Data Loss Prevention — multi-channel egress protection

Primary statement

DLP operates across four egress channels: (1) endpoint DLP for sensitive data in use on workstations and servers (removable media, clipboard, print, upload); (2) email DLP for outbound mail; (3) network DLP for all other egress traffic; (4) cloud DLP for data held in SaaS applications (SEBI PR.17). Email security additionally requires SPF/DKIM/DMARC enforcement, attachment and URL sandboxing, and anti-phishing controls (SEBI PR.18 + RBI PR.12). Web content filtering and proxy controls govern outbound internet access (RBI PR.22). DLP rules are calibrated against the data classification scheme and tuned to minimise false positives.

Audit-fatigue payoff

A unified DLP architecture — four-channel deployment matrix + rule inventory + email DMARC posture + web filtering + cloud SaaS coverage — satisfies DLP requirements across all 9 contributing frameworks. The four-channel SEBI PR.17 specification is the audit-defensible ceiling.

Strictness matrix

Scope
Scope: ALL four egress channels — endpoint, email, network, cloud SaaS. Coverage of sensitive data per classification. No exfiltration channel left open. Ceiling source: sebi_cscrf:CSCRF.PR.17 Rationale: SEBI CSCRF PR.17 four-channel scope is the most comprehensive.
Threshold
Email threshold: DMARC p=reject for primary domains, with SPF and DKIM both passing and aligned to the From: header domain, inbound sandboxing, and DLP on outbound mail. The p=reject DMARC policy is the binary email threshold; a record that publishes p=reject but pct below 100 or a weaker sp= subdomain policy does not meet it, because the policy is then not applied to the whole mail stream. Ceiling source: rbi_csf:RBI.PR.12 Rationale: RBI CSF PR.12 p=reject DMARC is the strictest email DLP threshold.
Method
Method: (1) endpoint DLP — agent on workstations and servers; (2) email DLP — outbound content inspection with classification matching; (3) network DLP — egress inspection with TLS interception where lawful; (4) cloud DLP — API integration with SaaS for content inspection; (5) email security with SPF/DKIM/DMARC enforcement (SEBI PR.18 + RBI PR.12); (6) web content filtering with URL categorisation + sandbox-on-fetch (RBI PR.22); (7) rule tuning to minimise false positives; (8) integration with classification programme. Ceiling source: sebi_cscrf:CSCRF.PR.17 Rationale: SEBI CSCRF PR.17 four-channel method combined with RBI PR.12 email + RBI PR.22 web is the most prescriptive architecture.
Frequency
DLP enforcement: continuous (real-time blocking/alerting). Rule tuning: continuous + quarterly deep-review of efficacy. Coverage gap review: quarterly. Email DMARC posture monitoring: continuous. Ceiling source: sebi_cscrf:CSCRF.PR.17 Rationale: Continuous enforcement with quarterly rule review is the audit-defensible cadence.
Evidence
Required evidence: (1) DLP deployment matrix across four channels; (2) DLP rule inventory + classification linkage; (3) sample DLP incidents + response; (4) email DMARC posture (online check or DMARC analyser report); (5) web filtering configuration + sample blocked categories; (6) cloud DLP API integration evidence; (7) rule efficacy review records (quarterly). Ceiling source: sebi_cscrf:CSCRF.PR.17 Rationale: SEBI CSCRF PR.17 evidence with the deployment matrix is comprehensive.
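The classification linkage and false-positive tuning called for in the method (items 7 and 8) and the evidence list (item 2) come down to one mechanism: a rule keyed to a classification label, with a content validator behind the pattern so that a generic regex hit alone does not block. The block below is an added illustration for this page, not code from SEBI, RBI or any DLP product. The rule id, the classification labels, and the sample messages are constructed for the example; the card-number rule uses a Luhn check as the validator.

```python
"""Added example: a minimal outbound-content DLP rule that is (a) linked to a
classification label and (b) validated so that a bare 16-digit match does not
block on its own. Not code from the page's source frameworks or any vendor;
rule ids, labels and messages are constructed for illustration."""
import re

# Candidate card-number pattern: 16 digits, optionally space/hyphen separated.
# On its own this is the 'generic, not classification-linked' rule the
# findings section warns about: it fires on order numbers and tracking ids too.
PAN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

# Classification labels (assumed names) whose presence alone blocks egress.
BLOCK_LABELS = {"Confidential", "Restricted"}


def luhn_ok(digits):
    """Luhn check-digit validation; True for a well-formed card number."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def evaluate(message):
    """Decide block/allow for one outbound message.

    message: {"label": <classification label or None>, "body": <str>}.
    Returns the action, the reason, and both the raw regex hit count and the
    validated hit count, so the false-positive reduction is visible."""
    label = message.get("label")
    if label in BLOCK_LABELS:
        # Classification linkage: the label is authoritative, no content scan.
        return {"action": "block", "reason": "label:" + label,
                "generic_hits": 0, "validated_hits": 0}
    candidates = [re.sub(r"[ -]", "", m.group(0))
                  for m in PAN_RE.finditer(message.get("body", ""))]
    valid = [c for c in candidates if luhn_ok(c)]
    if valid:
        return {"action": "block", "reason": "rule:DLP-CARD-01",
                "generic_hits": len(candidates), "validated_hits": len(valid)}
    return {"action": "allow", "reason": "no validated match",
            "generic_hits": len(candidates), "validated_hits": 0}


# Constructed sample messages (not real traffic).
SAMPLES = [
    {"label": None, "body": "Order ref 1234 5678 9012 3456 shipped today"},  # fails Luhn
    {"label": None, "body": "Card on file: 4111 1111 1111 1111, exp 12/27"},  # passes Luhn
    {"label": "Confidential", "body": "Q3 board pack attached"},  # label-driven block
    {"label": "Public", "body": "Press release draft"},
]


def summarise(samples=SAMPLES):
    """Count blocks, and generic vs validated hits, across the samples."""
    results = [evaluate(m) for m in samples]
    return {"blocked": sum(r["action"] == "block" for r in results),
            "generic_hits": sum(r["generic_hits"] for r in results),
            "validated_hits": sum(r["validated_hits"] for r in results)}


if __name__ == "__main__":
    for m in SAMPLES:
        print(evaluate(m))
    print(summarise())
```

The first sample is the shape of false positive that gets a generic rule disabled: the regex fires, the validator does not, and the message is allowed. The third sample is blocked without any content scan at all, which is what "classification linkage" means in the evidence list: the label, not a pattern, is the primary trigger.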

Auditor test pattern

Step 1: Inspect DLP deployment matrix; verify all four channels covered (endpoint, email, network, cloud). Step 2: Sample 3 DLP rules; trace each to its classification linkage. Step 3: Sample 3 recent DLP incidents and the response to each. Step 4: Verify email DMARC posture from the published DNS record, not from a vendor dashboard alone; confirm p=reject for primary domains, pct=100 (or absent, which defaults to 100), and a subdomain policy no weaker than the organisational policy. Step 5: Inspect web filtering; verify URL categorisation and sandbox-on-fetch (RBI PR.22). Step 6: Inspect cloud DLP; verify API integration with the primary SaaS applications.
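Step 4 above, and the email threshold in the strictness matrix, reduce to reading tags out of the `_dmarc.<domain>` TXT record. The evaluator below is an added example for this page, not code from SEBI, RBI or any DMARC analyser. It runs offline against constructed sample records for hypothetical `.test` domains; a live check would resolve the TXT record (for example with dnspython or `dig TXT _dmarc.<domain>`) and feed the string to the same function. It applies the defaults from RFC 7489 (pct defaults to 100, sp inherits p, alignment defaults to relaxed) so that a terse record is judged by what it actually means.

```python
"""Added example: offline evaluator for a published DMARC record against the
p=reject email threshold. Not code from the page's source frameworks or any
DMARC tool. SAMPLE_TXT holds constructed DNS answers for hypothetical
.test domains; a live check would resolve _dmarc.<domain> TXT instead."""

# Constructed sample DNS answers (assumed data, not real domains).
SAMPLE_TXT = {
    "_dmarc.example-bank.test":
        "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
        "rua=mailto:dmarc@example-bank.test",
    "_dmarc.example-broker.test":
        "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example-broker.test",
    "_dmarc.example-weak.test": "v=DMARC1; p=none",
    "_dmarc.example-sub.test": "v=DMARC1; p=reject; sp=none",
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tags.
    Returns None unless the record carries v=DMARC1 as RFC 7489 requires."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return {'passes': bool, 'fail': [...], 'note': [...]}.
    'fail' items break the p=reject threshold; 'note' items are weaker-than-
    ideal settings that do not by themselves fail it."""
    fail, note = [], []
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return {"passes": False, "fail": ["no valid DMARC record published"],
                "note": []}
    policy = tags.get("p", "").lower()
    if policy != "reject":
        fail.append("p=%s (threshold is p=reject)" % (policy or "missing"))
    pct = tags.get("pct", "100")  # RFC 7489 default: apply to 100% of mail
    if not (pct.isdigit() and int(pct) == 100):
        fail.append("pct=%s applies the policy to only part of the mail stream" % pct)
    sub_policy = tags.get("sp", policy).lower()  # sp inherits p when absent
    if sub_policy != "reject":
        fail.append("sp=%s leaves subdomains weaker than the organisational policy"
                    % sub_policy)
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":  # relaxed alignment is the default
            note.append("%s=r (relaxed alignment; strict alignment is tighter)" % tag)
    if "rua" not in tags:
        note.append("no rua= address: aggregate reports are not being collected")
    return {"passes": not fail, "fail": fail, "note": note}


def assess_domain(domain, txt_lookup=SAMPLE_TXT):
    """Look up _dmarc.<domain> in the (sample) TXT table and assess it."""
    result = assess_dmarc(txt_lookup.get("_dmarc." + domain))
    result["domain"] = domain
    return result


if __name__ == "__main__":
    for d in ("example-bank.test", "example-broker.test", "example-weak.test",
              "example-sub.test", "example-missing.test"):
        r = assess_domain(d)
        print(d, "PASS" if r["passes"] else "FAIL", r["fail"], r["note"])
```

The `example-sub.test` record is the case an auditor reading only the `p=` tag would pass: it publishes p=reject, but `sp=none` means mail spoofed from any subdomain is not rejected. Relaxed alignment and a missing `rua=` are reported as notes rather than failures, since the threshold on this page is the policy itself; the evidence item "email DMARC posture (online check or DMARC analyser report)" is where the missing reporting address would show up.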

Common findings

Common 2024–26 findings: (1) DLP deployed at email but not endpoint, network, or cloud, leaving those exfiltration channels open; (2) email DMARC at p=none or p=quarantine rather than p=reject, or p=reject published with pct below 100 or a weaker subdomain policy; (3) cloud DLP API not integrated with SaaS, so the cloud channel is unprotected; (4) DLP rules generic (pattern-only), not linked to classification; (5) high false-positive rate leading to rules being set to monitor-only or disabled, so enforcement is nominal; (6) web filtering category-based only, with no sandbox-on-fetch.