How to Divest a Division Without Divulging Your Data

According to a recent EY divestment study, “28% of CEOs say the most important strategic action their company will take in the next six months is divesting assets to raise capital for investing in other parts of the business.”  How do you successfully divest a business division without introducing unintended data risk?

Business restructuring processes - such as divestitures and offloading - are complex and challenging for any organization.  There are two important dimensions that organizations have to manage. 

• First, they face a critical challenge in ensuring the protection of sensitive and confidential data before, during, and after the transition. 
• Second, while navigating a complex IT systems change, they need to retain a robust, operational DLP system, that will work for the business post-divestment.  For example, updating data protection policies and protecting intellectual ‘know-how’ during staff changes.

Data protection should therefore be at the center of these challenging business processes.  At Symantec, we have helped customers successfully complete complex divestitures.  We can share six important lessons to ensure best practices are followed and that companies successfully protect information during a business restructuring process:

Use DLP Discovery tools to create a complete inventory of your data. 

Once an organization decides to embark on a divestiture process, it is paramount to discover the information related to the assets that will be offloaded, including business records, intellectual property, and personally identifiable information.  Symantec DLP can help organizations proactively discover and classify sensitive data that needs to be protected during the divestiture process.  Symantec DLP offers numerous tools that customers can rely on to prioritize the discovery effort.  With DLP Core, you can use Network Discover to scan file systems, Sharepoint, databases, and other customer-managed information repositories and Endpoint Discover for end-user devices running multiple operating systems (Windows, Mac and Linux).  

Adding DLP Cloud gives access to additional DLP and CASB technology (CloudSOC Securlets) to control the flow of sensitive data to third-party SaaS and IaaS applications.

Ongoing data monitoring helps you cope with changes to timelines or compliance needs. 

During a divestiture, organizations must continue complying with various regulations and data protection laws, and remaining compliant is paramount.  Symantec DLP can help organizations maintain compliance by ensuring that sensitive data is handled in accordance with regulatory requirements.  It can also provide audit trails and reporting capabilities to demonstrate compliance with data protection laws and regulations.  Policy Groups, Endpoint Agent Groups, and Synchronized Directory Group Matching are mechanisms that can help customers create policies to understand and then protect the new organizational boundaries.  Exact Data Matching (EDM), Exact Match Data Identifiers, and Indexed Document Matching detection technologies are useful for identifying specific information assets belonging to the divesting business unit. 

Symantec DLP offers a comprehensive set of reporting capabilities, and continuously updated policy templates.  

Assume data will migrate so enforce protection to keep it safe. 

Protecting sensitive data is a core value that Symantec DLP delivers to our customers.  Throughout the divestiture, Symantec DLP can prevent data leakage across email, web, cloud, endpoint, and other communication channels by enforcing data protection policies.  This ensures that sensitive data remains secure and does not fall into the wrong hands during the divestiture process.  Customers can rely on our comprehensive set of Response Rules to automatically prevent data leakages, either from Enforce or from other enterprise remediation and triaging tools via APIs.  Detection technologies like Exact Data Matching, Exact Match Data Identifiers, and the recently released Structured Data Identifiers are particularly useful to prevent structured data from inadvertently spilling after the offloading/divestiture is complete.  Symantec DLP also allows you to create specific roles with granular controls - like masking data in incidents -  to ensure that data in our platform is only available on a need-to-know basis. 

Our approach of scanning file contents, as well as using DLP Classification tags, provides peace of mind that sensitive data will be highly protected, even if users try to remove data tags in order to bypass detection.  In addition, this approach ensures data is protected in line with the latest DLP policy (for example if regulations are updated).

Ground your DLP program with best practices. 

Symantec DLP can help organizations ensure a smooth transition during a divestiture process, for both the originating and the divesting organization.  It can help identify and mitigate any risks associated with the transfer of data between the parent company and the newly created entity.  We provide best practices and documentation to help our customers with their business continuity processes. If the organization decides to prune the incidents from the database, Symantec DLP allows you to perform scheduled deletion of incidents.  If the new entity needs to bring Symantec DLP incidents as part of its business assets, customers can leverage the flexibility of the Web Archive functionality or the robust Reporting API to ensure that the right information is available after the divestiture or offloading.  

Don't be afraid to ask for help. 

To prepare for life after the divestment, it is recommended that customers review their DLP systems.  Symantec Information Protection Program Reviews offers customers a proven way to align their DLP program at both a strategic and tactical level.  Through a process of facilitated workshops, we help customers understand the multiple facets involved in DLP, identify operational risks and make short and medium-term improvement recommendations. 

Our technical experts can help customers evaluate their options by drawing on their experience of advising some of the world’s largest users of DLP systems.

Data Protection needs to be everywhere, so integrate DLP into your security stack.

Symantec DLP has become a valuable repository of intelligence and best practices for our customers, underpinning Information Protection and Cybersecurity efforts.  Our solutions can integrate with other security solutions to provide a comprehensive security posture during the divestiture process.  For example, it can integrate with identity and access management solutions to ensure that only authorized users have access to sensitive data.  Symantec DLP offers robust APIs for reporting, incident remediation, policy management, user and role reporting, infrastructure management, scan settings, and endpoint certificate management.

Conclusion

Divestiture processes can be risky, and organizations must take steps to mitigate these risks.  Symantec DLP can help organizations manage these risks, ensuring that sensitive data is properly identified, monitored, and protected throughout complex and challenging divestiture and offloading processes.  We also have experienced resources in our Professional Services and Partner organizations to ensure that the post-divestment DLP system is properly configured and resourced for success.  For more information and to learn more, please visit us here.