Background
----------

ISO/IEC 27002:2022 clause 8.12 indicates that "Data leakage prevention measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information [in order] to detect and prevent the unauthorized disclosure and extraction of information by individuals or systems."

Policy statements
-----------------

1. Identify and classify sensitive proprietary and personal information.
2. Identify and monitor channels or mechanisms through which sensitive information may leak, such as email, file transfers, mobile and portable ICT devices and printed paperwork.
3. Take steps to prevent the leakage of sensitive information e.g. encryption, quarantining emails, requiring approval for data exports, random searches, tokenisation.
4. If appropriate, employ data leakage prevention tools to identify, monitor and log/alarm/block the unauthorised disclosure of sensitive information.

Notes
-----

This is a “skeleton” policy providing just the bare bones, the basic foundations on which to construct a custom policy for your organisation. Jump-start the process by visiting www.SecAware.com for a more comprehensive customisable policy template in MS Word.