A.8.12 — Is data leakage prevention deployed (DLP at email/endpoint/cloud)? (NEW in 2022)
Description
What this control does
Data Leakage Prevention (DLP) is a suite of technologies deployed across email gateways, endpoints, and cloud services to detect and block unauthorized transmission of sensitive data based on content inspection, contextual analysis, and policy rules. DLP systems classify data (e.g., PII, payment card data, intellectual property) and enforce policies that prevent exfiltration via email, web uploads, removable media, cloud storage, or messaging platforms. Effective DLP combines automated detection, real-time blocking or alerting, and logging to support both preventive and detective controls against insider threats and accidental data exposure.
Control objective
What auditing this proves
Demonstrate that data leakage prevention controls are deployed across email, endpoint, and cloud channels, configured with policies aligned to organizational data classification, and actively detecting or blocking unauthorized data transmission.
Associated risks
Risks this control addresses
- Exfiltration of sensitive customer data (PII, PHI, payment card data) via email attachments or body content by malicious insiders
- Accidental transmission of confidential intellectual property to unauthorized external recipients through cloud file-sharing services
- Data theft via removable media (USB drives, external hard disks) from endpoints by employees or contractors
- Unauthorized uploads of proprietary source code or financial records to personal cloud storage accounts or webmail services
- Loss of competitive advantage through leakage of strategic documents, M&A information, or trade secrets during breach or insider activity
- Regulatory non-compliance and fines due to undetected transmission of regulated data in violation of GDPR, HIPAA, PCI DSS, or other frameworks
- Reputational damage and loss of customer trust resulting from publicized incidents of sensitive data leakage
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's data classification policy and DLP program documentation, including scope of covered channels (email, endpoint, cloud), data types monitored, and deployment architecture.
- Inventory all DLP solutions deployed, including vendor names, versions, deployment models (on-premises, cloud-based, hybrid), and integration points with email gateways, endpoint agents, and cloud access security brokers (CASB).
- Review DLP policy configuration exports for email, endpoint, and cloud channels, verifying that rules are defined for each data classification tier (e.g., confidential, restricted, public) and aligned with organizational risk appetite.
- Select a sample of 10–15 DLP policy rules across channels and verify that content inspection patterns (regex, fingerprinting, machine learning classifiers) are current, tested, and cover key data types (credit card numbers, social security numbers, proprietary keywords).
- Examine DLP alert logs and incident reports for the past 90 days, confirming that detection events are logged with sufficient detail (user, timestamp, channel, action taken, data classification) and retention meets policy requirements.
- Conduct a controlled test by attempting to send a sample file containing test sensitive data (e.g., dummy credit card numbers) via email, upload to personal cloud storage, and copy to USB drive, verifying that DLP blocks or alerts on each channel.
- Review DLP exception and override logs, confirming that any policy bypasses are formally approved, documented with business justification, and subject to periodic re-validation.
- Interview IT security staff responsible for DLP operations to confirm that alerting thresholds, false positive tuning, and incident response workflows are defined and operational.
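To show what steps four to six above actually check, here is a minimal DLP policy engine added as an illustration; it is not part of this control text or any vendor's product. It applies content-inspection patterns (with a Luhn check so lookalike numbers do not become false positives), a per-channel policy table, an approved-exception list, and emits a log record carrying user, timestamp, channel, action and classification. The patterns, channel names, policy table, exception registry and sample data are all assumed.

```python
import re
from datetime import datetime, timezone
# Assumed content-inspection patterns (illustrative, not any vendor's rule set).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Assumed policy: (classification, channel) -> action. A classified item with no
# matching entry falls back to "alert", so a gap in the table never means "allow".
POLICY = {
    ("payment-card", "email"): "block", ("payment-card", "cloud"): "block", ("payment-card", "usb"): "block",
    ("pii", "email"): "alert", ("pii", "cloud"): "block", ("pii", "usb"): "block",
}

def luhn_ok(digits: str) -> bool:
    """Mod-10 check; drops lookalike numbers (order refs, phone numbers) that a bare regex flags."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the classification labels whose inspection patterns match the content."""
    labels = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("payment-card")
    if SSN_RE.search(text):
        labels.add("pii")
    return labels

def evaluate(user: str, channel: str, text: str, exceptions=frozenset()) -> dict:
    """Apply the policy to one transmission; return the log record an auditor expects."""
    labels = classify(text)
    if not labels:
        action = "allow"
    elif all((user, channel, label) in exceptions for label in labels):
        action = "allow-by-exception"  # approved, documented bypass (hypothetical registry)
    else:
        actions = {POLICY.get((label, channel), "alert") for label in labels}
        action = "block" if "block" in actions else "alert"
    return {"user": user, "timestamp": datetime.now(timezone.utc).isoformat(),
            "channel": channel, "action": action, "classification": sorted(labels)}

if __name__ == "__main__":  # constructed test data: Luhn-valid test PAN, lookalike, dummy SSN
    print(evaluate("alice", "email", "card 4111 1111 1111 1111 expires 12/27"))
    print(evaluate("bob", "cloud", "order ref 1234 5678 9012 3456"))
    print(evaluate("carol", "usb", "SSN 123-45-6789 on file"))
```

The controlled test in step six maps directly onto the three sample calls: each returns the record the auditor reviews, and the lookalike number is allowed only because it fails the Luhn check, not because the channel is unmonitored.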