Sunday, March 02, 2008

Selection Criteria for an ILP solution

Here are the high-level criteria I would use for selecting a DLP solution:

· Accuracy (I would be willing to trade speed for accuracy if needed)
· Speed (can all high-risk areas be scanned efficiently without a high bandwidth cost?)
· Scalability (can all high-risk areas be scanned efficiently?)
· Remediation capabilities (if a scanning solution is deployed without proper remediation, it leaves the organization at much higher risk than before scanning)
· Upfront cost of the application
· Upfront cost of the services needed to deploy the application
· Cost of ownership
  o How much headcount is needed to manage incidents and systems?
  o What is the annual support cost?
  o What is the total lifetime cost of the application (3 years)?
· Risk reduction provided by the application
  o How is it measured?
  o Will the result set stand up in court (can I prove due diligence when using these tools)?
  o Can new regulatory requirements or new corporate policy be set up within a standard framework?
  o Does the reporting meet the following needs?
    § Overall risk reduction
    § Specific risk reduction for business unit/regulatory compliance/regional compliance
    § Can ROI be demonstrated?
    § Are executive reports easy to understand?
    § Can executive reports be rolled into a CIO scorecard?
    § Do the reports for the operations team allow for improving the efficiency of the team and rules (this drives TCO)?
