Despite increased emphasis on technical controls intended to prevent data breaches of Personally Identifiable Information (PII), Patient Health Information (PHI), Card Holder Data (CHD), and Intellectual Property (IP) - it continues to be a problem. Generally, the emphasis in controlling these types of attacks has been to prevent malicious access into the environment, however, this provides little benefit to a malicious insider or a malicious outsider should they bypass external security mechanisms.
Increasingly we are working with our clients to develop the control mechanisms (operational/technical) necessary to address this issue and reduce the probability of a business impacting data breach.
A DLP Gap Assessment includes a combination of a controls gap assessment relating to those controls (e.g., Data Classification, Data Encryption, User Account Management, Segregation of Duty), that are critical to maintaining the confidentiality and integrity of sensitive data, and Extrusion Testing where the focus is on determining whether sensitive data can be acquired on the "wire" and transited outside the organization via different modalities and in various forms. Extrusion Testing generally involves some combination of network sniffing, man-in-the-middle attacks, SSL Attacks, and data tunneling.
Where organizations have employed some form of Data Leak Prevention the Gap Assessment may be extended to validate the efficacy to ensure there are no gaps in coverage, procedure, or monitoring.