Wednesday, January 02, 2008

Necessary additions for an enterprise running a DLP solution:

It is my belief that in order to run a successful DLP solution in your enterprise, you need to address remediation of any incidents that you find. The success of your implementation does not rely solely on how effective the solution is at finding incidents. It also relies on how well you can use the toolset to remediate these incidents.

I feel that most of the solutions available in the marketplace lack one significant item, which is permanent classification of the information found. If you don't classify the sensitive information in a manner visible to the end user, you will end up with a whack-a-mole game and less than optimal risk reduction. Please read the previous post about why classification matters.

Furthermore, I believe it is important to tie your DLP incident management into the incident management processes already in place in the organization. That allows complete tracking and reporting on all your incidents, whether they stem from a DLP alert or a missing patch on a critical server. It also allows you to measure the effectiveness of your service and whether you are meeting your SLAs.

Maintaining strong metrics is an integral part of Service Management, and helps strengthen your ability to prove compliance with regulatory and other requirements. It should also reduce the cost of your audits.

Since most of the vendors are still venture capital (VC) funded, they are not able to meet all the requirements of an enterprise. Some of the vendors have now been purchased by larger companies, most notably Vontu, purchased by Symantec, and Tablus, purchased by RSA/EMC. Even when a vendor has been acquired by a larger player, it takes time to integrate their solutions, so for a while I believe it is important to spend some development resources to build a comprehensive solution that serves the enterprise's needs.

To be successful, Information Loss Prevention should be part of your overall compliance strategy and overall compliance service. This in turn should be part of your overall Governance, Risk and Compliance (GRC) strategy.
