Next DLP Data Loss Prevention Checklist


CHECKLIST

DLP Checklist

Have you been assigned a data protection project? Follow this checklist to ensure that you're covering all the bases, from developing your DLP strategy to rollout and enforcement.

1. Identify and Understand Regulatory Obligations

Define where the DLP strategy fits within existing security policies and controls within the business
General Data Protection Regulation (GDPR)
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry Data Security Standard (PCI DSS)
California Consumer Privacy Act (CCPA)
Federal Standards (e.g., Committee on National Security Systems Directive 504 (CNSSD 504) for User Activity Monitoring)

2. Develop your DLP Scope

Define success metrics (e.g., FP rates, training interventions, detection accuracy)
Inclusion of endpoints and/or networks
Inclusion of cloud applications
Inclusion of chat/messaging

3. Identify business requirements

What business processes need to be facilitated and secured through the implementation of the DLP solution? (e.g., the transfer of customer payment data to a finance contractor)

4. Identify technical requirements

Performance on endpoints
Compatibility with endpoints
Overhead required for building and maintaining rules
Bandwidth requirements
Storage requirements
Off-network performance for remote workforce

5. Understand what data you need to protect

Internal data
PII
PHI
Payment card information
Customer data
Intellectual Property and trade secrets including source code, design documents, and strategic planning data
Financial data
Business partner information
Confidential information
Controlled Unclassified Information (CUI)

6. Develop an identification and classification system

Structured data sources (databases)
Unstructured data sources (text documents, presentations, chat, video, images)
Semi-structured (email, spreadsheets)
How do you recognize sensitive data?
String matching for credit cards, Social Security and Drivers' license numbers
Regular expressions for key financial information
Keywords
By user
By data store
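As an added example (not Next DLP's code), the recognition methods listed above combined into a small Python classifier: pattern matching for card numbers with a Luhn check to hold down the false-positive rate named as a success metric in item 2, a Social Security Number regex, and keyword hits. The patterns, keywords and sample text are constructed for illustration; a real deployment tunes them to its own data.

```python
# Added illustration, not Next DLP's code. Patterns, keywords and the
# sample text are constructed; they are not production-grade rules.
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security Number in the canonical AAA-GG-SSSS form, excluding
# area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Keywords that mark content as sensitive regardless of pattern hits.
KEYWORDS = ("confidential", "trade secret", "strategic plan")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs that match CARD_RE."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return the sensitive-data indicators found in a text blob."""
    findings = {"card": [], "ssn": [], "keyword": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # The regex alone would flag long invoice or tracking numbers;
        # Luhn validation keeps such false positives out of the findings.
        if luhn_valid(digits):
            findings["card"].append(digits)
    findings["ssn"] = SSN_RE.findall(text)
    lowered = text.lower()
    findings["keyword"] = [k for k in KEYWORDS if k in lowered]
    return findings


# Constructed sample: one Luhn-valid test card, one 16-digit number that
# fails Luhn (should not be reported), one SSN and one keyword.
SAMPLE = (
    "CONFIDENTIAL: pay contractor with card 4111 1111 1111 1111; "
    "tracking number 1234 5678 9012 3456; applicant SSN 123-45-6789."
)

if __name__ == "__main__":
    print(classify(SAMPLE))
```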

7. Define security requirements and policies

Identify controls and escalations
Identify user training to stop accidental or negligent leaks
Encryption requirements
Data sanitization and redaction

8. Determine roles and responsibilities

Rule creation
Rule enforcement
Exception handling

9. Employee communication

Distribute and require review of policies
Inform on cyber hygiene principles
Sanctioned and unsanctioned applications and devices

10. Identify and correct poor cyber hygiene practices

Identify and quantify unsafe activities
Monitor policies for effectiveness
Incident-based training
Controls such as warn, block, and acknowledge policies

11. Rollout and Enforcement

Prepare (and test) an incident response plan
Enforce policies with block, isolate devices from the network, lock out user sessions, take screenshots (static/in motion), display messages, block uploads, and kill processes

www.nextdlp.com

Copyright © 2023, Next DLP Ltd. All rights reserved.

We reserve the right to introduce modifications without notice.
