I get criticised occasionally for long and detailed posts that some readers complain treat them like beginners, but sadly if I don't I get comments such as this in reply
Data Loss is something you prevent; you enforce controls to prevent data
leakage, DLP can be a programme, but , I find very difficult to support
with a policy.
Does one have visions of chasing escaping data over the net with a three-ring binder labelled "Policy"?
Let me try again.
Policy comes first.
Without policy giving direction, purpose and justification, supplying the basis for measurement, quality and applicability (never mind issues such as configuration) then you are working on an ad-hoc basis.
Remember: CMM plays an important part in ISO 27000
The DLP device you end up with on the ad-hoc basis is just whatever the networking people think they want; it may or may not fulfil business objectives from the POV of other stakeholders.
Oh, and did I mention priority? Priority leads to how you allocate resources such as budget. The business may place a different importance on matters than the network technicians or even the IT managers. But if there is policy that says something should be done then the IT managers can go to the executives and say "Your policy says we have to do this, please give us the means to fulfil your policy".
There is more in this ilk, but trying to justify actions and expenditure for which there is no policy is going to be fraught with complications that a policy could just cut through. You are trying to put the horse
before the cart.
Policy serves many other objectives in a variety of settings, such as coordination, of activities, avoiding redundant activity ("reinventing the wheel"), guide product selection, avoid liability for negligence,
make issues visible as part of an awareness program and more.
And if you have an ISO9000 or other then you are using policy to, as I said, establish metrics for measurement and improvement as part of the quality control process.
Please note that I'm not saying that things - and DLP is just one of them - shouldn't be done, but on a means of ensuring that they ARE done and done is a consistent and managed manner rather than as the ad-hoc whim of technical people in the networking group.
"Oh we need a DLP" could very well be "We've just come back from a vendor's presentation about this whiz-bang product and its really exciting and we should get one..." for whatever it is. The technoloy-de-jour principle of IT management.
And as a number of people have had attributed to them:
"If you think that technology can solve your problems
then you don't understand technology and you don't
understand your problems"
- How to write ISO 27001 Assessment/Audit Reports (zecuboy.wordpress.com)
- Information Security Risk Management and ISO 27001 - An interview with Information Security Professional Tony Drewitt (vigilantsoftware.co.uk)