Tuesday, January 01, 2008

Proof of Concept of an ILP solution:

Before embarking on a full-fledged information loss prevention program, you should conduct proof-of-concept testing of the vendors you want to evaluate.

Before you start your proof of concept, you need to gather information from your lines of business on what they consider to be sensitive, as well as information from your legal counsel regarding which regulatory compliance areas you should be concerned about.

With this information, you should do a thorough risk analysis. If you don't have all of the necessary knowledge inside your organization, I would recommend hiring an independent consultant to help you in this phase, as well as in the execution of the proof of concept.

You should also have a good understanding of how you want to run an ongoing ILP process in your organization after you have purchased the solution that best fits your needs.

The way I prefer to start off the process is to assemble both a core team and a virtual team so that you have the resources you need to succeed. The core team typically consists of a PM, an Architect, maybe a developer if needed, and a system administrator.

The plan for implementation begins with a project plan detailing the necessary steps. It should contain the Request for Information (RFI) process, the Request for Proposal (RFP) process, actual testing both in a lab environment and in some select production areas, as well as deployment tasks and hand off to service management.

The inception phase of the project is used to create the business requirement document (BRD) and the project plan.

The planning phase is also the beginning of the POC phase where testing happens in a controlled environment within a lab.

The Development phase is also used for contract negotiations as well as developing any needed processes and code for the DLP solution to work optimally within the organization.

The testing phase is used to test any custom code and any additional deliverables needed from the DLP vendor, and to test the processes established to see if they need any polishing.

The Deployment phase then follows; it should contain alternate plans for deployment in case you face any obstacles.

The final phase is hand off to Service Management. I prefer upfront planning and collaboration with the Service Management team, and having RACI (responsible, accountable, communicate, and inform) all in place along with service management documentation such as Service Level Agreements (SLA), Operational Level Agreements (OLA), and Independent Contracts (IC). This makes the hand off much easier.
