ISMS-DOC-A08-12-1 Data Leakage Prevention Policy



Data Leakage Prevention Policy

ISO/IEC 27001 Toolkit: Version 13

Data Leakage Prevention Policy

Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

The Data Leakage Prevention Policy is an overarching document that is intended to establish the principles to be used when configuring relevant software tools.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

• A.5 Organizational controls

o A.5.1 Policies for information security

• A.8 Technological controls

o A.8.12 Data leakage prevention

General guidance

This is an area where software tools come into their own. There are many available at varying costs, but don’t forget to consider those provided as part of existing cloud subscriptions.

Review frequency

We would recommend that this document be reviewed annually and upon any significant change to the organization.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

To update this field (and any others that may exist in this document):


1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.

2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).

3. Press F9 on the keyboard to update all fields.

4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.

Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.


Data Leakage Prevention Policy

Version 1

DOCUMENT CLASSIFICATION [Insert classification]

DOCUMENT REF ISMS-DOC-A08-12-1

VERSION 1

DATED [Insert date]

DOCUMENT AUTHOR [Insert name]

DOCUMENT OWNER [Insert name/role]


Distribution

NAME TITLE

Approval

NAME

1 Introduction

[Organization Name] collects and processes a significant amount of data which has value to the organization. This information is a key asset; it can be expensive to obtain, and we have a duty to our interested parties to protect it, particularly where personally identifiable information (PII) is involved. The theft of data is a risk that we need to address in as many ways as possible, and an important factor in protecting it is being able to detect when recognisable data is being stolen.

The purpose of this policy is to set out how [Organization Name] will monitor key points in its systems and network environment to identify instances where the organization’s data may be subject to theft or unauthorised use.

This policy applies to all channels of potential data leakage, including verbal, social media and those involving physical formats such as paper.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.

The intended audience for this policy is employees responsible for designing systems and managing service delivery within [Organization Name].

Failure to comply with the contents of this policy may result in disciplinary action being taken by [Organization Name] against the individual(s) concerned.

Terms used in this policy are defined as follows:

• Sensitive information means data that must be protected due to its confidential nature and the potential harm or risk that could arise if it is accessed, disclosed, or used without authorization.

• Legitimate interest is a legal basis under data protection laws that allows organizations to process personal data without explicit consent if they have a valid reason to do so.

• Removable storage devices are portable data storage media that can be easily connected to and disconnected from a computer or other digital device.

The following ISMS documents and external references are relevant to this document:

• Information Security Policy

• Information Security Incident Response Procedure

2 Data leakage prevention policy

It is [Organization Name] policy to monitor systems, networks and endpoint devices to detect and prevent the unauthorised extraction of sensitive information by individuals or systems.

Monitoring will be carried out in accordance with applicable legislation and solely for the legitimate interest of [Organization Name] in protecting its sensitive information.

The following major types of information will be classed as sensitive for the purpose of this policy:

• Customer personal data

• Employee records

• Product designs and other intellectual property

• Confidential financial records

• Credit card information

• [Define types of sensitive information]

Unauthorised extraction will be interpreted as the copying, moving or other export of sensitive data, without the asset owner’s permission, to a location or medium that falls outside the organization’s boundaries, such as a cloud service, mailbox or removable storage device.

Where technically possible, steps must be taken to restrict users’ ability to extract sensitive data by design, such as limiting the user’s ability to copy and paste within an application or preventing the connection of removable storage devices.

Technical controls must be supplemented by regular user awareness training activities which inform users about the nature of data loss and how to avoid it.

Where possible, appropriate data leakage prevention software tools will be used to detect the disclosure of information classified as sensitive and to prevent the identified action (such as copying a file or sending an email) from taking place.

Unauthorised physical actions such as photographing or taking screenshots of sensitive data are not permitted and all employees of [Organization Name] have a responsibility to report such instances to management.

Personnel found to be responsible for unauthorised extraction of information falling under the remit of this policy may be subject to disciplinary action. In some circumstances a targeted programme of awareness training may also be appropriate for those found to have breached this policy.
