
Data Leakage Prevention Policy

Owner: CDO Office
Classification: Internal
Review Date: April 2027
Status: Active

Document Type: Policy
Document Reference: SP-DLP-009
Version: 1.0
Owner: CISO
Classification: Confidential
Review Cycle: Annual

Introduction

Scope

This policy applies to all Simpaisa employees, contractors, and third parties who have access to Simpaisa's information systems, data, and networks. It covers all data in all forms — electronic, printed, or otherwise — and all methods of data transmission, storage, and disposal.

Control Objective

The objective of this policy is to prevent the unauthorised disclosure, exfiltration, or loss of Simpaisa's sensitive and confidential data. Data leakage poses significant risks to Simpaisa, including financial loss, reputational damage, regulatory penalties, and harm to customers and partners.

This policy establishes controls to detect, prevent, and respond to data leakage incidents, ensuring that sensitive data is handled appropriately throughout its lifecycle.

Policy Statement

Simpaisa is committed to protecting all sensitive and confidential data from unauthorised access, disclosure, or loss. All employees and contractors are responsible for understanding and complying with this policy as a condition of their engagement with Simpaisa.

Deliberate or negligent data leakage will be treated as a serious disciplinary matter and may result in termination of employment or contract, and referral to relevant legal authorities where appropriate.

Data Classification and Storage

All data handled by Simpaisa shall be classified in accordance with Simpaisa's Data Classification Policy. The following classification levels apply:

  • Public — Information approved for public release

  • Internal — Information for internal use only

  • Confidential — Sensitive business information restricted to authorised personnel

  • Restricted — Highly sensitive information (e.g., customer PII, financial data, credentials) subject to the strictest controls

Data storage requirements by classification:

  • Restricted and Confidential data shall be stored only in approved, secured systems

  • Restricted data shall be encrypted at rest and in transit

  • Data shall not be stored on personal devices, unapproved cloud services, or removable media without explicit authorisation

  • Hard copy documents containing Confidential or Restricted data shall be stored in locked storage

Data Access and Movement

Access to sensitive data shall be granted on a need-to-know basis and in accordance with the Access Control Policy (SP-ACP-001).

Controls on data movement include:

  • Confidential and Restricted data shall not be transmitted via unencrypted channels (e.g., plain text email)

  • Transfers of sensitive data to external parties shall require explicit authorisation from the data owner and CISO

  • Use of personal email accounts, consumer file-sharing services, or unauthorised cloud storage for Simpaisa data is prohibited

  • Removable media (USB drives, external hard drives) containing sensitive data shall be encrypted and subject to authorisation controls

  • Printing of Confidential or Restricted data shall be minimised and subject to secure handling and disposal requirements

Incident Response and Remedial Actions

Monitoring and Data Security

Simpaisa shall deploy and maintain technical controls to monitor and protect sensitive data, including:

  • Data Loss Prevention (DLP) tooling to monitor and control the movement of sensitive data across endpoints, networks, and cloud services

  • Email security controls to detect and prevent the exfiltration of sensitive data via email

  • Endpoint controls to restrict the use of removable media and unapproved applications

  • Network monitoring to detect anomalous data transfers

Monitoring and Enforcement

  • DLP policies shall be configured to alert on and, where appropriate, block attempts to transfer sensitive data in violation of this policy

  • Alerts generated by DLP and monitoring tools shall be reviewed by the security team in a timely manner

  • All data leakage alerts and incidents shall be logged and tracked

  • DLP tool configurations shall be reviewed and updated at least quarterly

User Responsibilities

All users are responsible for:

  • Handling data in accordance with its classification level

  • Reporting suspected data leakage incidents immediately to the security team

  • Not attempting to circumvent DLP or monitoring controls

  • Completing mandatory data protection and security awareness training

Annexure A: Standard Operating Procedure for Handling Data Leakage Incidents

The following 16-step SOP shall be followed upon detection or report of a suspected data leakage incident:

  1. Detection / Report — The incident is detected by a monitoring tool alert, or reported by an employee, customer, or third party.

  2. Initial Triage — The security team performs an initial triage to assess the credibility and potential severity of the report.

  3. Incident Logging — The incident is formally logged in the incident management system with all available details.

  4. Incident Classification — The incident is classified by severity (Critical, High, Medium, Low) based on the nature and volume of data potentially involved.

  5. Escalation — The CISO and relevant stakeholders are notified in accordance with the incident severity level.

  6. Containment — Immediate containment actions are taken to stop or limit further data leakage (e.g., revoke access, block data transfer channels, isolate affected systems).

  7. Evidence Preservation — Digital evidence is preserved in a forensically sound manner to support investigation and potential legal action.

  8. Investigation — A detailed investigation is conducted to determine the cause, scope, and impact of the incident, including what data was involved and how the leakage occurred.

  9. Affected Data Identification — All data potentially compromised in the incident is identified and catalogued.

  10. Regulatory Assessment — The incident is assessed against applicable regulatory requirements (e.g., data protection legislation) to determine notification obligations.

  11. Notification — Where required by regulation or contract, affected individuals, regulators, and/or partners are notified within the prescribed timeframes.

  12. Remediation — Technical and procedural remediation actions are implemented to address the root cause of the incident.

  13. Communication — Internal and external communications are managed by the CISO and Communications team in a coordinated manner.

  14. Post-Incident Review — A post-incident review is conducted to assess the effectiveness of the response and identify lessons learned.

  15. Policy and Control Update — Policy, procedures, and technical controls are updated as required based on the findings of the post-incident review.

  16. Incident Closure — The incident is formally closed in the incident management system once all remediation actions are complete and verified.