Data Loss Prevention Quick Readiness Checklist: The 77 Questions You Need to ASK To Move Forward | 2019
How far is your company on its Data Loss Prevention journey?
Take this short survey to gauge your business’s progress toward Data Loss Prevention leadership. Learn your strongest and weakest areas, and what you can do now to create a strategy that delivers results.
Below you will find a quick checklist designed to help you think about which Data Loss Prevention related domains to cover and 77 essential critical questions to check off in that domain.
The following domains are covered:
Data Loss Prevention, Antivirus software, Computer and network surveillance, Computer virus, Data retention, Information security, Instant Messaging, Intellectual property, Internet security, Intrusion detection system, Intrusion prevention system, Machine learning, Network security and Trojan horse.
Data Loss Prevention Critical Criteria:
- Does the tool you use allow the ability to search for registered data (e.g., database data) or specific files by name, hash marks, or watermarks, and to detect partial-file-content matches?
- Does the tool you use allow the ability to use Smart number identifiers (e.g., the ability to recognize that 999 99 9999 is not a valid Social Security number)?
- What types of transactional activities and data mining are being used and where do we see the greatest potential benefits?
- How has the economy impacted how we determine ongoing vendor viability?
- How will the setup of endpoints with the DLP manager occur?
- What are all the egress points present in the network?
- Who are the data loss prevention vendors?
- Antivirus software Critical Criteria:
- Computer and network surveillance Critical Criteria:
- Computer virus Critical Criteria:
- Data retention Critical Criteria:
- Information security Critical Criteria:
- Instant Messaging Critical Criteria:
- Intellectual property Critical Criteria:
- Internet security Critical Criteria:
- Intrusion detection system Critical Criteria:
- Intrusion prevention system Critical Criteria:
- Machine learning Critical Criteria:
- Network security Critical Criteria:
- Trojan horse Critical Criteria:
Antivirus software Critical Criteria:
Suppose that the user installed antivirus software and determined that the Trojan horse had included a keystroke logger. How would this affect the handling of an incident?
Is antivirus software on each server, and is it updated on a regular basis?
Computer and network surveillance Critical Criteria:
Impacts: what has been achieved as a result of the outcomes or what contribution is being made to the overall goal?
Are all the data on each of the required variables in a surveillance form collected, registered and compiled?
Policy relevance: Can the indicator provide guidance for critical decisions and policy issues?
Computer virus Critical Criteria:
Assume that the Clark-Wilson model is implemented on a computer system. Could a computer virus that scrambled constrained data items be introduced into the system?
Describe in detail how an executable infecting computer virus might append itself to an executable. What changes must it make to the executable, and why?
What is your plan to maintain monitoring for possible resurgence of the computer virus attack?
Data retention Critical Criteria:
Traditional data protection principles include fair and lawful data processing; data collection for specified, explicit, and legitimate purposes; accurate and kept up-to-date data; data retention for no longer than necessary. Are additional principles and requirements necessary for IoT applications?
Are there any pre-existing data retention business rules available or does customer expect vendor to conduct workshops and define the same?
Is Data Retention Secure?
Information security Critical Criteria:
Make security a data-driven discussion. Regularly feeding the organization appropriate data is a powerful way to drive change. For example, at Cisco, every Friday morning, executives get a voicemail briefing on the last seven days around information security events of any type. Said Stewart, One thing you’ll know about Cisco is were insanely competitive, including inside the company. And as a result of hearing callouts of a senior vice presidents organization having an information security problem, they get really upset to hear their name. And they actually reflect it back into their organization, not at us. Rankings can identify security underachievers, thus motivating employees and executives to become more proactive. As Baker of Adidas noted, It is human nature that people want to stay off those negative lists or avoid the phone calls from security. So how do you get them from just reacting, being very reactionary, to being more of a pro-activist?
Does the information security function actively engage with other critical functions, such as it, Human Resources, legal, and the privacy officer, to develop and enforce compliance with information security and privacy policies and practices?
Are information security roles and responsibilities coordinated and aligned with internal roles and external partners?
Have standards for information security across all entities been established or codified into law?
Does your organization have a chief information security officer (CISO or equivalent title)?
Ensure that the information security procedures support the business requirements?
What is the main driver for information security expenditure?
Is information security managed within the organization?
Instant Messaging Critical Criteria:
Determine whether the testing strategy includes testing the effectiveness of a institutions crisis management process for responding to emergencies. (Does the testing strategy include testing the effectiveness of the institutions: roles and responsibilities of crisis management group members; risk assumptions; crisis management decision process; coordination with business lines, information technology, internal audit, and facilities management; communication with internal and external parties through the use of diverse methods and devices (e.g., calling trees, toll-free telephone numbers, instant messaging, websites); and notification procedures to follow for internal and external contacts?
like email, voicemail and instant messaging. You have to search deep within your IT organization and find the people responsible for these services. As above, interview each one about the type of system or systems (many companies have one email system but several voicemail and IM systems), the physical location of the servers housing these applications and the overall volume of information (hardware and data) they store. Most importantly, ask what the system doesn’t do (e.g., can you save voicemail for more than 10 days?
Do advanced telecommunication network technologies (for example, sms, instant messaging, voip) offer unique opportunities for spam that require unique solutions?
Are you looking for a vendor to provide instant messaging built into the solution so users of the system can instant message each other?
With instant messaging, how can we do integrity check over all bytes sent before displaying?
What are the advantages of instant messaging over e-mail and voice mail for enterprise collaboration?
Do the Guidelines apply to e-mails, video chat, and instant messaging?
Intellectual property Critical Criteria:
What will be the policies for data sharing and public access (including provisions for protection of privacy, confidentiality, security, intellectual property rights and other rights as appropriate)?
During the last 3 years, have you received a complaint or an injunction arising out of intellectual property infringement, content or advertising?
What issues might arise related to copyright or intellectual property rights to the data from each source or outcome data?
Is legal review performed on all intellectual property utilized in the course of your business operations?
Am I concerned about intellectual property protection and legal issues of my application and data?
Are there any data with intellectual property (e.g., patent, copyright) concerns with sharing?
Am I concerned about intellectual property protection and legal issues of my application and data?
How is transfer pricing regulated for intellectual property in the United States?
Who will own any copyright or intellectual property rights to the data?
Internet security Critical Criteria:
Does your company’s internal network have a firewall for Internet security?
Intrusion detection system Critical Criteria:
Can intrusion detection systems be configured to ignore activity that is generated by authorized scanner operation?
Are the latest intrusion detection system (ids) signatures installed on all ids sensors?
What is a limitation of a server-based intrusion detection system (ids)?
Intrusion prevention system Critical Criteria:
Are security alerts from the intrusion detection or intrusion prevention system (ids/ips) continuously monitored, and are the latest ids/ips signatures installed?
Is a intrusion detection or intrusion prevention system used on the network?
What other options can be specified as a source for the Signature File?
What is a DDoS Attack?
Machine learning Critical Criteria:
What are the long-term implications of other disruptive technologies (e.g., machine learning, robotics, data analytics) converging with blockchain development?
Network security Critical Criteria:
Do we make sure to ask about our vendors customer satisfaction rating and references in our particular industry. If the vendor does not know its own rating, it may be a red flag that you’re dealing with a company that does not put Customer Service at the forefront. How would a company know what to improve if it had no idea what areas customers felt were lacking?
Do you maintain strict control over the internal and external distribution of any paper or electronic media containing cardholder data?
Are all associated third parties with access to cardholder data contractually required to adhere to CISP data security requirements?
Are the disaster recovery plan (DRP) and the business contingency plan (BCP) tested annually?
If the firewall is breached, what kind of damage could be done to private net?
How inconvenient is the firewall to the users?
How are protocols other than TCP, UDP handled?
Trojan horse Critical Criteria:
Several of the users in your organization have used Internet Explorer to access Internet sites that download Trojan horses to their computers. Which of the following is the best measure you can take to prevent the users from accessing these and other known hazardous sites?
Consider now the inheritance properties of new processes. If the creator controls which capabilities the created process is given initially, how could the creator limit the damage that a Trojan horse could do?
Suppose that the user installed antivirus software and determined that the Trojan horse had included a keystroke logger. How would this affect the handling of the incident?
In general, do capabilities offer more or less protection against Trojan horses than do access control lists?
What countermeasures are recommended for trojan horse and backdoor attacks?
Can capabilities protect against all Trojan horses?
This quick readiness checklist is a selected resource to help you move forward. Learn more about how to achieve comprehensive insights with the Data Loss Prevention Self Assessment:
CEO at The Art of Service
Gerard is the CEO at The Art of Service. He has been providing information technology insights, talks, tools and products to organizations in a wide range of industries for over 25 years. Gerard is a widely recognized and respected information expert. Gerard founded The Art of Service consulting business in 2000. Gerard has authored numerous published books to date.