Policy Templates

Ready-to-use DLP policy templates and documentation

DLP Policy Templates

Ready-to-use policy templates and documentation to accelerate your DLP implementation. All templates are designed to align with Sri Lanka's Personal Data Protection Act (PDPA) No. 9 of 2022 and industry best practices.

Customization Required

These templates are starting points. Customize them to match your organization's specific requirements, industry, and risk profile.

Template Categories

DLP Policy

Comprehensive data loss prevention policy template

View Template

Incident Response

Data breach incident response plan template

View Template

Data Classification

Data classification framework and guidelines

View Template

Acceptable Use Policy

Employee acceptable use policy for data handling

View Template

Training Materials

User awareness and training content templates

View Template

Risk Assessment

DLP risk assessment framework template

View Template

Data Loss Prevention Policy

Comprehensive DLP policy aligned with PDPA requirements

Policy Overview

Purpose: To establish a framework for protecting sensitive data from unauthorized access, use, disclosure, or loss, ensuring compliance with Sri Lanka's PDPA.

Scope: This policy applies to all employees, contractors, and third parties who handle organizational data.

Key Policy Components:
  • Data Classification: Categorize data as Public, Internal, Confidential, or Restricted
  • Access Controls: Implement role-based access controls (RBAC) for sensitive data
  • Data in Transit: Encrypt data transmitted over networks using TLS 1.2+
  • Data at Rest: Encrypt sensitive data stored on devices and servers
  • Removable Media: Control and monitor use of USB drives and external storage
  • Email Security: Monitor and control sensitive data in email communications
  • Cloud Services: Approve and monitor cloud storage services for data handling
  • Mobile Devices: Implement MDM solutions for BYOD and corporate devices
  • Monitoring & Auditing: Regular DLP system audits and compliance reviews
  • Incident Response: Procedures for handling DLP policy violations
PDPA Compliance Requirements:
  • Lawful processing of personal data (Section 5)
  • Purpose limitation and data minimization (Section 6)
  • Accuracy and retention (Section 7)
  • Security safeguards (Section 8)
  • Breach notification procedures (Section 16)
  • Data subject rights (Sections 17-22)
Enforcement:

Violations of this policy may result in:

  • Verbal or written warning
  • Mandatory retraining
  • Suspension of system access
  • Termination of employment or contract
  • Legal action if required by PDPA

Download Full Template

Customizable Word/PDF document with detailed policy sections

Data Breach Incident Response Plan

Step-by-step response procedures for data incidents

Incident Response Framework

1. Detection & Identification (0-2 hours)
  • Monitor DLP alerts and security systems
  • Identify type and scope of incident
  • Document initial findings
  • Classify incident severity (Critical/High/Medium/Low)
2. Containment (2-4 hours)
  • Isolate affected systems
  • Prevent further data loss
  • Preserve evidence for investigation
  • Activate incident response team
3. Investigation (4-24 hours)
  • Determine root cause
  • Identify compromised data
  • Assess impact on data subjects
  • Document findings comprehensively
4. Notification (24-72 hours)
  • Notify Data Protection Authority if required (within 72 hours per PDPA Section 16)
  • Inform affected data subjects
  • Communicate with stakeholders
  • Prepare public statement if necessary
5. Recovery & Remediation
  • Restore normal operations
  • Implement corrective measures
  • Update security controls
  • Conduct post-incident review
6. Lessons Learned
  • Document incident timeline
  • Identify process improvements
  • Update policies and procedures
  • Conduct team training

Download Response Template

Includes incident forms, checklists, and communication templates

Data Classification Framework

Categorize and protect data based on sensitivity

Classification Levels

RESTRICTED
Highly Sensitive Data

Unauthorized disclosure could cause severe damage to the organization or individuals.

Examples: NIC numbers, passport numbers, financial data, health records, authentication credentials

Protection Requirements:

  • Encryption at rest and in transit (AES-256)
  • Multi-factor authentication required
  • Strict access controls and logging
  • Cannot be shared externally without approval
CONFIDENTIAL
Sensitive Data

Unauthorized disclosure could harm the organization or individuals.

Examples: Employee records, customer lists, contracts, strategic plans, proprietary information

Protection Requirements:

  • Encryption for transmission
  • Role-based access controls
  • Access logging and monitoring
  • Approval required for external sharing
INTERNAL
Internal Use Only

Data intended for internal business use only.

Examples: Internal memos, operational procedures, organizational charts, meeting minutes

Protection Requirements:

  • Standard access controls
  • Internal network only
  • Basic monitoring
  • Not for public distribution
PUBLIC
Public Information

Data approved for public disclosure.

Examples: Marketing materials, published reports, public website content, press releases

Protection Requirements:

  • No special protection required
  • Maintain integrity
  • Version control

Download Classification Guide

Complete framework with labeling guidelines and examples

Acceptable Use Policy

Guidelines for employee data handling and system usage

Policy Guidelines

Acceptable Use:
  • Access only data required for job responsibilities
  • Use approved communication channels for sensitive data
  • Follow data classification and handling procedures
  • Report security incidents immediately
  • Use strong passwords and enable MFA
  • Lock devices when unattended
  • Encrypt sensitive data before transmission
Prohibited Activities:
  • Sharing sensitive data via personal email or messaging apps
  • Storing organizational data on unapproved cloud services
  • Using unauthorized USB drives or external storage
  • Taking screenshots of sensitive data without authorization
  • Forwarding confidential emails to external parties
  • Printing sensitive documents without secure release
  • Sharing login credentials or access tokens
  • Circumventing DLP controls or security measures
Remote Work Requirements:
  • Use company-provided VPN for accessing organizational resources
  • Ensure home network security (strong WiFi password, updated router firmware)
  • Maintain physical security of devices and documents
  • Use privacy screens in public locations
  • Secure disposal of printed materials
BYOD (Bring Your Own Device) Requirements:
  • Register personal devices with IT before accessing company data
  • Install required MDM/MAM software
  • Keep device OS and apps updated
  • Enable device encryption and screen lock
  • Separate personal and business data

Download AUP Template

Employee acknowledgment form included

User Awareness & Training

Comprehensive training materials for DLP awareness

Training Program Components

1. New Employee Onboarding
  • Introduction to DLP program
  • Data classification overview
  • Acceptable use policy review
  • Account setup and security basics
  • Quiz and acknowledgment form
2. Annual Refresher Training
  • Policy updates and changes
  • Recent incident case studies
  • Emerging threats and trends
  • Best practices reinforcement
  • Compliance certification
3. Role-Specific Training
  • Developers: Secure coding practices
  • HR: Handling personnel data
  • Finance: Financial data protection
  • Executives: Strategic data handling
  • IT Admin: DLP system management
4. Incident Response Training
  • Recognizing security incidents
  • Reporting procedures
  • Tabletop exercises
  • Communication protocols
  • Post-incident reviews
Training Topics:
Email Security
Password Management
Phishing Awareness
Mobile Security
Cloud Data Safety
Device Security

Download Training Package

Includes presentations, videos scripts, quizzes, and certificates

DLP Risk Assessment Framework

Identify and evaluate data loss risks

Risk Assessment Process

Step 1: Asset Identification

Identify all data assets and their locations:

  • Databases and file servers
  • Endpoint devices (laptops, desktops, mobile)
  • Cloud storage and SaaS applications
  • Email systems and collaboration tools
  • Backup and archive systems
Step 2: Threat Identification

Common DLP threats to consider:

  • Insider threats (malicious or accidental)
  • External cyberattacks
  • Lost or stolen devices
  • Unauthorized cloud uploads
  • Email misdirection
  • Third-party data breaches
Step 3: Vulnerability Assessment

Evaluate weaknesses in current controls:

  • Missing or weak encryption
  • Insufficient access controls
  • Lack of monitoring and alerting
  • Inadequate employee training
  • Unmanaged devices and applications
Step 4: Risk Evaluation

Calculate risk using this matrix:

Impact Low Probability Medium Probability High Probability
Critical Medium High Critical
High Low Medium High
Medium Low Low Medium
Step 5: Risk Treatment

Develop mitigation strategies:

  • Avoid: Eliminate the activity causing the risk
  • Reduce: Implement controls to minimize likelihood or impact
  • Transfer: Share risk through insurance or third parties
  • Accept: Acknowledge low-level risks with documented justification

Download Assessment Template

Excel workbook with automated risk calculations

Implementation Support

Need help implementing these templates?

Implementation Guide

Step-by-step DLP deployment guide

Data Patterns

Sri Lankan data detection patterns

Community Support

Connect with DLP practitioners

Contribute Templates

Have a template to share? Help the Sri Lankan DLP community by contributing your templates and best practices.

Contribute on GitHub