Improving Data Loss Prevention Using Classification

The financial institutions provide the resources to protect their sensitive data and information by trying to prevent unauthorized leakage. They approve policies and realize technical restrictions to block the loss and revelation of sensitive data and information by external attackers as well as careless insiders. One example of Data Loss Prevention (DLP) restrictions consists of endpoint protection solutions to block data transmissions to USB storage devices. Nevertheless, financial institutions approve exceptions to these policies, based on the business need for the specific user, in order to be able to fulfill their job-related tasks. But from these exceptions derive the following questions: How an approval for an exception can create impact over the risk of data leakage for the financial institution? What is the particular risk for according an individual user a confident exception? This paper introduces a new concept to risk depending on exception management, which will provide the financial institution to assign exceptions derived from on basic DLP. Initially, the paper presents an approach for evaluating and classification users based on their access to sensitive data and information, and afterward, a standard of rights is decided for assigning exceptions to derive from the classification of users, which allows specific approvers to prepare knowledgeable decisions concerning exception requests.