Top learnings from evaluating and implementing a DLP Solution
1. Escorts IT – DLP Project Review
Executive Summary
2. Escorts – Brief Background
A premier engineering company of India, more than 65 years old.
Escorts has four major divisions & Corporate Office
• Escorts Agri Machinery.
• Escorts Construction Equipment.
• Escorts Railway Product.
• Escorts Automotive Product.
Major products
• Tractors, Implements, Gensets,
• Cranes, Compactors, Backhoe loaders,
• Shockers, Brakes, Auto Components,
• Components for Railways like couplers, shockers etc.
Combined turnover of around Rs.5000 crores.
3. Data Loss Prevention
Three Key Organization Challenges
Where is my confidential data stored?
• Data at Rest
Where is my confidential data going?
• Data in Motion
How do I fix my data loss problems?
• Data Policy Enforcement
4. DLP- Key Expectations
To address the challenges of securing data in use, data in
motion and data at rest.
To protect proprietary and sensitive information against
security threats caused by enhanced employee mobility and
new communication channels.
To proactively prevent the misuse of data at endpoints
(Laptops/Desktops) for unauthorized circulation, both on and
off the Escorts network.
E-Mail access control from devices (without DLP Endpoint)
outside of the Escorts Network.
Protect data at Email gateway in the cloud.
5. Data Loss Prevention - a Priority
Compliance
Secured working environment
IPR & Critical information protection
Brand and Reputation Protection
Remediation Cost
6. Evaluation Process
Salient Features
Involved industry leading DLP vendors
15 days of POC at our site for each solution
Evaluation of DLP against defined requirements
Integration feasibility with IRM
Successful Case studies
Strong Product Roadmap
Cost
7. DLP- SCOPE
Propose to cover the entire user base across all
divisions of Escorts including
All endpoints (desktops & laptops)
Servers
Gateways
Email solution on the cloud
Integration with Active Directory
8. Key Implementation Highlights
Presented the project objectives to GMC (Group Management
Committee), consisting of CEOs, CFOs, Material Heads and R&D
heads of all divisions and chaired by the Managing Director.
Phased the implementation track-wise, across
divisions, covering the most critical departments like R&D
and Materials first.
Created core user groups, across divisions, for each
vertical such that all interrelated core users were part of
one track. E.g. Procurement and R&D core users were part
of one track.
Established a project governance structure to monitor the
project progress.
9. Key Implementation Highlights
Extensive training for core users to equip them to
correctly classify the data generated in their
respective departments.
Training for end users on the project objectives, data
classification and its impact on their work.
Managing the fears and assumptions of users.
Involved the internal auditors in the project from the
very beginning.
10. Data Classification
Data Classification is the heart of the DLP project.
What is Data Classification?
• It is a scheme by which the organization assigns a level of
sensitivity and an owner to each piece of information that it
generates, owns and maintains, e.g. Confidential, Internal, Public
Not all information requires the same protection
Classification helps in establishing the value of information
Also helps in determining the level of protection required and
in selection of appropriate controls
11. Data Classification
Information Owner:
• Individual that has responsibility for making classification
and access control decisions for information
Information Custodian:
• Individual, organizational unit, or entity acting as caretaker
of information on behalf of its owner
Information Security Officer (ISO):
• A designated officer responsible for information security
management
12. Key Learning
Never try to implement DLP as an IT project. It will fail
miserably. Let Business spearhead the project and do most of
the talking.
Availability of a dedicated core team.
Involve all stakeholders from end users to senior leadership
at every stage of the project.
Handle change management issues of people and processes
very intelligently, involving stakeholders, and dispel all wrong
notions and fears of the business community.
Set the right expectations among business teams.