NET-17: Data Loss Prevention (DLP)
Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.
Control Question: Does the organization use automated mechanisms to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed?
General (13)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC6.7-POF1 |
| CIS CSC 8.1 | 3.13 |
| CIS CSC 8.1 IG3 | 3.13 |
| CSA CCM 4 | UEM-11 |
| CSA IoT SCF 2 | DAT-02 |
| GovRAMP High | SC-07(10) SI-04(18) |
| MPA Content Security Program 5.1 | TS-1.8 |
| NIST 800-53 R4 | SC-7(10) |
| NIST 800-53 R5 (source) | SC-7(10) SI-4(18) |
| NIST 800-53 R5 (NOC) (source) | SC-7(10) SI-4(18) |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | NET-17 |
| SCF CORE ESP Level 2 Critical Infrastructure | NET-17 |
| SCF CORE ESP Level 3 Advanced Threats | NET-17 |
US (8)
| Framework | Mapping Values |
|---|---|
| US DoD Zero Trust Execution Roadmap | 4.3.4 4.4.1 4.6 4.6.1 4.6.2 4.6.3 4.6.4 4.7.4 4.7.6 4.7.7 |
| US DoD Zero Trust Reference Architecture 2.0 | 5.4 |
| US DHS CISA TIC 3.0 | 3.PEP.FI.DLPRE 3.PEP.EM.DLPRE 3.PEP.WE.DLPRE 3.PEP.UN.DLPRE 3.PEP.DA.DLPRE 3.PEP.SE.DLPRE |
| US DHS ZTCF | DPR-02 |
| US HIPAA HICP Medium Practice | 4.M.E |
| US HIPAA HICP Large Practice | 4.M.E 4.L.A |
| US IRS 1075 | SI-4(18) |
| US - CA CCPA 2025 | 7123(c)(8)(B) |
EMEA (2)
| Framework | Mapping Values |
|---|---|
| EMEA Saudi Arabia OTCC-1 2022 | 2-6-1-2 |
| EMEA UK DEFSTAN 05-138 | 2320 |
APAC (3)
| Framework | Mapping Values |
|---|---|
| APAC India SEBI CSCRF | PR.DS.S4 |
| APAC New Zealand HISF 2022 | HHSP63 HML69 HSUP55 |
| APAC New Zealand HISF Suppliers 2023 | HSUP55 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada CSAG | 4.1 4.2 |
| Americas Canada OSFI B-13 | 3.2.5 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed.
Level 2 — Planned & Tracked
Network Security (NET) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Network security management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for network security management.
- IT personnel define secure networking practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets, data and network(s).
- Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
- Administrative processes are used to configure boundary devices (e.g., firewalls, routers, etc.) to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).
- Network segmentation exists to implement separate network addresses (e.g., different subnets) to connect systems in different security domains (e.g., sensitive/regulated data environments).
- Technologies are configured to implement Data Loss Prevention (DLP) techniques to protect sensitive/regulated data as it is stored, transmitted and processed.
- DLP prevents unauthorized devices from connecting to endpoint devices to control the distribution of sensitive/regulated data.
Level 3 — Well Defined
Network Security (NET) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- A Technology Infrastructure team, or similar function, defines centrally-managed network security controls for implementation across the enterprise.
- Secure engineering principles are used to design and implement network security controls (e.g., industry-recognized secure practices) to enforce the concepts of least privilege and least functionality at the network level.
- IT/cybersecurity architects work with the Technology Infrastructure team to implement a “layered defense” network architecture that provides a defense-in-depth approach for redundancy and risk reduction for network-based security controls, including wired and wireless networking.
- Administrative processes and technologies configure boundary devices (e.g., firewalls, routers, etc.) to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).
- Technologies automate the Access Control Lists (ACLs) and similar rulesets review process to identify security issues and/ or misconfigurations.
- Network segmentation exists to implement separate network addresses (e.g., different subnets) to connect systems in different security domains (e.g., sensitive/regulated data environments).
Level 4 — Quantitatively Controlled
Network Security (NET) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
Network Security (NET) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
- Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.
Assessment Objectives
- NET-17_A01 points where communications traffic is to be analyzed are defined.
- NET-17_A02 outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information.
- NET-17_A03 outbound communications traffic is analyzed at interfaces internal to the system to detect covert exfiltration of information.
Technology Recommendations
Micro/Small
- Data Loss Prevention (DLP)
Small
- Data Loss Prevention (DLP)
Medium
- Data Loss Prevention (DLP)
Large
- Data Loss Prevention (DLP)
Enterprise
- Data Loss Prevention (DLP)