GASP: AICF

DAT-017 Data Leakage Prevention

Tier 2+

Description

Controls are in place to detect and prevent unauthorised exfiltration of sensitive and personal data from systems, networks and applications. This includes monitoring for anomalous bulk data access or export, egress filtering at network boundaries, and restrictions on unapproved data transfer mechanisms.

Rationale

SaaS environments with large volumes of customer data are high-value exfiltration targets. DLP controls reduce both insider and external threat impact.

Framework Mappings (4)

DSP-17: Sensitive Data Protection (partial)
GDPR-Art.32.1: Technical and Organisational Security Measures (partial)
8.12: Data leakage prevention (full)
PM-17: Protecting Controlled Unclassified Information on External Systems (partial)

Evidence (2)

tool_output, automated

DLP tool scan results or alert reports demonstrating that sensitive data egress is monitored and anomalous bulk data transfers are detected.

Example: DLP policy report from Microsoft Purview DLP, Nightfall AI, or equivalent — showing active policies covering email, cloud storage and API egress for Confidential and Restricted data, alert counts for the last 90 days, and any escalated incidents with disposition

Test: Request the DLP tool configuration and recent alert report. Verify: (1) DLP policies are active on all primary data egress channels (email, cloud storage, API exports, messaging), (2) policies cover at minimum: bulk PII exports, unencrypted sensitive data, and data matching Restricted classification, (3) alert workflow routes to a responsible reviewer, (4) no sustained high-volume alerts are unresolved.

configuration, automated

Network egress filtering or cloud security group configuration showing that unapproved outbound data transfer channels are restricted at the network layer.

Example: AWS Security Group or VPC Network ACL export, or cloud firewall policy — showing outbound traffic restricted to approved destinations (internal services, approved SaaS), with all other egress blocked by default in production VPC

Test: Review the production network egress configuration. Verify: (1) outbound traffic is restricted by default and requires explicit allow rules, (2) allow-listed destinations are documented and reviewed, (3) bulk file transfer protocols (FTP, SMB) to external destinations are blocked unless explicitly approved, (4) configuration changes are logged.
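Checks (1) to (3) of the egress test above can be run mechanically over a security group export. The following is an added example, not part of the control text: it assumes the JSON shape produced by `aws ec2 describe-security-groups`, and the group IDs, CIDR ranges, allow-list and the port set treated as bulk file transfer are constructed for illustration. Check (4), change logging, has to be verified separately.

```python
import ipaddress

# Assumption: ports treated as bulk file transfer (FTP data/control, SMB).
BULK_PORTS = {20: "FTP", 21: "FTP", 139: "SMB", 445: "SMB"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def within(net, nets):  # True if net sits inside any same-version network
    return any(net.version == n.version and net.subnet_of(n) for n in nets)

def audit_egress(export, approved_cidrs, internal_cidrs):
    """Return (group_id, finding) pairs for a describe-security-groups export."""
    internal = [ipaddress.ip_network(c) for c in internal_cidrs]
    allowed = internal + [ipaddress.ip_network(c) for c in approved_cidrs]
    findings = []
    for sg in export["SecurityGroups"]:
        for rule in sg.get("IpPermissionsEgress", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            proto = rule["IpProtocol"]  # "-1" means all protocols and ports
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr)
                if cidr in ANYWHERE:  # check (1): egress is not default-deny
                    findings.append((sg["GroupId"], f"open egress to {cidr}"))
                elif not within(net, allowed):  # check (2): undocumented destination
                    findings.append((sg["GroupId"], f"{cidr} not on allow-list"))
                if within(net, internal):  # check (3) concerns external targets only
                    continue
                hit = sorted({n for p, n in BULK_PORTS.items()
                              if proto == "-1" or (proto == "tcp" and lo <= p <= hi)})
                findings += [(sg["GroupId"], f"{n} allowed to {cidr}") for n in hit]
    return findings

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 21,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]},
]}

if __name__ == "__main__":
    for group, finding in audit_egress(SAMPLE, ["198.51.100.0/24"], ["10.0.0.0/8"]):
        print(group, finding)
```

An empty result means every egress rule points at an internal or allow-listed range and none exposes FTP or SMB externally; an approved exception for those protocols would still be reported and needs its approval record attached.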

Questions (2)

boolean

Does your organisation have technical controls in place to detect and prevent unauthorised exfiltration of sensitive and personal data, including monitoring for anomalous bulk data access or export?

DLP controls should monitor all major egress channels (email, cloud storage, API exports, messaging). Network egress should be restricted by default. Alerts should route to a responsible reviewer.

multi

Which data leakage prevention controls are active in your environment?

DLP tooling monitoring email and collaboration platforms for sensitive data
DLP policies covering API exports and bulk data downloads from the application
Network egress filtering restricting outbound traffic to approved destinations
Anomaly detection alerts for bulk data access or unusual export volumes
Cloud access security broker (CASB) monitoring for unsanctioned data transfers
No active DLP controls in place

A layered approach combining application-level DLP, network egress controls and anomaly detection provides the strongest coverage. At minimum, DLP should cover email and bulk export channels for Confidential and Restricted data.