AC-4 / SC-7(10) / SI-4(4) NIST SP 800-53 Rev 5

DLP / outbound monitoring on Restricted data

Description

What this control does

Data Loss Prevention (DLP) systems monitor and control the movement of sensitive data classified as Restricted across network boundaries, endpoints, and cloud services. The control uses content inspection, pattern matching, and policy enforcement to detect and block unauthorized transmission of Restricted data via email, web uploads, removable media, and other exfiltration channels. By continuously scanning outbound traffic against defined data classification rules, organizations prevent accidental or malicious disclosure of high-value intellectual property, personal data, financial records, and regulated information.
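The inspection-and-enforcement loop described above, reduced to a small engine, as an added example that is not code from this page or from any DLP product. Every rule in it is an assumption for illustration: a "Classification: Restricted" label that documents are stamped with, a card-number pattern that is only reported when the Luhn checksum passes (so random digit runs do not become false positives), a hypothetical PRJ-XXX-NNNN project-code pattern, a per-channel enforcement table, and a byte-entropy check so that payloads the engine cannot read (encrypted archives, PGP blobs) are quarantined rather than silently allowed.

```python
"""Minimal DLP content-inspection engine (added example; all rules are hypothetical)."""
import math
import re
from dataclasses import dataclass, field

# --- Detection rules (assumed; a real deployment exports these from the console) ---
RESTRICTED_LABEL = re.compile(r"\bClassification:\s*Restricted\b", re.IGNORECASE)
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
PROJECT_CODE = re.compile(r"\bPRJ-[A-Z]{3}-\d{4}\b")        # hypothetical internal identifier

# --- Enforcement per egress channel when Restricted content is found (assumed policy) ---
ENFORCEMENT = {
    "email_internal": "alert",      # stays inside the boundary: allow, but log it
    "email_external": "block",
    "web_upload": "block",
    "removable_media": "block",
    "chat": "block",
}
# Payloads the engine cannot read are never assumed clean.
UNINSPECTABLE_ACTION = "quarantine"
ENTROPY_THRESHOLD = 7.5  # bits per byte; above this the bytes look encrypted or compressed


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext and compressed data sit close to 8."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Verdict:
    action: str
    findings: list = field(default_factory=list)


def inspect(payload: bytes, channel: str) -> Verdict:
    """Inspect one outbound payload and return the enforcement action for its channel."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        text = None
    if text is None or shannon_entropy(payload) > ENTROPY_THRESHOLD:
        return Verdict(UNINSPECTABLE_ACTION, ["uninspectable payload"])

    findings = []
    if RESTRICTED_LABEL.search(text):
        findings.append("Restricted label")
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):                       # drop look-alike digit runs
            findings.append(f"PAN {digits[:6]}******{digits[-4:]}")
    findings.extend(f"project code {m.group()}" for m in PROJECT_CODE.finditer(text))

    if not findings:
        return Verdict("allow")
    return Verdict(ENFORCEMENT.get(channel, "block"), findings)   # unknown channel: fail closed


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    samples = [
        (b"Classification: Restricted\nSee PRJ-ABC-1234 for details", "email_external"),
        (b"Classification: Restricted\nQ3 numbers attached", "email_internal"),
        (b"Invoice ref 1234 5678 9012 3456", "web_upload"),        # fails Luhn: allowed
        (b"card 4111 1111 1111 1111 exp 12/26", "web_upload"),    # passes Luhn: blocked
        (bytes(range(256)) * 16, "chat"),                         # stand-in for an encrypted archive
    ]
    for payload, channel in samples:
        print(channel, inspect(payload, channel))
```

The two details worth copying into a real rule set are the checksum validation (a bare digit regex on invoices or order numbers drowns the analyst in false positives) and the explicit action for uninspectable content, which is where most exfiltration through "encrypted channels" actually lands.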

Control objective

What auditing this proves

Demonstrate that DLP controls are configured, deployed, and actively enforcing policies that prevent unauthorized transmission of data classified as Restricted through all monitored egress channels.

Associated risks

Risks this control addresses

  • Exfiltration of Restricted data through email attachments to unauthorized external recipients
  • Unauthorized upload of Restricted documents to personal cloud storage services (e.g., Dropbox, Google Drive)
  • Copying Restricted data to USB drives or other removable media without approval or encryption
  • Transmission of Restricted data via unmonitored communication channels such as instant messaging or collaboration platforms
  • Insider threat actors intentionally leaking Restricted intellectual property or customer data to competitors
  • Accidental exposure of Restricted data due to user error such as misdirected emails or misconfigured file shares
  • Data exfiltration through channels that defeat content inspection, such as TLS sessions the proxy does not decrypt, password-protected archives, or steganography; DLP mitigates this only where it can decrypt or inspect the traffic, or where policy blocks payloads it cannot read

Testing procedure

How an auditor verifies this control

  1. Obtain the current data classification policy and identify all categories, labels, and handling requirements designated as Restricted
  2. Retrieve the DLP policy configuration from the management console, documenting all rules, patterns, and detection logic targeting Restricted data
  3. Review coverage maps or deployment architecture diagrams to confirm DLP agents and network appliances are deployed across email gateways, web proxies, endpoint workstations, and cloud access security brokers
  4. Select a representative sample of at least 10 DLP policy violation incidents from the past 90 days where Restricted data was detected in outbound traffic
  5. Verify each sampled incident shows appropriate enforcement actions (block, quarantine, encrypt, or alert) consistent with documented policy
  6. Conduct a simulated exfiltration test by attempting to send a test file containing synthetic data that matches the Restricted detection patterns (never production Restricted data) via email and web upload, with the SOC informed in advance, to confirm real-time blocking
  7. Review DLP tuning and false-positive management logs to assess accuracy and effectiveness of detection rules
  8. Interview DLP administrators to confirm policy review frequency, rule update procedures, and incident escalation workflows
Evidence required

Collect DLP policy configuration exports showing data classification rules, pattern definitions, and enforcement actions for Restricted data. Obtain incident logs or SIEM query results demonstrating detection and blocking events for the past 90 days, including quarantine notifications and user alerts. Capture screenshots of the DLP dashboard showing coverage statistics, agent deployment status, and policy effectiveness metrics. Retain test results from simulated exfiltration attempts and the corresponding block notifications.

Pass criteria

DLP policies explicitly target Restricted data with appropriate detection patterns, enforcement is active across all defined egress channels, sampled incidents demonstrate consistent blocking or alerting, and simulated exfiltration tests are successfully prevented or logged.
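Steps 4 and 5 of the testing procedure, with the 90-day window and the minimum sample of 10, scripted against an incident export, as an added example that is not part of this page or of any DLP product. The policy table, the record fields and the NDJSON sample are all constructed here; a real export would come from the DLP console or a SIEM query, and its schema will differ. A channel with no incidents in the window is reported separately rather than counted as a pass: silence is not evidence that enforcement is active, and the simulated exfiltration test in step 6 is what closes that gap.

```python
"""Check sampled DLP incidents against the documented enforcement policy (added example)."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Documented enforcement per egress channel for Restricted data (assumed policy).
POLICY = {
    "email_external": {"block"},
    "web_upload": {"block"},
    "removable_media": {"block", "encrypt"},
    "chat": {"block", "quarantine"},
}
MIN_SAMPLE = 10    # step 4: at least 10 incidents
WINDOW_DAYS = 90   # step 4: from the past 90 days

# Constructed NDJSON export; the field names are an assumption about the console's schema.
SAMPLE_EXPORT = """\
{"id":"DLP-1001","ts":"2024-06-28T09:12:00+00:00","channel":"email_external","classification":"Restricted","direction":"outbound","action":"block"}
{"id":"DLP-1002","ts":"2024-06-27T14:03:00+00:00","channel":"web_upload","classification":"Restricted","direction":"outbound","action":"block"}
{"id":"DLP-1003","ts":"2024-06-25T11:45:00+00:00","channel":"email_external","classification":"Restricted","direction":"outbound","action":"alert"}
{"id":"DLP-1004","ts":"2024-06-20T08:30:00+00:00","channel":"removable_media","classification":"Restricted","direction":"outbound","action":"encrypt"}
{"id":"DLP-1005","ts":"2024-06-18T16:20:00+00:00","channel":"web_upload","classification":"Restricted","direction":"outbound","action":"block"}
{"id":"DLP-1006","ts":"2024-06-15T10:05:00+00:00","channel":"email_external","classification":"Restricted","direction":"outbound","action":"block"}
{"id":"DLP-1007","ts":"2024-06-10T13:40:00+00:00","channel":"removable_media","classification":"Restricted","direction":"outbound","action":"block"}
{"id":"DLP-1008","ts":"2024-06-05T09:00:00+00:00","channel":"web_upload","classification":"Restricted","direction":"outbound","action":"block"}
{"id":"DLP-1009","ts":"2024-05-30T17:15:00+00:00","channel":"email_external","classification":"Restricted","direction":"outbound","action":"block"}
{"id":"DLP-1010","ts":"2024-05-22T12:00:00+00:00","channel":"email_external","classification":"Internal","direction":"outbound","action":"alert"}
{"id":"DLP-1011","ts":"2024-05-10T08:45:00+00:00","channel":"web_upload","classification":"Restricted","direction":"outbound","action":"block"}
{"id":"DLP-1012","ts":"2024-04-20T10:30:00+00:00","channel":"email_external","classification":"Restricted","direction":"outbound","action":"block"}
{"id":"DLP-1013","ts":"2024-03-15T10:30:00+00:00","channel":"email_external","classification":"Restricted","direction":"outbound","action":"block"}
"""


def load_incidents(ndjson: str) -> list:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def audit(incidents, now, policy=POLICY, min_sample=MIN_SAMPLE, window_days=WINDOW_DAYS) -> dict:
    """Steps 4 and 5: select in-scope incidents and compare each action with policy."""
    cutoff = now - timedelta(days=window_days)
    in_scope = [
        i for i in incidents
        if i["classification"] == "Restricted"
        and i["direction"] == "outbound"
        and datetime.fromisoformat(i["ts"]) >= cutoff
    ]
    # Any action the policy does not list for that channel is a finding
    # (an unknown channel has no allowed actions, so it is a finding too).
    mismatches = [
        (i["id"], i["channel"], i["action"])
        for i in in_scope
        if i["action"] not in policy.get(i["channel"], set())
    ]
    seen = Counter(i["channel"] for i in in_scope)
    # No incidents on a channel proves nothing either way; step 6 has to cover it.
    untested = sorted(ch for ch in policy if seen[ch] == 0)
    return {
        "sampled": len(in_scope),
        "enough_samples": len(in_scope) >= min_sample,
        "mismatches": mismatches,
        "needs_simulated_test": untested,
        "passed": len(in_scope) >= min_sample and not mismatches,
    }


def run_sample(now_iso: str = "2024-06-30T00:00:00+00:00") -> dict:
    """Run the audit over the constructed export with a fixed 'now' for repeatability."""
    return audit(load_incidents(SAMPLE_EXPORT), now=datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the constructed data the check fails on DLP-1003, where an external email carrying Restricted data was only alerted on, and it reports the chat channel as needing the step 6 test because no chat incidents appear in the window at all.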

Where this control is tested

Audit programs including this control