Overview

Security Categorization (RA-2) requirements for systems that store or process restricted or confidential data include 1) use of file encryption or whole-disk encryption software and 2) appropriate use of data loss prevention (DLP) software provided and managed by the Office of the CISO. Currently, the DLP solution provided by the Division of IT is Symantec Data Loss Prevention.

Using the Symantec DLP software appropriately requires recognizing that endpoints and servers operate with different usage profiles and characteristics. Certain types of active monitoring tools that may be appropriate in some scenarios (e.g., standard workstations with a compute load consisting primarily of business-class software) might be inappropriate in others (e.g., research workstations with heavy computational or I/O loads, or servers that must support multiple client connections with a high degree of reliability). To support these different scenarios, the Symantec DLP product can be configured to operate in two distinct modes.

Service Details

Active Scanning

For most endpoints, appropriate use of the Symantec DLP agent means running it in an active state, continuously monitoring data in motion.

Passive Scanning

For other scenarios in which active scanning would impose an unacceptable performance penalty on the device, appropriate use of the Symantec DLP software can mean running the agent in a passive state. Based on information resource capacity and risk management needs, information resource owners can request that the DLP agent scan the device on a periodic or as-needed basis.

Client-Server Model

In certain circumstances, servers that are used exclusively in a client-server mode, and which do not allow for interactive user sessions, may not need to have the Symantec DLP agent installed if the information resource owner can establish that an active DLP agent has been installed on all endpoints connecting to the server.