Data Governance

Data Governance

Introduction

Data Loss Prevention Plan (DLP) combines various procedures, policies, and technologies in a bid to prevent users in a particular network from misusing or leaking critical data while at rest, in motion, or in use. DLP works by categorizing sensitive data versus insensitive data in a bid to respond effectively to potential exfiltration activities. In order to increase security in its systems, Saudi Arabia intends to invest approximately 400 million USD in data loss prevention solutions (Infotech, 2013). As the main custodian of the main holey mosques and biggest oil producers, Saudi Arabia has taken active procedures to increase data protection in the country. A report by the InfoWatch indicated that most financial institutions and government bodies are the most susceptible to data security threats followed by oil and gas, utilities, and construction.

KSA organizations which implement a Data Loss Prevention (DLP) plan.

Saudi Telcom Company (STC) is one of the companies that have implemented a data loss prevention plan. STC is a focused digital champion that has always focused on evolution and innovation by thinking and planning ahead in order to remain a purposeful and meaningful organization (STC, n.d.). The company is a world-class leader in the digital field and provides innovative platforms and services to its customers in order to facilitate an efficient digital transformation. The company provides digital solutions which range from financial technology, cybersecurity, digital media, and various digital solutions.

SABIC is another organization in Saudi Arabia that has invested in data loss prevention plan in a bid to increase security and income. SABIC is a diversified manufacturing company that is active in the production of petrochemicals, industrial polymers, fertilizers, and metals, among others (Banda, 2017). The company has been ranked previously as the most significant chemical producer in the world, and it is one of the largest producers of ethylene glycol in the world and is expected to become the top after the unveiling of new products.

Reason for the Implementation of the DLP Plan

Increase in data loss as a result of insider threats and data leaks facilitated the SABIC organization and Saudi Telecom Company (STC) to invest in a DLP plan. The companies aimed at preventing end-users from misusing company data maliciously or accidentally. There was also a need to meet the stipulated regulatory and compliance standards by ensuring stringent monitoring of critical data movement. DLP enables organizations to prevent accidental loss of confidential information across various devices. According to 2019, DLP increases data security in that it can monitor data in storage, at rest, or in transit in a manner that reduces the risks associated with data loss. DLP systems often work through contextual analysis and deep inspection of content and transactions in a bid to reinforce data security policies ((Pearl, Kiang, & Bailon, 2016). The system provides an organization with a centralized management framework that is well designed to identify and prevent any unauthorized use of confidential information. DLP protects an organization from mistakes that may lead to data leaks and intentional misuse by internal and external users.

SABIC and STC implemented the system in that the organizations were not sure whether the company’s confidential data was being stored as required, and the people who had access to it. DLP enabled the organizations to check various network actions to defend and control sensitive data such as customer information and personally identifiable information, intellectual property and financial data (Pearl, Kiang, & Bailon, 2016). SABIC was concerned about negative exposures, liability, and lost revenue that was associated with the breach of data. There was also a need to maintain its compliance with the stipulated complex regulations in the country.

Components in the Data Loss Prevention Plan

Three main components were included in the data prevention plan. The first plan was the identification and categorization of sensitive data. Before enacting any changes, the organizations evaluated the ecosystem of the data environment in a bid to identify the data that was being used and the people who were using it. For instance, the company could not secure the payment of card data without the certification that the users of the cards can process payments (Hart, Manadhata & Johnson, 2011) Categorization of data is important in order to understand the data that needs immediate servicing. For instance, SABIC data was categorized under intellectual property, employee information, customer data, and financial information. These categories facilitated the creation of varying rules that can handle varying kinds of data.

Tracing the route of data transmission was another component of importance that enabled the administration to identify data users – authorized and unauthorized – to increase data security. Prevention of unauthorized access to company data was a component that enabled the company to restrict entry and use by unauthorized users. In order to achieve this component, the organizations were advised to involve stakeholders, create policies, automate use and educate users to reduce the vulnerability of the company data to attackers.

Type of Data Protected

            SABIC and STC engaged DLP in order to protect its most crucial data from malicious users. The main type of data protected included personally identifiable information (PII) such as bank account number, email address, social security number, passport number, full names, and email addresses. The plan also protected the organizations’ intellectual property while helping it to achieve enhanced data visibility in revered organizations. It secured data on the company’s remote cloud system and secured various mobile workforce in the company. SBT and SABIC needed data loss prevention plan to enforce the anticipated security in a bid to achieve the benefits of Bring Your Own Device (BYOD) environments in order to increase productivity.

Benefits Gained from Data Loss Prevention (DLP) Plan

SABIC and STC benefited from the implementation of a DLP plan in that the organizations were able to prevent unexpected data breaches. The DLP protected the organization’s systems against both external and internal threats through the implementation of various DLP features such as Microsoft Exchange, Microsoft file server, and Microsoft SharePoint. Automation was achieved through content-aware scanning in that the system always notified the users that they were entering into a sensitive site and often requested for justification so as to increase security. DLP understands that mistakes are part of human nature, and thus, it is necessary to allow technology to protect organizational information in order to reduce the chances of data breaches.

The organizations benefited from the implementation of DLP in that it was able to configure real-time incidents after particular insecurity issues after which it would undertake a perfect overview of the incidents and generate a report on the issue. Unlike other security plans, DLP provides early detection of the insecurity with incredible visibility of traffic in order to make it easy to detect malicious use and take appropriate action to prevent similar happenings. DLP is quite agile in that its features can be enabled easily without any application by third parties (Liu & Kuhn, 2010). It is easy to use due to its user-friendliness that keeps the environment free from any hassle. It has various file support systems and a wide range of file formats that support a wide array of file formats. The use of DLP also enables organizations to remain compliant with the stipulated data regulations by increasing their ability to remain in line with industry requirements such as the Sarbanes-Oxley Act, among others. Besides, it increases security frameworks in that it maps in and strengthens the security framework.