
Publication Summary

Title: Data Leakage Prevention Policy
Author(s): Alessandro Cardinali
Issued by: CEO
Version doc.: 0.1
Review freq.: Yearly
Date of issue: December 11, 2023
Owner: CEO/Founder
Document status: Draft – Final Draft - Final
Approval Date: n/a
Classification: Internal

Change Log

Version Date Author Comments
0.1 December 11, 2023 Olaf Jacobson First draft document

Table of Contents

Publication Summary

1 Introduction

1.1 Purpose of this document

1.2 Areas of the standard addressed

2 Data leakage prevention policy

Introduction

Soon collects and processes a significant amount of data which has value to the organization. This information is a key asset; it can be expensive to obtain and we have a duty to our interested parties to protect it, particularly where personally identifiable information (PII) is involved.

The theft of data is a risk that we need to address in as many ways as possible, and an important factor in protecting it is being able to detect when recognisable data is being stolen. This policy sets out how Soon will monitor key points in its systems and network environment to identify instances where the organization’s data may be subject to theft or unauthorised use.

Although that monitoring focuses on systems and networks, this policy applies to all channels of potential data leakage, including verbal, social media and those involving physical formats such as paper.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Soon systems.

The following policies and procedures are relevant to this document:

Purpose of this document

The Data Leakage Prevention Policy is an overarching document that is intended to establish the principles to be used when configuring relevant software tools.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

  • A.5 Organizational controls

  • A.5.1 Policies for information security

  • A.8 Technological controls

  • A.8.12 Data leakage prevention

Data leakage prevention policy

It is Soon policy to monitor systems, networks and endpoint devices to detect and prevent the unauthorised extraction of sensitive information by individuals or systems.

Monitoring will be carried out in accordance with applicable legislation and solely for the legitimate interest of Soon in protecting its sensitive information.

The following major types of information will be classed as sensitive for the purpose of this policy:

  • Customer personal data

  • Employee records

  • Product designs and other intellectual property

  • Confidential financial records

  • Credit card information

  • [Define types of sensitive information]

Unauthorised extraction will be interpreted as the copying, moving or otherwise exporting of sensitive data, without the asset owner’s permission, to a location or medium that falls outside the organization’s boundaries, such as a cloud service, mailbox or removable storage device.

Where technically possible, steps must be taken to restrict users’ ability to extract sensitive data by design, such as limiting the user’s ability to copy and paste within an application or preventing the connection of removable storage devices.

Technical controls must be supplemented by regular user awareness training activities which inform users about the nature of data loss and how to avoid it.

Where possible, appropriate data leakage prevention software tools will be used to detect the disclosure of information classified as sensitive and prevent the identified action (such as file copying or sending an email) from taking place.

Unauthorised physical actions such as photographing or taking screenshots of sensitive data are not permitted and all employees of Soon have a responsibility to report such instances to management.

Personnel found to be responsible for unauthorised extraction of information falling under the remit of this policy may be subject to disciplinary action. In some circumstances a targeted programme of awareness training may also be appropriate for those found to have breached this policy.