Summary
Connor Group systems and services are securely architected to protect data within the environment. The export and sharing of sensitive data has proven to be a persistent and quantified risk requiring additional controls to prevent the inadvertent leak of sensitive data from managed endpoints and email systems.
This article describes Connor Group's Data Loss Prevention (DLP) policy on restricting the spread of sensitive data and the process for approving sensitive data transmission to external parties. DLP controls include, but are not limited to, endpoint and email analysis and protection, and are a subset of the controls that constitute Connor Group's Data Classification and Data Management initiatives.
Scope
- Managed Endpoints and Systems
  - These are computer systems or applications fully managed by Connor Group and accessed by FTE or IC identities on a company-owned or remote network.
- Managed Networks
  - These are networks fully managed by Connor Group, whether physical or virtual.
- Managed Cloud Storage
  - This includes storage as a service such as Microsoft OneDrive, SharePoint, or Google Drive, as well as other managed services where storage is a supplemental service, such as NetSuite or Salesforce.
- Email
  - Email services operated by Connor Group or other email providers for which Connor Group owns or manages the namespace.
Details
Email Monitoring
DLP inspection of company email traffic is performed both in the client-side application and in message transport during back-end processing. DLP rules targeting patterns or strings of sensitive data are configured to automatically deny transmission of messages to external recipients.
Sensitive Data Transmission Approval
Email to external recipients containing sensitive or confidential information without prior documented approval violates this policy. Corporate email or other electronic communication to an external recipient containing sensitive data requires documented authorization from Connor Group's President or their assigned delegate. Violations of this policy are subject to disciplinary action, up to and including termination of employment or legal action. 'Sensitive data' is defined in the data classification standard.
Endpoint and User Activity Monitoring
All company-owned devices shall be secured using modern business or enterprise-class solutions, including DLP controls. Endpoint DLP protection will include client-side protections against data egress, both physically and electronically. Users of company equipment should expect behavioral analytics as well as inspection and analysis of data stored or processed on the device. In addition to DLP controls, the user is expected to maintain protection of sensitive data. At no time shall sensitive data be transmitted or stored to unprotected / unencrypted systems without explicit approval from Information Security.
Network Monitoring
Aside from the transmission of data that would be classified as general common data under the Data Classification Standard, all data transmission not isolated to secure internal networks is subject to inspection and additional DLP or other information security controls.
Responsibility
- IT Engineering - establishment of infrastructure and controls
- IT Support - monitoring by observation through daily interactions
Administration
| Effective from | April 10, 2023 |
| Policy owner | Connor Group Information Security |
| Policy administrator | Connor Group Information Security |
| Application | All policies and schedules of Connor Group |
| Version, File reference | 1.0, 1 |
| Published externally | No |
| Approved by | Matt Larsen, IT Director |