I work for a healthcare organization and we are in process of implementing HDLP. As this is my first McAfee HDLP experience I am looking for others who have implemented for any tips or willing to share what they are doing to protect PHI and PII going to USB (encrypted or unencrypted). Thanks!
I'm not in that vertical, but my main client here we've successfully used HDLP to prohibit use of anything but hardware encrypted USB's (I strongly recommend IronKeys over anything currently for formerly McAFee branded, by the way). The policy options available are quite rich, so you should be relatively confident that it'll do what you want. One caveat I'd add from one client: If you're among a surprising number of places out there that enjoy the management wins of Novell (which has evolved beyond Netware, by the way) for file shares, and you use the Novell client on workstations... HDLP comes with some serious caveats about that Novell file shares. This can be worked around by eliminating the Novell client from your life and using native file access instead, which is probably a good idea anyway.
At any rate, the USB stuff works pretty well for what it is.
Note though that, like any software based scheme, someone can pretty trivially undermine it unless you lock out boot to usb or boot to CD in the BIOS or you are doing full disk encryption.
The bypass works like so: Save sensitive document to local hard disk somewhow, boot to a USB drive or optical drive into some other operating system (system rescue cd, a linux live cd, Hiren's boot cd... there are many many options) , mount that local hard drive and copy local hard drive file off to any ole USB you want. So to be serious about this, you'll want to make sure your workstations can't be booted from alternative media. But if you already have full disk encryption, and the encryption can't be mounted under an alternative operating system, you're covered against this threat vector.
Also, a lot of places ignore web mail and cloud services and pretend they don't exist. If you want to be serious about preventing PII and PHI going encrypted out the door, you'll need serious network DLP associated with your outbound email and web uploads as well, and a strong egress policy on the firewall that forces things to go out through your control points of web gateway and email gateway.
Thanks for the info Regis. We are currently doing sorta same with the USB drives. Thats the easy part of HDLP I think. We are also utilizing EEFF to enrypt the device if need be. We already have NDLP to monitor cloud and web along with MCP.
I guess I am more interested in the actual data going on devices and what others have done in regards to utilizing classification rules with their dictionaries and text paterns and what problems they ran into while implementing. Trying not to bog down the clients too much if not needed.