Lesson 02intermediateKnowledge

Data Loss Prevention

Policy development, classification, and choosing the right detection engine.

Overview

DLP is only as effective as its policies. Proofpoint interviewers want to know whether you can design and tune policies in production — not just describe what DLP does in theory. Answer the five questions below with operational specificity.

Read before you answer

DLP policy development in Proofpoint starts with data classification — understanding what data you are protecting, where it lives, and how it moves. The typical enterprise data classification model defines tiers: public, internal, confidential, and restricted (or equivalent labels). Before a single policy is written, a platform specialist needs to know which data categories are in scope for regulatory or contractual reasons (PCI-DSS for card data, HIPAA for PHI, GDPR for EU personal data, ITAR for export-controlled technical data), and what business processes legitimately move that data so that enforcement does not disrupt operations.

Proofpoint DLP policies are built around rules that combine content conditions (pattern matches, EDM hits, IDM fingerprint matches, OCR detections), contextual conditions (sender, recipient, attachment type, message direction), and actions (quarantine, encrypt, block, notify, log-only). A common architecture separates policies by data type: a PCI policy with EDM fingerprints against a card number database and a regex fallback for card patterns; a PHI policy combining HIPAA-specific dictionaries with EDM against patient record exports; and a confidential documents policy using IDM fingerprints against contracts and design files. Each policy should have a defined escalation path: who reviews quarantined messages, at what SLA, and what constitutes an incident requiring formal response.

Policy tuning is the ongoing operational work. New DLP deployments almost always start in monitor-only mode to establish a baseline of violations without disrupting users, then move through progressive enforcement stages (notify user, notify manager, quarantine for review, block and notify sender) as confidence in policy accuracy grows. The key metrics for tuning are false positive rate (legitimate business emails caught by policy) and false negative rate (actual data leaks missed). High false positive rates destroy analyst trust in the system and lead to rubber-stamping; high false negative rates mean the policy is not protecting what it should. EDM and IDM dramatically reduce false positives compared to regex-only approaches because they match actual data, not just patterns that resemble data.