application , business , security

Sample – Data Loss Prevention Proposal (DLP)

April 7, 2013

Introduction

Analysis and Implementation of a selected Data Loss Prevention (DLP) solution. We will assess data management strategy and identify gaps from both a business policy and data loss standpoint. These activities will provide {Client} with a highly effective, streamlined policy management solution for protection of information assets.

Initial Security Enterprise Roadmap

Vendor proposal focuses on data management practices at the subject area, information group and system level. This discovery and analysis will show how information assets are exposed or protected from inherent and external risk. This will provide {Client} with insight into:

  • How Consumer and Employee data originates
  • How applications and user communities access and process Consumer and Employee data
  • What various levels of access and authority are applied within each user community
  • What vendors and third parties have access to {Client} data
  • What policies are in place today with key stakeholders
  • What policies affect key stakeholders as identified by the DLP solution
  • Where the policy gaps are
  • Which new policies and processes are required
  • How to continuously monitor and enforce newly developed policies and processes

This engagement involves utilizing a two phased approached as described below:

  1. Discovery Phase- including Data Loss Prevention Analysis based on results from initial deployment of DLP product, existing policy discovery, and subsequent policy gap analysis
  2. Analysis Phase- including development of policy maps for causal processes, identification of disconnects, and creation of a remediation strategy for the policy gaps identified in the Discovery phase.

Deliverables

The following identifies high-level deliverables to be prepared and presented as part of this engagement:

  1. Existing policy inventory (collection)
  2. Policy-to-issue high-level mapping (organizational level)
  3. Policy gap analysis
  4. Detailed Policy/process-to-gap mapping
  5. Policy/process deficiency inventory
  6. Controls & metrics effectiveness scorecard
  7. Policy & process improvement strategy

Work Plan

The work plan is based on a 5 week engagement. The 5 weeks will be completed within an 8 week calendar window commencing with a mutually agreed upon start date. Each week has specific deliverables associated with it, identified below.

Week

Topic

Deliverable

1-3

Discovery

 Identify/Interview Key StakeholdersIdentify current policies utilized/responsible departments

Identify Data sources (workflows) and User Communities

An overview of current situation and gaps in business policy

Run DLP product, utilize up to 25 product policies optimized, turn on new policies

4

Analysis

 Refine new policies, eliminate false positives (meeting with key stakeholders)

4

Analysis/Implementation

 Define specific notification and escalation processes

5

Analysis/Implementation

 Create reports to key stakeholders; initial policy development to key stakeholders

5

Final Recommendations

Presentation of Summary Findings and Wrap-up

Deliverables

The following identifies high-level deliverables to be prepared and presented as part of the managed services:

  • Generate Log reports based on the DLP periodic reporting services.
  • Escalation of validated critical policy violations.

Client responsibilities

  1. Non-Disclosure agreements between all parties need to be in place.
  2. Provide access to the equipment, facilities, and work-space; confirm that the site is prepared for the assessment. With appropriate {Client} Subject Matter Experts available for resourcing.
  3. Assist in collection and discovery of organizational charts, lines of business descriptions, policies including disaster recovery, business continuity and incident response plans.

Execute a validation of completion upon the conclusion of the identified statement of work.