The Data Loss Prevention (DLP) Policy aims to protect sensitive information within Door Ventures from unauthorized access, use, disclosure, disruption, modification, or destruction. This policy supports our compliance with GDPR, SOC2 standards, and the goal of achieving ISO 27001 certification.
This policy applies to all employees, contractors, and third-party users who have access to Door Ventures’ information systems, data, and network infrastructure across our offices in the UK, US, and India.
- Lead Infosec Analyst: Responsible for implementing and managing the DLP program, monitoring data loss incidents, and handling incident responses.
- Chief Product and Technology Officer (CPTO): Oversees the Infosec programs, including the DLP strategy and incident response processes.
- Employees: Serve as the first line of defense by adhering to DLP policies and promptly reporting any suspicious activities.
- Lead Infosec Analyst + Operations Team: Monitors and investigates alerts generated by the DLP solution.
To ensure appropriate protection of information, Door Ventures will implement a data classification scheme based on the sensitivity and criticality of the data:
- Public: Information that can be freely shared with the public.
- Internal: Information intended for use within Door Ventures only.
- Confidential: Sensitive information that could harm Door Ventures or its clients if disclosed.
- Restricted: Highly sensitive information requiring the highest level of protection, including PII and client data such as fund manager names and dates of birth.
Door Ventures utilizes the Microsoft DLP (Data Loss Prevention) solution, which is designed to help organizations protect sensitive information across various Microsoft services and applications. The key aspects of Microsoft’s DLP solution leveraged by Door are:
- Unified Platform: Microsoft’s DLP solution is integrated into the Microsoft 365 ecosystem, covering applications such as Exchange Online, SharePoint Online, OneDrive for Business, Teams, and more.
- Policy Templates: Door leverages pre-defined policy templates offered by Microsoft for common regulatory requirements and data protection needs.
- Sensitive Information Types: Door leverages the built-in sensitive information types (SITs) included in Microsoft’s DLP solution, which help identify and protect common types of sensitive information such as credit card numbers, social security numbers, and confidential documents.
- Policy Enforcement: DLP policies are enabled to prevent unauthorized sharing or leakage of sensitive information.
- Detection Methods: Microsoft employs various detection methods to identify sensitive information, including content inspection, keyword matching, and regular expression (regex) pattern recognition. These methods help ensure comprehensive coverage across different types of data.
- User Education and Notifications: Door’s InfoSec Team is informed whenever an employee attempts to share sensitive information in violation of DLP policies. Notifications are delivered directly to the team’s inbox.
- Monitoring and Reporting: Microsoft provides monitoring capabilities and detailed reports to track incidents, policy violations, and trends over time. This helps organizations assess their DLP effectiveness and adjust as needed.
- Compliance and Auditing: The DLP solution supports compliance with SOC-2.
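To illustrate how the content inspection described above works in practice (a regex pattern combined with a checksum to cut false positives, followed by masking of confirmed hits), here is an added example written for this page; it is not Microsoft’s code and the function and constant names are hypothetical, as is the sample message.

```python
import re

# Policy classification: every built-in SIT hit below is treated as Restricted.
CLASSIFICATION = {"credit_card": "Restricted", "us_ssn": "Restricted"}

# 13-19 digits, optionally separated by spaces or hyphens (card-number shape).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape with the never-issued area/group/serial ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list:
    """Return (sit_name, matched_value, classification) for each confirmed hit."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # the regex alone would also flag order numbers
            findings.append(("credit_card", m.group(), CLASSIFICATION["credit_card"]))
    for m in SSN_RE.finditer(text):
        findings.append(("us_ssn", m.group(), CLASSIFICATION["us_ssn"]))
    return findings


def mask(value: str) -> str:
    """Data masking: keep the last four digits, replace every other digit."""
    total = sum(ch.isdigit() for ch in value)
    seen, out = 0, []
    for ch in value:
        seen += ch.isdigit()
        out.append(ch if not ch.isdigit() or seen > total - 4 else "*")
    return "".join(out)


def redact(text: str) -> str:
    """Replace every confirmed finding in text with its masked form."""
    for _, value, _ in scan(text):
        text = text.replace(value, mask(value))
    return text


# Constructed sample message (not real data): one Luhn-valid test card number,
# one SSN-shaped value, and an order reference that fits the card regex but fails Luhn.
SAMPLE = ("Card on file is 4111 1111 1111 1111 and the client's SSN is 123-45-6789. "
          "Quote order reference 1234 5678 9012 3456 in the reply.")
```

Running `scan(SAMPLE)` flags the card and the SSN as Restricted but not the order reference, and `redact(SAMPLE)` is the message with those two values masked.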
- Access Control: Implement role-based access controls to ensure that only authorized personnel have access to sensitive data.
- Encryption: Use encryption for data at rest and in transit to protect against unauthorized access.
- Data Masking: Apply data masking techniques where appropriate to protect sensitive information from exposure.
In the event of a data breach or potential data loss incident, the following steps will be taken:
- Identification: The Infosec team, alerted by the Microsoft Defender DLP solution, will assess the incident to determine its scope and impact.
- Containment: Immediate actions will be taken to contain the breach and prevent further data loss.
- Eradication: Identify and eliminate the root cause of the incident.
- Recovery: Restore and validate the integrity of the affected systems and data.
- Notification: Notify affected parties, including clients and regulatory authorities, as required by law.
- Documentation: Document the incident, response actions, and lessons learned for future reference and continuous improvement.
¶ 4.4 Training and Awareness
- Regular Training: Conduct mandatory training sessions for all employees on data security and DLP policies at least annually.
- Awareness Campaigns: Run ongoing awareness campaigns to reinforce the importance of data protection and compliance.
¶ 4.5 Data Transfer and Sharing
- Internal Data Transfers: Use secure methods such as encrypted emails and secure file transfer protocols for sharing sensitive data within the organization.
- External Data Transfers: Ensure that data shared with clients in the UK and US complies with GDPR and other relevant regulations. Utilize secure channels and agreements to protect shared data.
¶ 4.6 Monitoring and Auditing
- Continuous Monitoring: The Infosec team will continuously monitor data access and usage using the Microsoft Defender DLP solution.
- Regular Audits: Conduct regular audits of DLP practices and policies to ensure compliance and effectiveness. Address any identified gaps or weaknesses promptly.
- Feedback Mechanism: Establish a feedback mechanism for employees to report issues or suggest improvements related to data protection.
- Review and Update: Regularly review and update the DLP policy to reflect changes in regulations, technology, and business processes.
By adhering to this DLP Policy, Door Ventures aims to protect sensitive information, ensure regulatory compliance, and maintain the trust of our clients and stakeholders. Overall, Microsoft’s DLP solution aims to provide robust protection against data loss and unauthorized disclosure by integrating seamlessly with its productivity and collaboration tools while offering flexibility and customization to meet diverse organizational needs.
¶ 5. Review and Revision
This policy will be reviewed as deemed appropriate, but no less frequently than every 12 months.
Further information and advice on this policy can be obtained from the Infosec Team, policies@doorfunds.com.
Version | Date Created | Date Reviewed | Summary of Change | Owner’s Name
v1 | 12-Mar-2024 | 12-Mar-2024 | Initial Version | Archit Mahajan