
Control 8.12 : Data Leakage Prevention


Summary

Data leakage prevention (DLP) measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information. The aim is that unauthorized disclosure of information is detected and prevented in real time, rather than discovered after the fact.


Applicability

In-Scope: Mandatory for all organizations. It is the primary technical defense against accidental or intentional data exfiltration via email, web uploads, or removable media.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Purview DLP: Configure Microsoft Purview Data Loss Prevention policies to identify sensitive information types across Exchange, SharePoint, OneDrive, and Teams.

  • Endpoint DLP: Extend DLP policies to managed devices via Microsoft Intune to prevent users from copying sensitive data to unapproved USB drives or personal cloud storage.

  • Incident Triage: Utilize the Microsoft Purview Compliance Manager to monitor DLP alerts and automatically block high-risk transfers while notifying the security team.
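As an added example (not from the page or from Microsoft), the Security & Compliance PowerShell below creates a Purview DLP policy over the four workloads listed above with one rule that blocks Social Insurance Numbers shared outside the organization, shows the user a policy tip and sends an incident report to the security team. The policy name and report mailbox are constructed; the cmdlet and parameter names are assumed from the ExchangeOnlineManagement module and should be checked against current documentation.

```powershell
# Added example: Purview DLP policy for Control 8.12 (constructed names, assumed cmdlets).
# Requires the ExchangeOnlineManagement module and Compliance Administrator rights.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'SIN-Exfiltration-Control-8.12'        # constructed policy name
$securityMailbox = 'security-team@example.com'       # constructed report recipient

# 1. Policy scope: all workloads that process, store or transmit the data.
#    Start in TestWithNotifications so the rule audits and tips but does not block
#    until legitimate business transfers have been reviewed for false positives.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Control 8.12: detect and block SIN leaving the organization' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# 2. Rule: SIN content shared with anyone outside the tenant is blocked, the last
#    modifier is told why, and a high-severity incident report goes to security.
New-DlpComplianceRule -Name "$policyName-Block-External" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Canada Social Insurance Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText 'This item contains Social Insurance Numbers and cannot be shared externally.' `
    -GenerateIncidentReport $securityMailbox `
    -IncidentReportContent Detections, DocumentAuthor, Severity `
    -ReportSeverityLevel High

# 3. Evidence for the auditor: the rule configuration as the system actually holds it
#    (what is protected, what action is taken, at what severity).
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, BlockAccess, AccessScope, ReportSeverityLevel, ContentContainsSensitiveInformation |
    Format-List

# 4. After the pilot review, switch the policy to enforcement.
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Running in test mode first, then promoting to Enable, is also the answer to the auditor's question about business disruption: the alert logs from the pilot show which legitimate transfers would have been blocked before enforcement starts.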


Evidence Checklist

  • DLP Policy: A documented set of rules defining what data is protected and what actions (Block, Notify, Audit) are taken upon a violation.

  • Alert Logs: Evidence of triggered DLP alerts and the subsequent investigation and remediation by the security team.

  • Rule Configuration: Records showing the specific sensitive information types (e.g., social insurance numbers) being monitored by the system.


Practical Audit Advice

Here are some questions the auditor might ask:

  • What are the specific criteria used to define a high-severity data leakage event within your DLP system?

  • How do you ensure that DLP policies do not cause significant business disruption for legitimate data transfers?

  • Can you demonstrate the system's reaction when an employee attempts to send a document labeled Highly Confidential to a personal email address?

  • How often are your DLP rules reviewed and updated to account for new sensitive data types or changing business workflows?