A leading Architecture and Engineering firm safeguards its sensitive data with effective DLP Strategies in Action
The organization needs better automation and control for data protection, is concerned about adopting DLP strategies, and aims to integrate DLP with Microsoft tools while ensuring compliance and minimal disruption.
Customer
Leading Architecture and Engineering Firm
Solutions ProvidedEnterprise Data Loss Prevention (DLP)
Share This Story
Case Study
Background
The company is an internationally ranked architecture and engineering firm and known for delivering unparalleled client value that advances the AEC industry. Over a 75-year history, the company has earned a reputation for providing quality project solutions to high-tech and general manufacturing clients in the semiconductor, automotive, battery, food, chemical, and glass industries. It also provides forward-thinking design across healthcare and general building sectors such as corporate workplace, education, and government / judicial - and with projects completed in 40 countries having more than 1500 people working together.
Challenges
The customer was faced with the following challenges
- The organization handles a variety of confidential and sensitive data across multiple systems and storage locations. While current practices involve some manual processes for data protection and classification, there is a clear need for improved automation and stricter control measures to address emerging risks and regulatory requirements.
- Apprehension about rollout and adoption challenges of DLP given the current security posture
- Integrate DLP with other MS Workloads (e.g. Teams, SharePoint, etc.) and other complementary MS security components (e.g., Purview Information Protection, Purview IRM, etc.)
- Concern over appropriate DLP implementation to meet the regulatory requirements as well as to satisfy existing business processes without disruption
Solution
Netwoven employed a phased approach to evolve and implement a tailored DLP solution for businesses that hinged on the following.
| Phase | Objective | Approach | Outcome |
|---|---|---|---|
| Workshop and Requirements Finalization | Understand data sensitivity and exfiltration risks | Conduct workshops with stakeholders to gather information on sensitive data, communication strategies, and regulatory requirements | The document outlining data flows and risk points for unauthorized sharing |
| Identifying and Documenting DLP Requirements | Create department-specific DLP requirements | Work with departments to identify and document data protection needs, compliance obligations, and exfiltration risks | Detailed requirements document for each department e.g., Legal, HR, Finance and IT |
| Configuring DLP Policies | Prevent unauthorized data sharing | Configure DLP policies based on identified risks, including sensitivity labels and encryption rules. Set up alerts for monitoring | Implemented DLP policies across platforms with real-time alerts for administrators |
| Pilot Testing and Refining Policies | Validate and refine DLP policies | Conduct a pilot test with selected users to assess policy performance and gather feedback. Adjust policies based on pilot results | Refined DLP policies ready for organization-wide deployment |
| Final Implementation | Organization-wide rollout of final DLP policies with minimal disruption | Rollout phase was meticulously managed to ensure smooth integration with existing systems. Addressed technical issues to ensure minimal disruption | All DLP policies configured and monitored |
| Hyper-Care | Resolve any post-implementation issues with minimal disruption | Dedicated support team to resolve integration issues and maintain continuous monitoring | Successful policy enforcement and continuous monitoring |
| Adoption and Change Management | Adoption and smooth user experience | Interactive workshops, hands-on practice sessions, guidance on integrating DLP measures, open forum for questions, reference guides, online tutorials, support channel | Users onboarded successfully |
Use Cases
| Sr. Number | Use Cases | Example | Components Involved |
|---|---|---|---|
| 1. | DLP policy to monitor & protect PII information | Employee records, customer databases, forms containing social security numbers, addresses, phone numbers | Exchange, SharePoint, OneDrive, Teams |
| 2. | DLP policy to monitor & protect HIPAA information | Patient medical records, health insurance claims, medical billing information, lab results | Exchange, SharePoint, OneDrive, Teams |
| 3. | DLP policy to monitor & protect US Financial data, financial statements, General ledger, Accounts | Financial statements, general ledger entries, balance sheets, income statements, account transaction records | Exchange, SharePoint, OneDrive, Teams |
| 4. | DLP policy to detect & block data leakage based on IRM policy | Confidential business reports, proprietary research documents, sensitive emails with restricted access | Exchange |
| 5. | DLP policy to detect & monitor/block sharing of sensitive file externally | Confidential contracts, strategic plans, intellectual property documents, sensitive project files | Exchange, SharePoint, OneDrive, Teams |
| 6. | DLP policy to monitor & protect U.S Bank account details & Credit card number details | Bank account statements, credit card transaction records, payment processing documents | Exchange, SharePoint, OneDrive, Teams |
| 7. | DLP policy to monitor California and Texas state laws | Legal compliance documents, state-specific regulatory filings, contracts subject to state laws | Exchange, SharePoint, OneDrive, Teams |
| 8. | DLP policy to restrict external sharing of document if “Internal Use Only” label applied | Internal memos, internal reports, documents labeled "Internal Use Only" | Exchange, SharePoint, OneDrive, Teams |
| 9. | DLP policy to monitor & protect US Financial information | Sensitive files stored on local drives, confidential documents, proprietary software files | Exchange, SharePoint, OneDrive, Teams |
| 10. | DLP policy to restrict/block sharing of content to external hard drive or any other media | Financial reports, investment portfolios, tax documents, audit reports | Devices |
| 11. | Restrict uploading personal information to external portals or websites | Personal identification documents, personal contact information, personal financial records | Devices |
Benefits
Through MS Purview DLP implementation, the company achieved the following
- Secured Business Operation: Established controls to monitor and prevent unauthorized data sharing across key communication channels including email, cloud services, and devices.
- Achieved Regulatory Compliance: Organization can now adhere to industry regulations such as GDPR, HIPAA, and PCI-DSS, enhancing the security of personally identifiable information (PII), financial data, and other classified information.
- Comprehensive Security: The DLP project was part of a full-scale deployment of a data security strategy using Microsoft Purview for Information Protection, Data Loss Prevention, Insider Risk Management, and eDiscovery. Together, the company felt confident with its Data Governance, Security and Compliance posture.
