsoft Purview for a quick start.
4. Categorise Sensitive Data:
Once business teams identify sensitive data, categorise it by department.
5. Develop an End-to-End Plan:
This plan should detail how to identify, categorise, protect, and monitor sensitive data. Include a testing process for policies and define how data movements will be tracked.
6. Train End Users:
Turning on sensitivity labelling without proper training can be disruptive. Educate users on how to label files and handle sensitive information.
Advice: In large organisations, appoint departmental champions as super-users to reduce the impact of end-user requests.
7. Prioritise Rollout:
Start with the most critical data (identified with help from audit/compliance teams).
8. Implement Policies Carefully:
Avoid the temptation to rush. Test policies in simulation mode before full rollout. Establish an auditable process for policy changes.
9. Maintain Communication:
Provide ongoing support and tips to end-users. Utilise champions to share advice tailored to their departments.
10. Transition to Business as Usual:
Once the process is smooth, hand over DLP operations to an Information Governance Officer (IGO).
Conclusion:
DLP projects require a methodical approach. Mistakes can severely impact the business, so thorough policy testing is vital. Many projects fail due to lack of skills or understanding of the project scope. Seek professional support if needed to ensure your DLP implementation is a success.