Establish, implement, and maintain a data loss prevention program.


CONTROL ID
13050
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Technical security, CC ID: 00508

This Control has the following implementation support Control(s):
  • Include the data loss prevention strategy as part of the data loss prevention program., CC ID: 13051


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Banks may consider such solutions, if required, after assessing their potential to improve data security. (Critical components of information security 15) xi. ¶ 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A personal information controller shall prepare countermeasures to minimize the risk of damage in the case of divulgence of personal information. (Article 34(2), Personal Information Protection Act)
  • The FI should implement appropriate measures to prevent and detect data theft, as well as unauthorised modification in systems and endpoint devices. The FI should ensure systems managed by the FI's service providers are accorded the same level of protection and subject to the same security standards… (§ 11.1.2, Technology Risk Management Guidelines, January 2021)
  • data in use - data that is being used or processed by a system. (§ 11.1.1(c), Technology Risk Management Guidelines, January 2021)
  • The FI should develop comprehensive data loss prevention policies and adopt measures to detect and prevent unauthorised access, modification, copying, or transmission of its confidential data, taking into consideration the following: (§ 11.1.1, Technology Risk Management Guidelines, January 2021)
  • The FI should implement data loss prevention measures on personal computing or mobile devices that are used to access the FI's information assets. Two common ways to address BYOD security are the use of mobile device or application management, as well as virtualisation solutions. These solutions can… (Annex B.1, Technology Risk Management Guidelines, January 2021)
  • Processes, and supporting procedures, are developed, implemented and maintained to prevent AUSTEO, AGAO and REL data in both textual and non-textual formats from being exported to unsuitable foreign systems. (Control: ISM-1535; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Processes, and supporting procedures, are developed, implemented and maintained to prevent AUSTEO, AGAO and REL data in both textual and non-textual formats from being exported to unsuitable foreign systems. (Control: ISM-1535; Revision: 5, Australian Government Information Security Manual, September 2023)
  • implementation of network segmentation, data loss prevention systems and the encryption of network traffic (in accordance with the data classification); (3.4.4 36(c), Final Report EBA Guidelines on ICT and security risk management)
  • minimise the risk of corruption or loss of data, unauthorised access and technical flaws that may hinder business activity; (Art. 9.3.(b), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Strategies for avoiding permanent loss of information are defined. (3.1.2 Requirements (should) Bullet 4, Information Security Assessment, Version 5.1)
  • loss prevention and recovery; (§ 7.11 Bullet 7, SS2/21 Outsourcing and third party risk management, March 2021)
  • Implement mechanisms for detecting and preventing clear-text PAN from leaving the CDE via an unauthorized channel, method, or process, including generation of audit logs and alerts. (A3.2.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Mechanisms are implemented for detecting and preventing cleartext PAN from leaving the CDE via an unauthorized channel, method, or process, including mechanisms that are: (A3.2.6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documented response procedures to verify that procedures for responding to the detection of cleartext PAN outside the CDE are defined and include all elements specified in this requirement. (A3.2.5.2.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documented response procedures to verify that procedures for responding to the attempted removal of cleartext PAN from the CDE via an unauthorized channel, method, or process include all elements specified in this requirement: (A3.2.6.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information. (CIS Control 13: Data Protection, CIS Controls, 7.1)
  • The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information. (CIS Control 13: Data Protection, CIS Controls, V7)
  • The organization implements data loss identification and prevention tools to monitor and protect against confidential data theft or destruction by an employee or an external actor. (PR.DS-5.1, CRI Profile, v1.2)
  • The organization implements data loss identification and prevention tools to monitor and protect against confidential data theft or destruction by an employee or an external actor. (PR.DS-5.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • controls over data loss prevention, access provisioning and deprovisioning, user identification and authentication, data destruction, system event monitoring and detection, and backup procedures (¶ 3.59 Bullet 9 Sub-Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Reading policy and procedure manuals, system documentation, flowcharts, narratives, asset management records, and other system documentation to understand IT policies and procedures and controls over data loss prevention, access provisioning and deprovisioning, user identification and authentication… (¶ 3.50 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • CSPs must provide a spillage remediation plan addressing the above and Mission Owner control of capabilities for all CSOs as part of their provisional authorization package. (Section 5.7 ¶ 10, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Where the Mission Owner does not have control over the cloud environment and/or how their data is stored as in most SaaS and some PaaS CSOs, the CSP must provide capabilities within the CSO that can be activated when a spillage is detected. These capabilities should be under the control of the Missi… (Section 5.7 ¶ 9, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Determine whether the financial institution and service provider have developed specific procedures for the investigation and resolution of data corruption in response and recovery strategies, including data integrity controls. (TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Employs appropriate data protection and data loss prevention tools. (App A Objective 4:5d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Protection of data consistently throughout the institution. (App A Objective 2.5.j, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Requires secure storage of all types of sensitive information, whether on computer systems, portable devices, physical media, or hard-copy documents. (App A Objective 6.18.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should control and protect access to and transmission of information to avoid loss or damage and do the following: - Establish and supervise compliance with policies for storing and handling information, including storing data on mobile devices and cloud services. - Define and implement… (II.C.13 Control of Information, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
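The PCI DSS citations above (A3.2.6 and A3.2.6.1) describe a concrete mechanism: detect cleartext PAN leaving the CDE over a channel that is not authorized for it, block it, write an audit record and raise an alert. The following Python is an added illustration of that mechanism written for this page; it is not code from PCI DSS, from any of the authority documents listed, or from a real DLP product. The channel names, the destination hostnames, the AUTHORIZED_EGRESS policy table and the sample messages are all constructed assumptions; the card numbers are published card-brand test numbers, not real accounts.

```python
"""Added example: minimal outbound PAN detector in the spirit of PCI DSS A3.2.6.
Channel names, hostnames, the policy table and the sample messages are constructed
for this illustration (assumptions, not from any real deployment)."""
import re
from dataclasses import dataclass, field

# Candidate PAN: 13-19 digits, single optional space/dash separators, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed policy: the only (channel, destination) on which a PAN may legitimately leave
# the CDE, e.g. a tokenization service. Any other egress path is unauthorized.
AUTHORIZED_EGRESS = {("tls", "tokenizer.cde.example.internal")}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most non-PAN digit runs (order numbers, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def extract_pans(text: str) -> list[str]:
    """Return normalized (separator-free) digit strings that pass length and Luhn checks."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so the audit log never stores cleartext PAN itself."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Verdict:
    action: str                     # "allow" or "block"
    channel: str
    destination: str
    masked_pans: list[str] = field(default_factory=list)
    alert: bool = False


def inspect_message(channel: str, destination: str, body: str) -> Verdict:
    """Decide whether one outbound message may leave the CDE and what to record about it."""
    pans = extract_pans(body)
    if not pans:
        return Verdict("allow", channel, destination)
    masked = [mask_pan(p) for p in pans]
    if (channel, destination) in AUTHORIZED_EGRESS:
        # Authorized path: let it through but keep an audit record of the masked PANs.
        return Verdict("allow", channel, destination, masked)
    # Unauthorized channel: block, log, and alert (the A3.2.6.1 response trigger).
    return Verdict("block", channel, destination, masked, alert=True)


def audit_log(verdict: Verdict) -> str:
    """One audit line per inspected message; only masked PANs ever reach the log."""
    pans = ",".join(verdict.masked_pans) or "-"
    return (f"{verdict.action.upper()} channel={verdict.channel} "
            f"dest={verdict.destination} pans={pans} alert={int(verdict.alert)}")


# Constructed sample traffic (test PANs from published card-brand test ranges).
SAMPLE_MESSAGES = [
    ("smtp", "mail.partner.example.com",
     "Hi, card on file is 4111 1111 1111 1111, please charge shipping."),
    ("https", "pastebin.example.org",
     "dump: 5555555555554444 378282246310005"),
    ("tls", "tokenizer.cde.example.internal",
     "tokenize:4111111111111111"),
    ("smtp", "mail.partner.example.com",
     "Order 1234567890123456 shipped at 20240101123045."),   # Luhn-invalid, no alert
]


def run_sample() -> list[Verdict]:
    return [inspect_message(c, d, b) for c, d, b in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for v in run_sample():
        print(audit_log(v))
```

Two design points matter here. The Luhn check is what keeps a 16-digit order number or a timestamp from triggering the same block-and-alert path as a real PAN, which is the difference between a DLP rule operators trust and one they disable. And the audit record is built only from masked values, so the detector that exists to stop PAN leakage does not itself become a second store of cleartext PAN outside the CDE.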