Does a DPO need an Incident Response Management System?
Your DLP Implementation is Incomplete without “Proper” Incident Remediation: Authored by Arvind Mehrotra and Krishna Kumar Bhardwaj
Vidyatech, which I have recently joined as a Cybersecurity Advisor, has made a foray into Incident Remediation Automation. COVID-19 and its impact on cybersecurity have further piqued my co-author Krishna’s (also called KK) curiosity about cybersecurity solutions in general and Data Loss Prevention (DLP) in particular. That prompted us to co-author our first post on the subject 😊. DLP tools detect and block the unauthorized movement of sensitive data, which is critical in today’s times. If sensitive data such as personally identifiable information (PII) is lost or transferred to unauthorized parties, it can cost an organization immensely. Then there is the matter of demonstrating compliance with statutory regulations such as Europe’s General Data Protection Regulation (GDPR). Working from home poses new threats and risks; sometimes even traditional security processes are skipped because resources are short and security and infrastructure professionals are overworked.
With that preamble, let’s get to the nub of the issue. Clean handoffs, triage, and timely response to alerts are critical to closing incidents properly. Every alert, including false positives, must be identified and dispositioned appropriately, and those dispositions must feed back into refining the DLP policies and the rules used to classify incidents. Let us see why.
The first step in any DLP program is to identify which data is sensitive and who is entitled to access it; only then can the tool detect an incident. Those are questions the business must answer, correct? Yet once the implementation is over, the program is typically left to the CISO’s team, who can only react to the IT infrastructure or application teams. Clear, contextualized, and centralized communication with stakeholders in the various business departments is often missing, and the root cause is the absence of a workflow that brings the business into managing the incidents.
Furthermore, a shortage of professionals skilled in the DLP solution specifically, and in cybersecurity generally, causes DLP incidents to fall through the cracks or take too long to resolve. When that happens, people find a way around the blocking controls, and the program fails. DLP strategies developed independently of business initiatives fail to identify sensitive data correctly, exposing the organization to excessive risk of data loss and non-compliance. The result is an inconsistent DLP implementation: a systemic flood of alerts, recurrent violations and repeat offenders.
Failure to do “proper” DLP incident remediation can disrupt business processes, belie the expectations of internal and external stakeholders, and leave collaboration with the internal owners of data and risk inconsistent. A single unremediated DLP incident can disrupt one or more business processes and cause heartburn both inside and outside the company; it may in fact be an unresolved data breach. And without discipline around collaboration with the internal data and risk owners, they may not view a DLP incident with the seriousness it deserves.
Therefore, DLP Incident Remediation (IR) should be an enterprise-wide activity, not just the security team’s burden. The same is true of almost all cybersecurity issues. The business functions (HR, Legal, Finance and others) must be actively involved. DLP programs are too often implemented as a “set and forget” technology without continuous development, which creates frustration for business stakeholders.
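To make the workflow described above concrete, here is a toy DLP incident triage loop written for this post as an added illustration; it is not Vidyatech’s product, nor code from any DLP vendor. It routes each alert to the business function that owns the data class, escalates severity for untrusted destinations and repeat offenders, tracks the response SLA so that incidents that fall through the cracks are visible, and turns the owners’ true/false-positive dispositions into a per-rule tuning report. The alerts, the rule names, the owner mapping, the severity model, the SLA hours and the trusted-destination list are all constructed assumptions.

```python
"""Toy DLP incident remediation workflow (added example, not the post's own code).

All rule names, owners, SLAs and sample alerts below are assumptions made for
illustration; a real deployment would pull them from the DLP console and the
business's data-classification register.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample alerts (not real data): one raw DLP detection each.
SAMPLE_ALERTS = [
    {"id": "A1", "user": "alice", "rule": "PII-SSN",  "dest": "personal-mail.example", "ts": "2021-03-01T09:00:00"},
    {"id": "A2", "user": "bob",   "rule": "PCI-CARD", "dest": "corp-sftp.example",     "ts": "2021-03-01T09:05:00"},
    {"id": "A3", "user": "alice", "rule": "PII-SSN",  "dest": "personal-mail.example", "ts": "2021-03-01T11:30:00"},
    {"id": "A4", "user": "carol", "rule": "CONTRACT", "dest": "usb",                   "ts": "2021-03-01T12:00:00"},
    {"id": "A5", "user": "alice", "rule": "PII-SSN",  "dest": "usb",                   "ts": "2021-03-01T13:00:00"},
    {"id": "A6", "user": "dave",  "rule": "CONTRACT", "dest": "corp-share.example",    "ts": "2021-03-01T14:00:00"},
]

# Assumed mappings: the business function accountable for each data class, the
# base severity of a hit on that class, and the response SLA per severity (hours).
DATA_OWNERS = {"PII-SSN": "HR", "PCI-CARD": "Finance", "CONTRACT": "Legal"}
BASE_SEVERITY = {"PII-SSN": 2, "PCI-CARD": 3, "CONTRACT": 1}
SLA_HOURS = {1: 72, 2: 24, 3: 4}
TRUSTED_DESTS = {"corp-sftp.example", "corp-share.example"}  # assumed allow-list
REPEAT_THRESHOLD = 2  # prior hits on the same (user, rule) before we call it a repeat offender


@dataclass
class Incident:
    id: str
    user: str
    rule: str
    owner: str
    severity: int
    opened: datetime
    due: datetime
    repeat_offender: bool
    status: str = "open"                # open -> with_owner -> closed
    disposition: Optional[str] = None   # "true_positive" | "false_positive"
    closed: Optional[datetime] = None


def triage(alerts):
    """Turn raw alerts into incidents handed to the accountable business owner."""
    incidents = []
    seen = Counter()  # (user, rule) -> number of earlier hits
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["user"], a["rule"])
        repeat = seen[key] >= REPEAT_THRESHOLD
        seen[key] += 1
        sev = BASE_SEVERITY[a["rule"]]
        if a["dest"] not in TRUSTED_DESTS:
            sev = min(3, sev + 1)  # data leaving for an untrusted destination is worse
        if repeat:
            sev = 3                # repeat offenders go straight to the top
        opened = datetime.fromisoformat(a["ts"])
        incidents.append(Incident(
            id=a["id"], user=a["user"], rule=a["rule"], owner=DATA_OWNERS[a["rule"]],
            severity=sev, opened=opened, due=opened + timedelta(hours=SLA_HOURS[sev]),
            repeat_offender=repeat, status="with_owner",
        ))
    return incidents


def close(incident, disposition, closed_ts):
    """The business owner records the outcome; this is the hand-back step."""
    if disposition not in ("true_positive", "false_positive"):
        raise ValueError("disposition must be true_positive or false_positive")
    incident.disposition = disposition
    incident.status = "closed"
    incident.closed = datetime.fromisoformat(closed_ts)
    return incident


def overdue(incidents, now_ts):
    """IDs of incidents still open past their SLA: the 'fell through the cracks' list."""
    now = datetime.fromisoformat(now_ts)
    return [i.id for i in incidents if i.status != "closed" and now > i.due]


def repeat_offenders(incidents):
    return sorted({i.user for i in incidents if i.repeat_offender})


def tuning_report(incidents, fp_threshold=0.5):
    """Per-rule false-positive rate from closed incidents; a rule above the
    threshold needs its policy refined rather than more analysts thrown at it."""
    per_rule = {}
    for i in incidents:
        if i.disposition is None:
            continue
        tp, fp = per_rule.get(i.rule, (0, 0))
        per_rule[i.rule] = (tp + (i.disposition == "true_positive"),
                            fp + (i.disposition == "false_positive"))
    return {rule: {"fp_rate": round(fp / (tp + fp), 2), "refine": fp / (tp + fp) >= fp_threshold}
            for rule, (tp, fp) in per_rule.items()}


if __name__ == "__main__":
    incs = triage(SAMPLE_ALERTS)
    for i in incs:
        print(i.id, i.user, i.rule, "->", i.owner, "sev", i.severity, "repeat" if i.repeat_offender else "")
    close(incs[0], "true_positive", "2021-03-01T16:00:00")
    close(incs[1], "false_positive", "2021-03-01T16:00:00")
    print("overdue at 16:00:", overdue(incs, "2021-03-01T16:00:00"))
    print("tuning:", tuning_report(incs))
```

The point of the `tuning_report` step is the feedback loop the post insists on: an owner marking an incident as a false positive is not the end of the ticket but an input to the next revision of the rule, and a rule whose hits are mostly false positives is a policy problem, not a staffing problem. The `overdue` list is what an enterprise-wide owner should be looking at, since the security team alone cannot close an incident whose data owner has not responded.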
How should an organization handle these incidents?
The answer is an appropriate incident remediation workflow. In a follow-up post we shall discuss a solution that answers most of these questions. When, you ask? Let us say it depends on how much interest this post evinces 😊.