Data loss prevention (DLP) is a managerial and technical control that monitors and blocks sensitive data from being moved, copied, or sent outside an organization, applied based on the data's classification and state.
Data loss prevention (DLP) is everything an organization does to keep sensitive data from walking out the door, whether that's by accident, theft, or a malicious insider. Think of it as a security guard watching every exit, but for data instead of people. If someone tries to email a file full of credit card numbers to a personal account, or copy patient records onto a USB drive, DLP is the system that flags or blocks it.
In the AP Cybersecurity CED, DLP lives inside Topic 5.2, which covers managerial controls and access controls for protecting applications and data. DLP only works if you know what you're protecting and where it lives, which is why it leans directly on data classification (EK 5.2.A.1) and the three data states (EK 5.2.A.2). You protect data at rest (sitting on a drive), data in transit (moving between devices), and data in use differently, and DLP rules are written to watch each of those states for the specific data types, like payment card information or protected health information, that legal requirements force an organization to lock down.
DLP sits in Unit 5: Securing Applications and Data, and it's the practical payoff of learning objective AP Cybersecurity 5.2.A, which asks you to explain how the state or classification of data changes the security applied to it. The whole point of classifying data is so you can build controls around it, and DLP is one of those controls. It also connects to AP Cybersecurity 5.2.B (managerial controls) because a real DLP program starts as written policy before it becomes software. On the exam, this term rewards you for thinking like a security manager: identify the sensitive data, figure out which state it's in, and pick the control that matches the legal and business risk.
Keep studying AP Cybersecurity Unit 5
Visual cheatsheet
view galleryData Classification and Data States (Unit 5)
DLP is useless until you know what counts as sensitive. Classification labels the data (public, confidential, regulated), and DLP enforces rules based on those labels and whether the data is at rest, in transit, or in use.
Protected Health Information and Payment Card Information (Unit 5)
These are the textbook examples of data that legal requirements force you to protect (EK 5.2.A.1). DLP is often the tool that keeps PHI and PCI from being emailed, uploaded, or copied somewhere they shouldn't go.
Access Control Models like RBAC (Unit 5)
Access control decides who can open a file in the first place; DLP watches what they do with it afterward. RBAC might let an accountant read payroll data, but DLP stops that accountant from forwarding it outside the company.
Encryption and Cryptography Policy (Unit 5)
Encrypting data at rest and in transit (EK 5.2.A.2, EK 5.2.B.1) is a prevention layer that complements DLP. If a DLP system fails and data leaks, encryption means an adversary still can't read it.
Expect DLP to show up in multiple-choice scenarios where you have to match a control to a data-protection problem. A stem might describe an employee copying customer records to a flash drive and ask which control best prevents that, with DLP as the correct answer. You may also see it in questions that test data states, asking you to identify whether a given DLP rule protects data at rest or in transit. No released FRQ has used this term verbatim, but it fits the kind of free-response prompt that asks you to recommend controls for a specific data type, where you'd name DLP alongside classification, access control, and encryption. The skill being tested is connecting the data's classification and state to an appropriate control, which is exactly AP Cybersecurity 5.2.A.
Access control decides whether a subject can touch an object at all, like whether a user can open a file. DLP assumes the user already has legitimate access and instead watches whether they try to move that data somewhere it shouldn't go. Access control is the locked door; DLP is the guard checking your bag on the way out.
Data loss prevention (DLP) monitors and blocks sensitive data from leaving an organization, whether by accident, theft, or insider action.
DLP depends on data classification and data state, so you protect data at rest, in transit, and in use with rules tailored to each.
DLP is the practical reason classification matters under AP Cybersecurity 5.2.A: you classify data so you can build controls around it.
DLP and access control are different layers; access control decides who can open data, while DLP decides whether they can take it out.
Regulated data like payment card information (PCI) and protected health information (PHI) are the classic targets DLP is built to protect.
Data loss prevention (DLP) is a control that stops sensitive data from leaving an organization without authorization. In Topic 5.2 it's applied based on the data's classification and state, like blocking an email that contains regulated data such as PCI or PHI.
No. Access control decides whether a user can open or modify a file at all, while DLP watches what happens to data the user already has rights to, like stopping them from emailing it outside the company. They're complementary layers, not the same thing.
Classification labels data by sensitivity and legal requirements (EK 5.2.A.1), and DLP uses those labels to know what to watch. You can't prevent the loss of data you haven't identified as sensitive in the first place.
No. DLP covers all three data states from EK 5.2.A.2: data at rest on a drive, data in transit between devices, and data in use. Strong DLP programs apply rules to each state, often alongside encryption.
Yes, it fits Unit 5 and learning objective AP Cybersecurity 5.2.A. Expect multiple-choice scenarios that ask you to pick the control that prevents sensitive data from leaving an organization, with DLP as the answer.
Connect this key term to the AP exam workflow: review the course, practice questions, and check related study tools.