SC-7(10) / A.8.11 / CIS-3.14 NIST SP 800-53 Rev 5

Data loss prevention (DLP)

Demonstrate that the organization has deployed and configured Data Loss Prevention controls to identify, monitor, and prevent unauthorized transmission or exposure of sensitive data across endpoints, network boundaries, and cloud services.

Description

What this control does

Data Loss Prevention (DLP) is a set of technologies and processes that detect, monitor, and block sensitive data from being transmitted outside authorized boundaries, whether intentionally or accidentally. DLP solutions inspect data at rest (stored files), in motion (network traffic, email, web uploads), and in use (endpoint applications) by applying content inspection rules, classification labels, and contextual analysis to identify protected information such as PII, PHI, credit card numbers, intellectual property, or confidential business data. Effective DLP prevents unauthorized exfiltration through endpoints, email gateways, cloud services, removable media, and network channels, providing both preventive controls and forensic audit trails.

Control objective

What auditing this proves

Demonstrate that the organization has deployed and configured Data Loss Prevention controls to identify, monitor, and prevent unauthorized transmission or exposure of sensitive data across endpoints, network boundaries, and cloud services.

Associated risks

Risks this control addresses

  • Unauthorized exfiltration of customer personally identifiable information (PII) via email, cloud storage, or removable media by malicious insiders
  • Accidental disclosure of confidential intellectual property or trade secrets through misconfigured cloud sharing links or unsecured file transfers
  • Theft of payment card data or protected health information (PHI) transmitted through unauthorized channels in violation of regulatory requirements
  • Malware or ransomware staging sensitive data for exfiltration through encrypted tunnels or command-and-control channels undetected by perimeter defenses
  • Contractor or third-party access resulting in unauthorized download or transmission of proprietary data beyond contractual boundaries
  • Shadow IT usage (personal email, unapproved cloud services) bypassing enterprise security controls and creating unmonitored exfiltration paths
  • Incomplete visibility into data movement across hybrid environments leading to undetected policy violations and compliance gaps

Testing procedure

How an auditor verifies this control

  1. Obtain and review the current DLP policy documentation, including data classification scheme, sensitive data types covered, and defined exfiltration channels monitored (email, web, endpoint, cloud).
  2. Export and examine DLP system configuration for all deployed enforcement points (email gateways, web proxies, endpoint agents, cloud access security broker integrations) to verify coverage of critical egress paths.
  3. Review content inspection rules, regular expressions, and data identifiers configured to detect sensitive data types aligned to the organization's data classification policy (PII, PHI, PCI, IP, confidential).
  4. Select a sample of 15-20 DLP policy violations or alerts from the past 90 days and trace each incident through detection, user notification, quarantine action, and resolution workflow to verify enforcement effectiveness.
  5. Test DLP detection capabilities by simulating exfiltration attempts using sample sensitive data across multiple channels: send test PII via personal webmail, upload sample credit card numbers to unapproved cloud storage, and copy test files to USB devices.
  6. Interview three end users from different departments to confirm awareness of DLP policies, their experience with block notifications, and understanding of authorized methods for sharing sensitive data externally.
  7. Review DLP system logs and reporting dashboards to verify continuous monitoring, alert thresholds, false positive tuning activities, and integration with SIEM or security operations workflows.
  8. Examine exception and whitelist configurations to ensure business-justified exemptions are documented, approved by data owners, reviewed periodically, and do not create unacceptable risk exposure.

Evidence required

Collect DLP policy documents, data classification standards, and deployment architecture diagrams showing enforcement points. Export configuration files or screenshots showing content inspection rules, monitored channels, enforcement actions (block, quarantine, alert), and integration with email gateways, endpoint agents, and cloud services. Obtain DLP incident logs for the past 90 days, sample alert tickets with resolution evidence, exception approval records, and testing simulation results demonstrating detection across email, web, and endpoint channels.

Pass criteria

DLP controls are deployed across all critical exfiltration paths (email, web, endpoints, cloud services), configured to detect and enforce policies for all sensitive data types defined in the classification scheme, generate alerts with documented incident response workflows, and demonstrate effective detection through log evidence and testing simulations without excessive false positives or undocumented exceptions.
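Steps 3 and 7 of the procedure review the content inspection rules and their false-positive tuning. As an added illustration that is not part of this control text or of any DLP product, the following Python script models two data identifiers (payment card numbers and US SSNs) as a regex paired with a validator, suppresses digit runs that fail the Luhn checksum or fall in never-issued SSN ranges, and applies a hypothetical channel-based policy to constructed sample messages; the rule definitions, channel names and actions are assumptions for the example.

```python
import re
# Data identifiers modelled on the regex + validator pairs a DLP engine uses (hypothetical rules).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Payment card numbers: 13-19 digits, separators allowed, Luhn-valid."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def find_ssns(text: str) -> list:
    """US SSNs in AAA-GG-SSSS form, skipping ranges the SSA never issues."""
    hits = []
    for area, group, serial in SSN_RE.findall(text):
        if area in ("000", "666") or area[0] == "9" or group == "00" or serial == "0000":
            continue   # never-issued range: suppress as a false positive
        hits.append(f"{area}-{group}-{serial}")
    return hits

def evaluate(text: str, channel: str) -> tuple:
    """Hypothetical policy: PAN -> block on every channel; SSN -> block on external channels, alert on internal mail."""
    findings = {"PAN": find_pans(text), "SSN": find_ssns(text)}
    if findings["PAN"]:
        return "block", findings
    if findings["SSN"]:
        return ("block" if channel in ("webmail", "cloud_upload", "usb") else "alert"), findings
    return "allow", findings

# Constructed sample messages standing in for email bodies or uploaded files.
SAMPLES = [
    ("internal_mail", "Refund for order 4111 1111 1111 1111 approved"),   # Luhn-valid test PAN
    ("webmail", "Ticket ref 1234567890123456, see attached"),              # 16 digits, fails Luhn
    ("cloud_upload", "Applicant SSN 123-45-6789; placeholder 000-12-3456"),
    ("usb", "Meeting at 10:30 in room 204"),
]

def scan_samples() -> list:
    # Run every sample through the policy; returns [(channel, action), ...]
    return [(channel, evaluate(text, channel)[0]) for channel, text in SAMPLES]
```

The second sample shows why the validator matters: a 16-digit ticket reference matches the PAN regex but fails Luhn, so it is allowed rather than counted as a policy violation.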
