A financial institution must design internal control procedures and implement appropriate technology in all applications and access points to enforce DLP policies and trigger any policy violations. The technology deployed must cover the following:
(a) data in-use - data being processed by IT resources;
(b) data in-motion - data being transmitted on the network; and
(c) data at-rest - data stored in storage mediums such as servers, backup media and databases.