
FEATURE

Data Loss Prevention—Next Steps

Larry G. Wlosinski, CISA, CRISC, CISM, CAP, CBCP, CCSP, CDP, CIPM, CISSP, ITIL V3, PMP
Is a senior consultant at Coalfire with more than 18 years of experience in IT security and privacy. Wlosinski has been a speaker on a variety of IT security and privacy topics at US government and professional conferences and meetings, and he has written numerous articles for magazines and newspapers.

ISACA JOURNAL VOL 1 ©2018 ISACA. All rights reserved. www.isaca.org

Around 2007, it became obvious that the information security defenses that had been implemented by government and businesses to prevent loss were not totally effective. Malware and malicious individuals and organizations were wreaking havoc for many enterprises by capturing their sensitive data. These events became known as data breaches.

To help shore up deficient cyberdefenses, the security industry decided it was time to protect information at the data layer. This effort is now known as data loss prevention or data loss protection, DLP for short. This article is intended to:

• Identify and understand the data and areas of concern, such as ever-growing, persistent threats
• Develop an understanding of DLP, along with the associated threats and risk
• Identify causes of data loss so they can be addressed
• Examine the capabilities of current and future DLP tools and products
• Review DLP best practices to identify missing DLP program components
• Review technology and industry trends to be aware of what is on the horizon
• Provide recommendations and next steps for vendors, companies and other organizations

For this article, DLP encompasses not only information technology, but also other methods to protect data and prevent loss. This expanded definition is required because management and data owners need to understand that IT does not provide all the solutions.

Areas to Protect

From an IT perspective, there are three areas to protect: data at rest, data in motion and data in use. Before determining the steps missing from an enterprise’s DLP program, it is important to know where its data are located. Figure 1 contains examples of locations where data exist, along with an indication of the functional areas in which to implement or enhance applicable security and privacy controls. Items with an asterisk indicate non-cyber/IT locations.

Figure 1—Informational Areas to Protect

Data at rest
Locations:
• Databases
• Local computers
• Controlling access ports (e.g., Universal Serial Bus [USB] drives)
• Intranet/internal websites
• Internal directory shares
• Organizational data and email archives
• Mobile devices (e.g., laptop at home or in car)
• CDs and DVDs*
• Printed/hard-copy reports*
• Fax machines*
• Copiers*
• File cabinets*
Functional areas:
• Physical endpoint security
• Host device encryption
• Mobile device protection (identification and authentication)
• Network/Internet storage
• Physical media (storage, data transfer or archive)
• Disposal and destruction

Data in motion
Locations:
• Email (organization and personal)
• Web/Internet
• File transfers
• Data sharing
• Social media (e.g., Facebook, Twitter, LinkedIn)
• Instant messaging (IM)
• Blogs (Internet and intranet)
• Website postings
• Paper mail with sensitive data (e.g., personally identifiable information [PII], driver’s license/ID, social security number [SSN])*
Functional areas:
• Perimeter security
• Network monitoring
• Internet access control
• Data collection and exchange
• Information messaging
• Remote access—must use virtual private network (VPN)

Data in use
Locations:
• Workstation
• Server
• Mobile device/endpoint
Functional areas:
• Privileged user monitoring
• Access/usage monitoring
• Data anonymization (i.e., use codes as substitutes)
• Use of test data
• Data redaction
• Export/save controls

Threats and Areas of Risk

There are many types of data. Each type has associated security and privacy threats and risk that can have a severe impact on an enterprise if management, employees and supporting contractors are not aware of them. Addressing the threats and risk factors is critical to protecting data. It is important that everyone in the enterprise understands this so that every person can be part of the solution, not the problem.

Figure 2 breaks down threats and risk factors by data type. Examples of each data type show what documents, repositories and media need to be protected.

Figure 2—Data Types at Risk

Intellectual property
Examples: Patent portfolio development and management materials such as:
• Invention disclosures
• Unpublished patent applications
• Invention presentations
• Related communications
• Formulas
Threat(s): Competitors; Foreign governments; Discontent employees
Risk factor(s): Loss of company advantage to competitors; Brand damage

Legal
Examples: Memos, communications, documents, presentations and notes pertaining to:
• Litigation
• Pre-litigation
• Internal investigations
• Corporate governance
• Internal legal presentations
• Contracts
Threat(s): Competitors
Risk factor(s): Litigation; Weak posture in a court of law

Strategic planning
Examples:
• Strategic plans
• Sales plans
• Research for mergers and acquisitions
• Unreleased merger or acquisition information
• Drafts of press releases or other announcements
• Pending patents
• New designs
• Information about purchasing power
Threat(s): Competitors
Risk factor(s): Weaker market position relative to competitors; Erosion of shareholder value

Sales
Examples:
• Price/cost lists
• Target customer lists
• Sales volume and projections
• Revenue potential
• Discount ratios
• Business-to-business orders
• Vendor data
Threat(s): Competitors; Employee discontent
Risk factor(s): Insider trading information; Competing companies going after an enterprise’s market with lower prices; Regulatory fines or sanctions

Customer data
Examples:
• Customer lists
• Customer pricing
• Customer volumes
• Customer sales quotations
• Internal spending habits
• Contact details
• User preferences
• Customer profiles
• Payment statuses
• Contact history
• Account balances
• Purchase or transaction history
• Payment or contract terms
Threat(s): Competitors
Risk factor(s): Loss of customers; Competitors leveraging the information against the enterprise; Significant cost to notify affected parties

Marketing
Examples:
• Marketing and business road maps
• Business plans
• Business forecasts
• Competitive data
• Product designs
Threat(s): Competitors
Risk factor(s): Loss of market share; Competing companies going after an enterprise’s market with lower prices

Operations
Examples:
• Process and procedure advantages
• Productivity and efficiency strategies
Threat(s): Competitors
Risk factor(s): Competitors retooling or changing their processes to be like an enterprise and be more competitive

Finance
Examples:
• Pre-earnings releases
• Bank statements
• Financial statements
• Periodic company performance filings
• Payroll and equity data
Threat(s): Competitors
Risk factor(s): Loss of competitive advantage

Human resources
Examples:
• Recruiting lists
• Organization reporting structure
• Salaries
• Job titles and responsibilities
Threat(s): Competitors
Risk factor(s): Loss of key talent; Internal dissension

Personal
Examples:
• Bank or financial account numbers and statements
• Health records and other personal health information (PHI)
• Credit card numbers
• Vehicle registration numbers
• Associated demographics
• Preferences
Threat(s): Criminals; Criminal organizations
Risk factor(s): Employee and family well-being

PII
Examples:
• Full names
• Birthdays
• Birthplaces
• Biometric data
• Social security numbers (SSNs)
• National identification numbers
• Passport numbers
• Driver’s license numbers
• Passwords
Threat(s): Criminals; Criminal organizations
Risk factor(s): Impersonation; Fraud; Loss of savings; Drop in credit standing

Government/country data
Examples:
• Agency data (e.g., law enforcement and border protection)
• Program design data (e.g., space programs)
• Citizen data (e.g., criminal investigations)
• Cybersecurity program data (e.g., Internet Protocol [IP] addresses, scan results)
• Network infrastructure sector data (e.g., power companies, toxic )
Threat(s): Criminal organizations; Foreign countries; Insiders
Risk factor(s): Increased risk to citizens; Increased risk to the country at large

Information technology
Examples:
• Network diagrams
• Configuration files (networks, systems, applications and databases)
• Wireless access keys
• Encrypted files (e.g., .zip, .pdf, .xls)
• Files with names such as “Passwords”
• Outlook offline files (e.g., PST, MSG)
• Software source code
• Spreadsheets with IP addresses
Threat(s): Hackers; Malware; Discontent among employees
Risk factor(s): Loss of confidentiality; Loss of integrity; Loss of data availability; Damage to company mission and standing

Causes of Data Loss

Another step necessary to protecting data is understanding the reasons for data loss or theft. Figure 3 lists causes of data loss, broken down by potential area of weakness: people, process and technology. This list can also be viewed as a list of organizational vulnerabilities. Enterprises that have not implemented countermeasures to combat these causes and vulnerabilities should do so immediately. Addressing these potential vulnerabilities will help to reduce the level of risk.

DLP Product Capabilities

Enterprises that have not considered obtaining an automated DLP measure for monitoring and protecting their cyberenvironment data need to do so. However, it is important to be aware that vendor offerings and product capabilities vary. Some automated protective measures can be implemented at the network perimeter. Some require new programs to be installed on the computing devices and storage devices. Additionally, not all vendors provide the same product capabilities and features. In some cases, they can be complicated and may require technical staff to implement and maintain them.

Figure 4 lists examples of capabilities that exist in DLP products. To stay a step ahead of malware and malicious individuals, it is critical to watch for and implement DLP product changes and upgrades. Doing so will improve defenses, reduce the likelihood of data breaches and minimize the impact if one does occur.

Best Practices for DLP Planning and Preparation

When preparing to implement a DLP program in an enterprise, the following best practices are critical to success, and following them will reduce the likelihood of a data breach:1, 2, 3, 4, 5

Figure 3—Weaknesses and Causes of Data Loss

Area of weakness: People (insider threat)

Unintentional:
• Lack of awareness, inadequate awareness programs
• Lack of skills and training in technologies, which can lead to unintentional or accidental misuse
• Lack of users’ responsibility and/or accountability for their actions
• Not understanding the risk to the enterprise and one’s job
• Leaving sensitive data on an unattended printer
• Emailing sensitive data without encryption
• Sharing work devices without supervision

Intentional:
• Exposing or stealing data due to discontent
• Exposing or stealing data due to being blackmailed
• Printing and copying sensitive data
• Selling company data/information
• Having one’s own agenda during employment or when leaving the company (e.g., malicious intent, hacking, fraud)
• Breaching trust among developers
• Misusing or sharing passwords
• Using unauthorized programs on corporate computers
• Copying data to a remote personal computer (to support work effort)

Area of weakness: Process

Poor oversight:
• Lacking governance on the use, retention and protection of data (to include government compliance and company policy violations)
• Leaving data unguarded (e.g., in an unsupervised office or area)
• Not assessing how sensitive data are shared with third parties
• Not implementing or enforcing least privilege for system and file access
• Responding insufficiently to physical intrusions or cyberintrusions
• Not conducting information risk assessments to determine the threats and business impacts of data exposure

Negligence:
• Categorizing sensitive data improperly
• Lacking or not properly defining a policy
• Lacking data transmission procedures
• Lacking data usage monitoring
• Transmitting sensitive data unintentionally
• Not closing accounts after their expected use has expired (e.g., service accounts)

Area of weakness: Technology

Unintentional:
• Loss or theft of an employee laptop or mobile device
• Data at rest stored without encryption (e.g., laptop, database, removable media)
• Obtaining or inheriting data from another system
• Having technical controls that do not measure or evaluate the level of attack persistence
• Exploitation of weaknesses in a database development environment
• Having unnecessary services on the computer that can be exploited
• Processing production data in the development environment

Tool limitation:
• Not performing regular software updates and patching (includes not only the operating system, but administrator tools and commercial-off-the-shelf [COTS] software)
• Remote access tools not being flexible enough to support the enterprise, thereby forcing employees to use thumb drives and personal computing devices
• Not using content-aware DLP tools (e.g., email tools that automatically perform data encryption)
• Faults in vendor products (software and/or hardware)

Design or implementation problems:
• Lack of flexibility in remote connectivity
• Lack of secure communication platforms
• Inappropriate access rights to applications with sensitive data
• Lack of secure transmission links between the enterprise and a third party
• Poor system programming and/or design
• Poor policy and/or execution (e.g., overzealous implementations)

Intentional:
• Compromising IT protective measures
• Using digital cameras to capture images of printed or displayed data

Figure 4—Protecting With DLP Products

Data at rest—examples of product capabilities:
• Tag assets based on data classification/sensitivity.
• Scan storage technology (e.g., Windows file servers, Unix file servers, network storage, SharePoint files).
• Provide HTTPS-based services.
• Scan local drives (e.g., desktops, laptops, virtual machines).
• Analyze data in a cloud storage system.
• Perform forensic analysis to track leaked documents.
• Report on sensitive document printing.
• Send alerts to the central management server if there is a policy violation.
• Locate unencrypted sensitive data (e.g., credit or debit card numbers).
• Perform dynamic watermarking of sensitive documents at the time of creation.
• Perform data proximity analysis to prevent the possibility of fraud.
• Implement digital fingerprinting to mark files so they can be tracked.

Data in motion—examples of product capabilities:
• Enforce company DLP policies.
• Detect file movement.
• Block undesired traffic by file type (e.g., computer-aided design/computer-aided manufacturing [CAD/CAM] files).
• Monitor instant messaging (IM) traffic.
• Automatically encrypt network traffic.
• Scan incoming and outgoing file transfers.
• Monitor unsecure communication protocols (e.g., Telnet).
• Monitor HTTP protocol communications and attachments.
• Monitor Secure Sockets Layer (SSL)-based data.
• Scan email (e.g., for PHI, credit and debit card numbers, intellectual property).
• Report on uploads to email and file-sharing services.
• Report on USB and removable storage use (e.g., via real-time alerts or logging).

Data in use—examples of product capabilities:
• Monitor, block and quarantine email (e.g., corporate, smartphones, tablets).
• Monitor web mail (e.g., MSN, Gmail, Hotmail, Opera, Lotus Notes).
• Provide the user with a violation warning (e.g., when copying and pasting sensitive information).
• Scan social media (e.g., Facebook).
• Scan internal blogs.
• Scan files being printed.
• Provide alerts when files are copied to removable media.
• Monitor website posting.
• Watch for files being written to CD/DVD.
• Perform automatic encryption.
• Observe user interaction with data.
• Perform ad hoc user monitoring and searches when needed.
• Watch for cold boot attacks.
• Enforce mobile device controls.
• Display customizable messaging to deter users from stealing data. (The message can be a warning banner, or it can lock the computer if a reply is not received.)
• Support mobile device management (MDM) systems.
• Support identity access management (IAM) systems.
• Analyze behavior (using artificial intelligence to detect data exfiltration).
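The "locate unencrypted sensitive data" and "scan email for card numbers and PHI" capabilities in Figure 4, and the improved recognition algorithms predicted later under DLP Technology, all rest on the same mechanism: find candidate patterns, then validate them so that look-alike numbers do not flood the incident queue. The following is an added example written for this article (it is not code from the article or from any DLP vendor). It scans a constructed text sample for payment card numbers and US SSNs, validates candidates with the Luhn check and the SSA structural rules, masks every hit before reporting, and rolls the result up into a severity label; the sample document, the severity mapping and the function names are assumptions made for the example.

```python
"""Content-aware sensitive-data scan (added example, not from the article or any DLP vendor).

Regex candidates are narrowed by validation (Luhn for payment cards, SSA structure
rules for SSNs) so that order numbers and placeholder SSNs are not reported, and
every hit is masked so the scan report itself does not become a second copy of the data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample standing in for a file found on a share or an outbound email body.
SAMPLE_DOCUMENT = """\
Customer refund batch 17 (internal use only)
Card on file: 4111 1111 1111 1111, exp 09/26
Second card: 4111-1111-1111-1112 (agent typo, fails Luhn)
Order ref: 1234567890123456 (16 digits, but not a card number)
Applicant SSN 219-09-9999; placeholder 000-12-3456 is not a valid SSN
Contact: jane.doe@example.com
"""

# Candidate patterns; both over-match on purpose and are narrowed by validation below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


@dataclass
class Finding:
    kind: str      # "payment_card" or "ssn"
    masked: str    # only the last four digits survive into the report
    line_no: int


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """US SSN structure: area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(digits: str) -> str:
    """Keep only the last four digits for the report."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return validated findings with line numbers, masked for safe reporting."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding("payment_card", mask(digits), line_no))
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if ssn_plausible(area, group, serial):
                findings.append(Finding("ssn", mask(area + group + serial), line_no))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Roll findings up into a severity label (assumed mapping: any regulated identifier is 'high')."""
    counts = {"payment_card": 0, "ssn": 0}
    for f in findings:
        counts[f.kind] += 1
    severity = "high" if (counts["payment_card"] or counts["ssn"]) else "low"
    return {"severity": severity, **counts}


if __name__ == "__main__":
    hits = scan_text(SAMPLE_DOCUMENT)
    for h in hits:
        print(f"line {h.line_no}: {h.kind} {h.masked}")
    print(summarize(hits))
```

Run against the sample, the scan reports one card (line 2) and one SSN (line 5); the mistyped card, the 16-digit order reference and the 000-area SSN are all rejected by validation rather than by a tighter regex, which is what keeps a content-aware scanner usable on real file shares.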

• Management approval—Obtain support from top executives, system owners and stakeholders. This includes identifying and involving representatives from all departments to obtain buy-in.

• Data comprehension—Develop an understanding of the data. To accomplish this:
– Define the enterprise’s critical and sensitive data elements. Definitions should include exposure and condition severity (i.e., low, medium and high).
– Determine the DLP requirements. This includes understanding where the data originate, the value of the data, where they reside, enterprise obligations for protecting the data, who is accessing them and where the data are going. It is important to be aware that there is strict regulatory legislation coming into force in the European Union (EU) (i.e., the General Data Protection Regulation [GDPR]),6 where a breach could result in a large fine (potentially a portion of an enterprise’s annual revenue) and which may affect enterprises outside of the EU. Other countries have also implemented data protection and privacy legislation that readers may need to become familiar with (e.g., Australia’s Data Privacy Laws7 and the United Kingdom’s Data Protection Act8). Additionally, in the United States, the state of California has expanded its privacy laws.9
– Conduct a gap and risk analysis, and then determine the steps necessary to protect the data.
– Design and/or update the enterprise’s security architecture (hardware and software).

• Records management—Identify the data owner or custodian who should be responsible for managing the data throughout their life cycle, which includes data in use, in motion and at rest. Records management not only concerns data, archives and retention, but also data destruction. This best practice is especially important regarding the types of data discussed in figure 2.

• Cost-benefit analysis (CBA)—Perform a cost-benefit analysis of the DLP tools under consideration. This will help to understand the cost of ownership of DLP solutions/tools. The analysis should cover both implementation and operational costs.

• DLP strategy—Define a data protection strategy that can function as a business case. The strategy objectives should cover the following, at a minimum:
– Prevent the intentional or unintentional disclosure of sensitive data at rest, in use and in motion to unauthorized parties.
– Maintain adequate security and simultaneously provide data usability.
– Protect customer data, brand reputation (if applicable) and company secrets.
– Protect PII, intellectual property and other information as described in figure 2.
– Reduce the enterprise’s risk and the cost of compliance. Consider government oversight requirements regarding financial, personal and health data.
– Establish security, privacy and compliance measures.
– Consider having a security partner to protect web and mobile applications from critical data loss.

• Risk assessment—Conduct a risk assessment that involves a cross-departmental team that can create meaningful policies and procedures and effective oversight requirements.

• Policies and processes—Establish DLP egress policies and policy management processes that cover:
– How to securely send sensitive data to third parties
– Whether employees may send sensitive data to their home computers and personal email
– How to handle data that are considered sensitive and that require data protection controls
– A response plan for data leakage events, which includes how to deal with those who break policy

• Awareness and training—Establish the enterprise’s awareness and role-based training program. Areas to cover include:
– Educating business units on business, security and privacy risk
– Educating staff on what is sensitive and the risk associated with breaking the rules/policies
– Explaining to everyone the policies on proper use of email, the Internet and security tools (e.g., file encryption)
– Explaining applicable local, state and federal/country laws
– Training key staff on personal responsibilities and on complying with information security and data protection policies

Best Practices for DLP Implementation

When implementing a DLP program and/or deploying DLP tools, the best practices listed in figure 5 should be used to minimize vulnerabilities. Not implementing these best practices can cause setbacks and problems.

Other DLP Recommendations

Sometimes, organizational program implementation policies display bad security practices and contribute to vulnerabilities that allow for data loss. Figure 6 presents some of those bad practices and recommendations on how to handle them.

Technology and Industry Trends

Information-security-related organizations (e.g., McAfee, Symantec, RSA, Verizon, Ponemon, Fortinet, Gartner) have begun to study malicious cyberactivities, conduct surveys and report trends. Some experts have predicted the future of DLP technology to help professionals address threats.10 It is critical for an enterprise to stay on top of trends and ahead of those who may try to obtain their data. It is always better to be prepared than to react to the consequences of data loss.
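The egress policy items listed under "Policies and processes" above (secure transmission to third parties, whether sensitive data may go to personal email, and a response plan for leakage events) only protect data once they are turned into a decision the mail gateway can make for every message. The following is an added example written for this article, not the article's own or any vendor's code. It evaluates a constructed outbound message against those three policy items using classification tags of the kind Figure 4 describes, and produces an incident record whenever a message is blocked so the response plan has something to act on. The domain lists, classification labels, sample messages and function names are assumptions made for the example.

```python
"""Egress policy evaluation for outbound email (added example, not the article's own).

Rules, from most to least restrictive destination: sensitive content may not go to
personal webmail or unapproved external domains (block + incident record); it may go
to approved partners only with sensitive attachments encrypted; internal-only mail
is allowed. Domain lists and labels are assumptions constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed enterprise configuration (constructed for the example).
INTERNAL_DOMAINS = {"example.com"}
APPROVED_PARTNER_DOMAINS = {"partner.example.org"}
PERSONAL_WEBMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}

# Classification labels from least to most sensitive (tags applied at creation).
LEVELS = ["public", "internal", "confidential", "restricted"]
SENSITIVE = {"confidential", "restricted"}


@dataclass
class Attachment:
    name: str
    classification: str
    encrypted: bool


@dataclass
class OutboundMail:
    sender: str
    recipients: List[str]
    body_classification: str
    attachments: List[Attachment] = field(default_factory=list)


def destination_class(address: str) -> str:
    """Map a recipient address to internal / partner / personal / external."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return "internal"
    if domain in APPROVED_PARTNER_DOMAINS:
        return "partner"
    if domain in PERSONAL_WEBMAIL_DOMAINS:
        return "personal"
    return "external"


def highest_classification(mail: OutboundMail) -> str:
    """The message inherits the most sensitive label of its body or any attachment."""
    labels = [mail.body_classification] + [a.classification for a in mail.attachments]
    return max(labels, key=LEVELS.index)


def evaluate(mail: OutboundMail) -> Dict[str, object]:
    """Apply the egress rules; the most restrictive destination among recipients wins."""
    level = highest_classification(mail)
    destinations = {destination_class(r) for r in mail.recipients}
    decision: Dict[str, object] = {"action": "allow", "classification": level, "incident": None}

    if level not in SENSITIVE:
        return decision  # public/internal content is not subject to egress controls

    if "personal" in destinations or "external" in destinations:
        # Policy: sensitive data may not leave for personal email or unapproved third parties.
        decision["action"] = "block"
        decision["incident"] = {
            "sender": mail.sender,
            "recipients": sorted(r for r in mail.recipients
                                 if destination_class(r) in ("personal", "external")),
            "classification": level,
            "reason": "sensitive data addressed to unapproved destination",
        }
        return decision

    if "partner" in destinations:
        # Approved third parties receive sensitive attachments only in encrypted form.
        clear = [a.name for a in mail.attachments
                 if a.classification in SENSITIVE and not a.encrypted]
        if clear:
            decision["action"] = "encrypt"
            decision["unencrypted_attachments"] = clear
        return decision

    return decision  # internal recipients only


# Constructed sample messages.
MAIL_INTERNAL = OutboundMail("alice@example.com", ["bob@example.com"], "confidential")
MAIL_TO_PARTNER = OutboundMail(
    "alice@example.com", ["legal@partner.example.org"], "internal",
    [Attachment("contract-draft.docx", "confidential", encrypted=False)])
MAIL_TO_PERSONAL = OutboundMail(
    "alice@example.com", ["alice.home@gmail.com", "bob@example.com"], "internal",
    [Attachment("payroll-q3.xlsx", "restricted", encrypted=False)])

if __name__ == "__main__":
    for m in (MAIL_INTERNAL, MAIL_TO_PARTNER, MAIL_TO_PERSONAL):
        print(m.recipients, "->", evaluate(m)["action"])
```

The ordering of the checks is the point: a message with one internal and one personal recipient is judged by the personal recipient, and an attachment's label can raise the classification of an otherwise routine message. The incident record carries the sender and the offending recipients, which is what a response plan needs to follow up with the person who broke policy.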

Figure 5—Best Practices for Addressing Concerns

People
• Do not leave sensitive data unattended.
• Do not permit copying of sensitive data onto removable media.
• Provide view-only access to sensitive information.
• Incorporate data protection clauses in contracts.

Management
• Implement a life cycle to organize data and manage their storage and use.
• Regularly update data risk profiles to be aware of new threats.
• Identify potential places where sensitive information might leak.
• Standardize the endpoints to make deployment more manageable.
• Document DLP incidents.
• Periodically audit the enterprise for compliance.

Deployment
• Deploy DLP in waves for quick wins (e.g., address the highest areas of risk first, implement compliance policies in one phase, install standardized devices).
• Break decision-making and the implementation of solutions into phases.
• Start with a minimal base to handle false positives, help identify the critical or sensitive data, and fine-tune DLP policies.
• Test the implementation in a small, controlled unit before going full scale.
• Implement document-level security (e.g., encrypt data before transport and storage in a cloud).
• Repeat the discovery and fine-tuning process to protect the information, and establish controls that are understood by stakeholders and system users.

IT-restrictive controls
• Do not allow unauthorized devices in the network.
• Block wireless communication.
• Block files containing personal identity information.
• Disable all CD/DVD burners from writing.
• Make all USB removable storage devices read-only, except authorized devices.
• Make authorization and access controls multilayered.
• Perform DLP discovery scanning at a desired frequency (or on demand) to audit and maintain awareness of the security status.

Product selection
• Check the DLP product to see if it supports the enterprise’s data formats.
• Scan data stores for sensitive information and, if necessary, take remedial action.
• Use the DLP tool to automatically find unencrypted sensitive data, encrypt the information, and remove the information or perform another remediation according to the enterprise’s policies.
• Select a product that provides reports on incidents of DLP policy violations.

Figure 6—Recommendations to Address Bad Practices

Bad practice: Implementing data shares (e.g., SharePoint) with no thought for least privilege
Risk/result: Anyone in the organization can obtain the data and use them for their own gains.
Recommendation: Implement least privilege for every data share.

Bad practice: Implementing an internal search engine that crawls the entire company network for data with no restrictions
Risk/result: Everyone in the company can access and distribute the possibly sensitive or private data.
Recommendation: Obtain information about what should or should not appear in the search engine results and apply appropriate filters.

Bad practice: Implementing an email data retention policy that is too short just to manage space and associated costs
Risk/result: Employees and support contractors can lose valuable information about their contacts, supporting documents, deliverables, history, etc. This is an example of internal data loss.
Recommendation: Obtain more storage space. The cloud was designed to scale when needed.

Bad practice: Having an intranet search engine that does not have accurate filtering or presentation limitations
Risk/result: Retrieved results will include anything that has one character in common. Sensitive data and PII may be part of the retrieval.
Recommendation: Put restrictions on the search. If anything can be part of the results, then the user will obtain many irrelevant links and the search will take longer.

Bad practice: Not cleaning up the results of a search engine
Risk/result: The engine will provide a lot of nonapplicable information. Additionally, data storage requirements will continue to grow without end. Aside from polluting the well, search engine performance is affected. In this case, bad data are retained for an unknown period.
Recommendation: Implement a periodic cleanup process so that data management can be employed. This is important because old results will include not only bad, but also corrupted data, which can contribute to application failure.

Bad practice: Not following best practices
Risk/result: The DLP program can fail. Critical data can be lost, resulting in response costs and possibly fines and/or the loss of market position.
Recommendation: Implement DLP best practices as described in this article.

DLP Technology

The following trends in technology can be expected to drive the creation of more and more DLP products:

• Algorithms—Improved algorithms for recognizing sensitive data such as PII, PHI and nonpublic/private data will become more prominent.
• Behavior products—New products will be based on automated human behavior identification and management. Some cybersecurity solutions can find internal organizational threats based on behavioral changes within the network.
• Encryption—Enhanced encryption processes will combine consistently changing algorithms. Multilayer encryption key management technology will be needed to outwit cybercriminals.
• Data manipulation—At-rest and in-motion security issues will be addressed by shredding, randomizing and placing sensitive data in globally diverse storage locations.
• Authentication—Entering a password will no longer be the primary way to access data. Instead, access will involve knowing who someone is when they log in. Multiple layers of authentication will be required.

DLP Industry

Malicious intent and product deficiencies are driving some organizations to implement, obtain and improve their DLP products. Predictions about the DLP industry include:

• Vendor changes—Larger companies will acquire best-in-class cloud DLP companies and integrate the technology into their existing products. Other vendors will expand their own DLP capabilities.
• DLP professionals—There will be an increase in the need for cybersecurity professionals who can implement DLP policies and tools. Medium and small enterprises will be affected the most if they cannot afford full-time DLP professionals.

• DLP as a service—To leverage data protection as a service, IT teams can offload the management aspect to vendors so that they can focus on growing the business rather than managing the storage. Small enterprises will gravitate to these managed services.
• Outsourcing—There will be an increase in the outsourcing of vulnerability and penetration testing to better identify points of weakness in the enterprise architecture and device configurations.
• Awareness—Enterprises will develop awareness and role-based training programs (if they do not already have them in place) that have greater depth and more content to cover DLP concerns.

Conclusion

The next steps to a successful DLP program are the enterprise’s to decide. They include:

• Developing an understanding of what data are sensitive and where to find them
• Being aware of the threats and associated risk of data loss
• Identifying the causes of data loss (i.e., internal vulnerabilities) to implement measures to prevent them
• Understanding DLP product differences and selection criteria to better evaluate vendor tools and techniques
• Determining the best practices to follow when developing and implementing a DLP program
• Understanding areas of bad data-handling practices that are critical to address now
• Determining what and where to implement or improve a program (via technology improvements and changes in activities)
• Identifying information that can be used to develop a data protection awareness training program

As billions of devices are launched into circulation, it will be even easier for those with malicious intent to breach networks. Protecting data-sensitive systems is vital. This article can help enterprises harden their cyber and procedural defenses during preparation, deployment, awareness and training, and planning for the future.

As long as there is human involvement, the areas of concern will continue to evolve. It is essential to maintain vigilance to avoid and eliminate weakness in cyber and work environments.

Endnotes

1 Yamasani, L.; Data Leak Prevention: Best Practices, April 2015, http://m.isaca.org/chapters8/Silicon-Valley/Members/Documents/Monthly%20Meetings/2015%20-%20April%20Meeting%20%20-%20DLP%20-%20Lokesh%20Yamasani.pdf
2 Hall, S.; “Data Loss Prevention (DLP): Keeping Sensitive Data Safe From Leaks,” eSecurity Planet, 10 April 2017, https://www.esecurityplanet.com/network-security/data-loss-prevention-dlp.html
3 Garg, R.; “10 Considerations for Implementing a Data Loss Prevention (DLP) Solution,” Zecurion, 20 January 2017, http://zecurion.com/2017/01/30/10-considerations-for-implementing-a-data-loss-prevention-dlp-solution/
4 Ernst & Young, Data Loss Prevention, October 2011, www.ey.com/Publication/vwLUAssets/EY_Data_Loss_Prevention/$FILE/EY_Data_Loss_Prevention.pdf
5 IDG Enterprise, Five DLP Tips From Security Executives, http://resources.idgenterprise.com/original/AST-0079952_SymantecFINAL.pdf
6 European Commission, “Reform of EU Data Protection Rules,” http://ec.europa.eu/justice/data-protection/reform/index_en.htm
7 Electronic Frontiers Australia, “Data Protection Laws/Privacy Acts,” 21 January 2006, https://www.efa.org.au/Issues/Privacy/privacy.html
8 Legislation.gov.uk, “Data Protection Act 1998,” www.legislation.gov.uk/ukpga/1998/29/contents
9 State of California Department of Justice, “Privacy Enforcement and Protection,” USA, https://oag.ca.gov/privacy
10 Lord, N.; “Experts on the Data Loss Prevention (DLP) Market in 2016 and Beyond,” Digital Guardian, 27 July 2017, https://digitalguardian.com/blog/experts-data-loss-prevention-dlp-market-2016-beyond
