Organizations take pains to protect against cyber attacks and data theft. And data loss isn't just an external problem. Employees and other internal end users can leak vital data, expose important business strategies and compromise company secrets through something as simple as a carelessly worded email or a confidential attachment.
Tactic #1: Use the right DLP template for the data being protected
The foundation of a successful DLP deployment involves the creation of detailed DLP policies -- sets of rules that define the types of information deemed sensitive, confidential or otherwise protected. Creating such rules from scratch can be a time-consuming and error-prone exercise, sometimes leaving the organization open to regulatory violations if the policy is not fully tested. IT professionals can usually jump-start Exchange 2013 DLP policy efforts by using pre-defined templates designed to cover a number of common regulatory needs.
Default templates included with Exchange Server 2013 deal with financial data, such as credit or debit card numbers and SWIFT codes, and healthcare data, such as patient file numbers. Templates to deal with an assortment of other personally identifiable information such as driver's licenses, passports and social security numbers are also included. The templates also support compliance legislation in a number of countries, including the United States, Canada, Japan, Saudi Arabia and France.
It's important to pick the right template for the job and use multiple templates when the organization is subject to multiple governmental or industry regulations. For example, a publicly traded company providing retail sales in the U.S. might implement templates for Federal Trade Commission Consumer Rules, the Gramm-Leach-Bliley Act, PCI Data Security Standard and the Patriot Act. If that business provided healthcare services, it would also invoke a template for the Health Insurance Portability and Accountability Act.
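The retail scenario above, sketched for the Exchange Management Shell as an added example (not code from the original article). The keyword list and the choice to name each policy after its template are assumptions; `-Mode Audit` records matches without blocking or notifying users, so a policy can be tested before it is enforced.

```powershell
# Added example: run in the Exchange Management Shell on Exchange Server 2013.
# Each keyword stands for one regulation named in the article's retail example.
# The keywords are assumptions; they are matched against the installed
# template names instead of hard-coding full template names.
$keywords = 'FTC', 'GLBA', 'PCI', 'Patriot'   # add 'HIPAA' for healthcare services

$installed = Get-DlpPolicyTemplate            # templates available on this server
$existing  = Get-DlpPolicy                    # policies already created

foreach ($keyword in $keywords) {
    # Require exactly one match so an ambiguous keyword never picks a template silently.
    $found = @($installed | Where-Object { $_.Name -like "*$keyword*" })
    if ($found.Count -ne 1) {
        Write-Warning "'$keyword' matched $($found.Count) templates; pick one by hand."
        continue
    }

    # Assumption: the policy is named after its template.
    $policyName = $found[0].Name
    if ($existing | Where-Object { $_.Name -eq $policyName }) {
        Write-Host "Policy '$policyName' already exists; skipping."
        continue
    }

    # Audit mode: rule matches are logged, mail flow is not changed.
    New-DlpPolicy -Name $policyName -Template $found[0].Name -Mode Audit -State Enabled
}

# Review the result: every new policy should report Mode = Audit.
Get-DlpPolicy | Format-Table Name, Mode, State -AutoSize
```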
Microsoft is not the only source of templates for DLP policies. You can create your own templates, and third-party security providers such as Nucleuz Inc. may provide similar policy templates. Regardless of where the templates come from, picking the right one is only a starting point. Many organizations choose to adapt and refine templates to fit specific business needs. You may also need to replace or update templates as new regulations appear or as existing regulations change.
A company using sensitive product codes and confidential project terms, for example, might tailor a template to incorporate those designations and ensure the content isn't included in email. Once a template is created or adapted, it can also be changed as often as necessary to meet changing confidentiality needs. For some organizations, this means quarterly, monthly or even more frequent updates.
This is part one in a series about DLP policies in Exchange Server 2013 SP1. Stay tuned for part two to learn how transport rules fit in.