Data Loss Prevention Audit Checklist

admin | December 19th, 2017 | Audit, Data Loss Prevention

The Data Loss Prevention audit checklist for the internal quality audit comprises of a particular set of questions. These questions are derived from the standard requirements of quality management system and also the rules required by the firm. Business users map the requirements against all those challenges that are procuring the technical solutions. For a help, a Prospective vendor Checklist is developed, which comprises of requirements to be organized in following 3 major categories:

  • Host or network protection from data leakage and file encryption
  • Management and the support
  • Organization profile and costing

The entire blog acts as a checklist for prospective vendors. This could be utilized in a combination with an interactive data protection requirements worksheets for calculating the rates and then, vendor comparison.

Prospective Vendor Data Loss Prevention Audit Checklist

These points are to be checked after successfully completing with implementation of DLP in the account.

Data Loss Prevention Audit Checklist

Data Leakage Protection

This testing is performed when is data at rest, data in use, and data in motion.

Data Leakage Protection

1. Discovery, Searching, and Retention

  • Discovery: Capable of discovering the unknown or unmarked data
  • Retention: Registration of repository files by providing them inventory
  • Search: There are two parameters upon which users can search data i.e., specified time duration and indexed content based. This content-based is dependent upon expressions, keyword, content patterns, type of the document file, etc.

2. Monitoring, Alerting, and Enforcement

  • Monitoring: Discovering, identifying, correlating, analyzing, and logging every activity performed with the sensitive data. This includes file hosting, items processed within the application on host, program being getting accessed, over input/output channels, and capability of differentiating unclassified or untagged data and then, adding them to existing DLP policies.
  • Alerting: Just after the time when violation is detected, define and then, implement the actions to be performed. One can monitor the tagged data for the violation purpose from the management console. They can also provide alert to end users or administrators as a preventive measure. At the last, capable of applying the alert rules to the previously unclassified or untagged data.
  • Enforcement: Mention and apply actions to be taken to enforce at the time of violation. DLP encounter new incidents, which are defined by the end user, location, context, and application. When a sensitive file is discovered, the DLP should encrypt, quarantine, and delete it.

3. Forensic / Investigation: This captures the data from an event with a set of appropriate metadata (date/time, protocol, user). These get stored and indexed for searching purpose ‘after the fact’. It must be having storage capability at high-scale to preserve metadata with raw items for investigation as well as regulation purpose. After checking all this, verify that partnerships with third-party service providers are also established.

4. External Device Control: Through the help of endpoint agents, describe and implement usage controls over the external device components. One can assign either the ‘allow’ or ‘disallow’ permission to others. Check that the encrypted data is getting copied on the devices. Users can block the copying of protected data on the device. Dependent upon the data type of the copied items, users are having authority to disable external components.

5. DLP Rules Support: Check the following parameters in support section of DLP rules:

  • Business / Regulation Support
  • Rules Creation, Extension, and Management



1. General: This persistent the data encryption when data is in use or is at rest. This involves emails with attachments, files or folder, complete disk encryption, On client machine pagefile, offline files, and mobile devices.

2. Algorithms, Keys, and Certificates

  • The DLP supports FIPS 140-1 / 140-2 algorithms (RC5 / AES)
  • It gives support to strong key length i.e., 256-bit and more
  • Provides a common level of certifications, including all the standards for protection purpose

3. Key Management and Recovery

  • A centralized management for encryption keys and policies
  • Not administrative key for unlocking all files that are having responsibilities as per specified rules. The files can be decrypted only by their original keys
  • Even is the machine is in offline mode then also there should be secure recovery for forgotten tokens
  • Encrypt all the communications for transferring of key information
  • In case of damage occurrence, data retrieval from important users data

4. Encryption Management

  • The centralized management for policies of encryption with the keys and recovery techniques
  • Procedure for flexibly developing and updating the policies
  • Set the rules, which are based on the type of documents and files
  • Depending on the user and group, create a set of rules
  • Management support for folders, files, and full disk encryption
  • Support for several types of two-factor authentication along with their certification

Management and Support

Management and Support

1. Implementation, Deployment, and Management

  • Support centralized administration, deployment, DLP management, and reporting
  • Control all the products related to security from one administrative console
  • Renders easy and interactive installation steps, and
  • Provides documentation, which is easy to follow

2. Administrative Access

  • Require an individual account for each admin
  • Working flow chart, which provides support to owners in business hierarchy
  • Management and proper configuration of several administrative roles
  • Diving duties or responsibilities depending on the administrator

3. General Policy and Rule Management

  • Renders centralized management across the data protection and policies of encryption
  • Easy-to-use working interface to customize rules as well as policies
  • Enabling reuse of the already existing rules for constructing new templates
  • Permit with a feature of disabling machine ports and provides support for granular program and control over the device

4. Incident Workflow

  • Investigates the incident, which involves data at rest, in use, and data in motion from the console of centralized management
  • Enables definition and establishment of particular workflow
  • Divides the cases into basis of user-defined categories
  • Renders access controls and security around the incidents

5. Reporting, Auditing, and Compliance

  • Supervise the alerts of HDLP, NDLP, and encryption just from one console
  • Launch single components from a single console screen of central management
  • Capable of meeting all regulatory requirements, which are applied
  • Flexibility in identifying all the log events

Company Profile and Pricing

Company Profile and Pricing

1. Company Profile

  • Compatible base for customers
  • Comprehensive technology partnerships
  • Standing for sound financially
  • Track the record of adapting the market requirements

2. Maintenance and Support

  • Profession services breadth
  • Policy to upgrade the software
  • Accessible base of knowledge
  • Web-enabled access for upgrading and patching

3. Pricing

  • Pricing model (per group, user, device)
  • Add a value (integration, manageability, etc.)


The blog gives an outline of Data Loss Prevention audit checklist. Users can read this after successfully implementing DLP feature in their account.