Development of terms of reference for the implementation of a DLP system
Protecting information with a high degree of confidentiality requires serious protection measures. Implementing a DLP system reduces the risk of leaks. Most modern products are not "out of the box" solutions: their functionality has to be tailored to the needs of a particular company. Both this tailoring and the implementation itself require a detailed technical specification.
Prerequisites for the implementation of a DLP system
In most cases, a company decides to implement a DLP system after its first significant information security incident, one that caused significant damage to the company's interests. Having weighed costs against risks, management decides to establish a higher level of protection in order to secure the information processed in its business processes from leaks.
Having chosen the necessary product, the company sometimes finds that it needs to customize the product's functionality to its own needs. At a minimum, the dictionary of the text analyzer has to be filled with vocabulary and digital fingerprints of data that will help track the leakage of information that is confidential for this particular company. More often, however, the task turns out to be more complicated, and the stage of adjusting the software to the client's needs and implementing it takes several months. A detailed technical specification makes it possible to track all stages of the work and evaluate the result.
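To make the "dictionary plus digital fingerprints" requirement concrete, here is an added example of the two detection mechanisms a text analyzer is typically populated with: a weighted term dictionary and hashed word-shingle fingerprints of a protected document. This is illustration code written for this article, not code from any DLP product; the confidential document, the outgoing messages, the dictionary terms, the shingle size and both thresholds are constructed assumptions.

```python
"""Minimal DLP content analyzer: keyword dictionary + document fingerprints.

Added example, not from the original article. All documents, messages,
terms and thresholds below are constructed sample values (assumptions).
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

TOKEN_RE = re.compile(r"[a-z0-9]+")
SHINGLE_SIZE = 5               # words per fingerprint shingle (assumption)
FINGERPRINT_THRESHOLD = 0.30   # share of a document's shingles that must reappear (assumption)
DICTIONARY_THRESHOLD = 3       # cumulative term weight that triggers a block (assumption)


def tokenize(text: str) -> list[str]:
    """Lower-case word tokens; punctuation and case differences do not defeat matching."""
    return TOKEN_RE.findall(text.lower())


def shingles(text: str, k: int = SHINGLE_SIZE) -> set[str]:
    """Hash every run of k consecutive words. Only the hashes are kept, so the
    analyzer itself never stores the protected text it is guarding."""
    words = tokenize(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


@dataclass
class Analyzer:
    dictionary: dict[str, int] = field(default_factory=dict)        # term -> weight
    fingerprints: dict[str, set[str]] = field(default_factory=dict) # doc name -> shingle hashes

    def add_term(self, term: str, weight: int = 1) -> None:
        self.dictionary[term.lower()] = weight

    def register_document(self, name: str, text: str) -> None:
        self.fingerprints[name] = shingles(text)

    def dictionary_hits(self, text: str) -> dict[str, int]:
        """Whole-word/phrase matches against the term dictionary."""
        lowered = text.lower()
        return {
            term: weight for term, weight in self.dictionary.items()
            if re.search(r"\b" + re.escape(term) + r"\b", lowered)
        }

    def fingerprint_matches(self, text: str) -> dict[str, float]:
        """For each registered document, the fraction of its shingles found in the text.
        A partial copy (a pasted paragraph) still scores, which exact hashing would miss."""
        probe = shingles(text)
        result = {}
        for name, fp in self.fingerprints.items():
            if fp:
                overlap = len(probe & fp) / len(fp)
                if overlap > 0:
                    result[name] = round(overlap, 3)
        return result

    def scan(self, text: str) -> dict:
        hits = self.dictionary_hits(text)
        matches = self.fingerprint_matches(text)
        score = sum(hits.values())
        block = score >= DICTIONARY_THRESHOLD or any(
            v >= FINGERPRINT_THRESHOLD for v in matches.values()
        )
        return {"verdict": "block" if block else "allow", "score": score,
                "dictionary_hits": hits, "fingerprint_matches": matches}


# Constructed sample data (not real documents or messages).
CONFIDENTIAL_DOC = (
    "Project Aurora pricing model. The unit cost for the 2025 contract is "
    "set at 1450 per license with a volume discount of twelve percent above "
    "five hundred seats. Margins are not to be shared outside finance."
)
OUTGOING_LEAK = (
    "FYI, pasting the relevant bit: the unit cost for the 2025 contract is set "
    "at 1450 per license with a volume discount of twelve percent above five "
    "hundred seats."
)
OUTGOING_DICT = "Attaching the Project Aurora pricing model summary for the partner call."
OUTGOING_BENIGN = "Lunch at noon? The aurora last night was beautiful, by the way."


def build_demo_analyzer() -> Analyzer:
    """Populate the analyzer the way the article describes: terms plus fingerprints."""
    a = Analyzer()
    a.add_term("project aurora", 2)
    a.add_term("pricing model", 2)
    a.add_term("confidential", 1)
    a.register_document("aurora_pricing.docx", CONFIDENTIAL_DOC)
    return a


if __name__ == "__main__":
    analyzer = build_demo_analyzer()
    for msg in (OUTGOING_LEAK, OUTGOING_DICT, OUTGOING_BENIGN):
        print(analyzer.scan(msg))
```

The pasted paragraph in `OUTGOING_LEAK` contains no dictionary term at all, yet 20 of the document's 32 shingles reappear, so the fingerprint path blocks it; `OUTGOING_DICT` copies nothing but names the project and the artefact, so the dictionary path blocks it; the benign message passes both. This is why a specification that lists only keywords, or only fingerprints, leaves one of the two leak patterns uncovered.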
Engaging a security expert will help determine which version of the DLP system will solve the problem of controlling information leakage channels. For a small company, the solution may be to implement one or several modules of a ready-made DLP solution. Before inviting a developer, the company needs to decide which information security tasks the software should solve.
Full implementation, including a survey of business processes and preparation of the lexical apparatus, takes at least three months; under force majeure conditions, a ready-made product may turn out to be more effective.
Questions to be answered by the terms of reference
The terms of reference for the development and implementation of software have a standardized structure that differs slightly depending on the type of software. The format of the technical specification can be found in GOST and ISO/IEC/IEEE standards. According to these regulatory documents, the TK structure that most often suits a state customer (GOST 34) is as follows:
1. General information.
2. Purpose and goals of DLP-system implementation.
3. Characteristics of the customer's information system.
4. Technical requirements for the implemented program, its desired functionality (here it is necessary to take into account the provisions of the security policies).
5. Composition, content and timing of work.
6. The procedure for monitoring the implementation and acceptance of works.
7. Requirements for documentation (sometimes, when introducing a foreign system, the documentation has to be translated).
International standards (IEEE) offer a slightly different but generally similar TK structure:
1. Introduction (software application, terms used, links to sites with further information, concise description of the product).
2. General description (functionality, security policies, protected channels, interaction with other software, user characteristics, restrictions and assumptions).
3. Detailed requirements for functionality, interface, performance, interaction with users.
4. Appendices, policies and rules.
The assignment should state what the IT department and the company's security service expect from the implementation of an automated system for protecting against and preventing information leaks.
An integral part of the terms of reference is the security policy. It is developed on the basis of documents that already exist in the company, namely:
- the list of information classified as confidential;
- a description of the business processes in which classified information is handled;
- the list of persons authorized to process it and the differentiation of their access rights.
These documents are the basis for developing the technical specification. If they do not exist, time will have to be spent classifying information and personnel and preparing internal regulations.
In addition to security policies, the technical specification for implementing a DLP system must take into account and reflect the risks that arise at the stages of testing, refinement and installation:
- delay in the implementation process. The risk is mitigated by setting clear deadlines, stage-by-stage acceptance of the system with payment based on the results of each stage, and defined liability for delays in the work;
- budget overrun. Poor quality of the initial survey can lead to the discovery of new tasks and, as a result, an increase in the cost of the work. For companies with strict budgetary discipline, or where the contract is awarded by tender, this risk can become critical; therefore the terms of reference for implementing a DLP system should be made as detailed as possible at the preparation stage;
- insufficient qualifications of the contractor. If a little-known company is engaged to implement a licensed product, this risk can be significant; therefore, when a complex problem is to be solved, it is necessary to work with the product's developers. Of course, this applies only to domestic products: when foreign software products are introduced, modifying them independently is practically impossible under the terms of the license;
- insufficient control over the contractor's actions. If the customer has no professionals on staff who are able to oversee the execution and accept the results of each stage of work, outside experts will have to be involved;
- internal systemic problems, resistance from business units or individual employees. This risk must be anticipated even before the technical specification is prepared, since it can significantly complicate the contractor's work on implementing the DLP system. The way out is to have the decision to implement the system adopted at the level of the Board of Directors, within the company's overall security concept, and to motivate personnel based on the timely and successful completion of the work;
- conflict with existing infrastructure and software. Even before purchasing a product, a solution must be found that is compatible with all the software in use in the company. If the audit reveals a likelihood of conflict, it is worth considering deploying the DLP system in a virtual environment.
TK development stages
Traditionally, preparing the technical assignment is entrusted to the developer, who has greater competence than the customer's representatives. The finished document is agreed upon by the parties and becomes an integral part of the contract for the development and implementation of the DLP system. If the company employs specialists with relevant experience, they can prepare a draft TOR based on an agreed confidentiality policy. If not, the best solution is to invite an expert who will take part both in developing the documentation and in accepting the technical specification.
Development of technical specifications for the implementation of a DLP system goes through the following stages:
- harmonization of security policies;
- coordination of technical parameters;
- development of technical specifications;
- coordination of time and financial parameters;
- approval and signing of TK.
The specification governs all subsequent actions of the developer in the process of implementing the DLP system. It should be designed so that no changes are made to it after work begins. Changes may be initiated by the customer of the DLP system or by the contractor, who in the course of the work discovers that the parameters of the technical assignment are impracticable or can be met at lower financial or time cost. The agreement must be drawn up so as to exclude changes to the technical specification and interruptions in the implementation of the DLP system caused by additional approval stages. All interested departments should be involved in preparing the TOR in order to avoid conflicts or misunderstandings at the implementation stage.
Preparing the terms of reference may take several weeks, but this time is not lost. If all factors are properly considered, it will help avoid delays or unpredictable growth of the project budget during execution.