Proofpoint Endpoint DLP — Acceptable Use
Audience: IT Administrators and Security Officers.
Purpose: Determine appropriate deployment of DLP agents.
Overview
End-user devices (laptops, tablets, smartphones) provide a gateway to university data, research, and teaching platforms. These devices are bound by TAMU Security Controls.
Requirements
Systems storing or processing critical or confidential data require:
- ✓ File encryption or whole-disk encryption
- ✓ Data loss prevention (DLP) software
Deployment Guidelines
When to Install DLP
Recommended for:
- Faculty and staff devices handling critical or confidential data
- Workstations with access to sensitive university systems
- Devices used for administrative functions
When NOT to Install DLP
DLP agents are inappropriate for:
| Scenario | Reason |
|---|---|
| Devices used by users without access to sensitive data | No data exposure risk |
| Digital signage | Cannot access confidential data |
| Open access workstations | Student/public use |
| Ephemeral desktops (under 30 days lifespan) | Transient systems |
| Servers (see Client-Server Model) | Different security model |
| Application servers with only source code | No direct data access |
Client-Server Model
This section applies to client-server architectures in which the servers:
- Are used exclusively in client-server mode
- Do not allow interactive user sessions
Such a server may not need a DLP agent if:
- All connecting endpoints have DLP agents installed
- The information resource owner can verify endpoint coverage
Database Servers
Even when storing confidential information, database servers may not need DLP agents if:
- Access follows least privilege principles
- Connecting endpoints have DLP installed
Detection Capabilities
Proofpoint Endpoint DLP scans data in motion when it leaves the TAMU environment:
| Action | Description |
|---|---|
| Copy to USB | USB drives, thumb drives, external hard drives |
| Web File Sync | Cloud storage without university agreements (Dropbox, iCloud) |
| Web File Upload | Cloud storage other than TAMU tenants |
Printing, web file download, and document open may be monitored in future releases.
Alert Response
| Step | Owner |
|---|---|
| Policy trigger → Alert in console | Automatic |
| Review all alerts | Technology Services |
| Optional: Campus IT review | Unit admins |
| Policy violation incident | ServiceNow notification |
| Response request | Data owner/steward |
Request Access
Contact cloudsecurity-notify@tamu.edu to:
- Request console access
- Obtain DLP software repository access
- Ask questions about implementation