We examined DLP Technology from the perspective of ISO 27001 Information Security management system (ISMS), which is the most accepted systematic approach to ensure information security all over the world.
Possible effects of information security risks in ISMS are tried to be minimized with ANNEX-A controls. We have compiled for you which of the ANNEX-A controls DLP contributes to the implementation.
| ANNEX-A CONTROL ARTICLE | ANNEX-A CONTROL ITEM EXPLANATION | RELATIONSHIP WITH DLP |
| A.8.1.3 Acceptable use of assets | Rules regarding the acceptable use of information and assets related to information and information processing facilities should be determined, documented and implemented. | It can make a great contribution to the implementation of acceptable use policies from the document. While non-DLP solutions are limited to user awareness, since logical rules are defined in DLP, it allows the determined policies to be operated at the desired level without error and independently of the user. |
| A.8.2.1 Information classification | Information should be classified according to legal requirements, value, criticality, and vulnerability to unauthorized disclosure or modification. | Classification of information is of vital importance in terms of both the assessment of information security risks and compliance with regulations. Classification of logical data and sharing, access, etc. related to the classified data. It is possible to monitor and manage data processing activities. Non-DLP solutions are very user-dependent, while in DLP the limitations specified can be operated strictly and independently of the user. |
| A.8.2.2 Information labeling | An appropriate set of procedures for information labeling should be developed and implemented according to the classification scheme adopted by the organization. | After the classification of information is done, it is a must to apply labels to the necessary information classes. With DLP, this labeling can be done both correctly and without requiring labor. |
| A.8.2.3 Use of assets | Procedures should be updated for use, handling, storage and contact information consistent with classification. | Appropriate use of information assets is critical for information security. Appropriate use of logical information assets (especially correct communication) supports implementation as determined without risk of user error through DLP. |
| A.8.3.1 Portable media management | Procedures for portable media management should be implemented according to the classification scheme adopted by the organization. | It is imperative that the data to be transferred to portable media is within the policies determined by the organization, both for compliance (eg KVKK) and information security. With DLP, these transfers can be both managed and monitored. |
| A.9.1.1 Access control policy | Access to all systems and services for all user types an official user to assign or revoke their rights access authorization process should be implemented. |
With DLP, access authorization is given a new dimension and access is made more accurate and detailed. |
| A.9.2.2 Allow user access | Access to all systems and services for all user types an official user to assign or revoke their rights access authorization process should be implemented. |
“” |
| A.9.4.1 Restriction of access to information | Access to information and application system functions should be restricted in accordance with the access control policy. | “” |
| A.13.2.1 Information transfer policies and procedures | Formal transfer policies, procedures and controls should be in place to protect information transfer through the use of all types of communication facilities. | In the event that files transmitted by e-mail with DLP, the content of the files and even the transmitted image are inappropriate, e-mail sending is prevented and possible undesirable results are prevented. |
| A.13.2.3 Electronic messaging | Information in electronic messaging should be appropriately protected. | E-mails are the doors of institutions that open to the outside, and if not used correctly, it can cause major problems both in terms of regulations and information security. Thanks to DLP, e-mail sending is prevented in case the files transmitted by e-mail, the content of the files and even the transmitted image are inappropriate, preventing possible undesired results. |
| A.16.1.2 Reporting of information security events | Bilgi güvenliği olayları uygun yönetim kanalları aracılığı ile olabildiğince hızlı bir şekilde raporlanmalıdır. |
Timely response to information security breach incidents is of vital importance, late detection of the incident may cause irreversible damage. Thanks to DLP, the occurrence of many events can be prevented by logical constraints, and due to full-time monitoring, violations can be reported to incident response teams very quickly. |
| A.16.1.4 Evaluation and decision making in information security incidents | Information security incidents should be evaluated and a decision should be made whether to classify them as information security breach incidents. | “” |
| A.16.1.5 Responding to information security breach incidents | Incidents of information security breaches should be responded to in accordance with written procedures. | “” |
