DLP (data loss prevention) is a security control that monitors and blocks sensitive or classified data from being leaked, copied, or transmitted outside an organization, especially data in transit and data in use.
DLP stands for data loss prevention. It's the technology and policy combo that keeps sensitive data from walking out the door, whether that's an employee emailing a customer list to a personal account, uploading payroll files to the cloud, or copying records to a USB stick. DLP tools watch the data, recognize what's sensitive, and stop the action if it breaks the rules.
In AP Cybersecurity terms, DLP only works if you've first classified your data (EK 5.2.A.2). A DLP system needs to know what counts as sensitive before it can protect it, so it scans for things like Social Security numbers, credit card numbers (payment card information), or health records (protected health information). It then enforces rules based on the data's state. Data at rest sitting on a drive, data in transit moving between devices, and data in use being actively accessed each get matching protections. DLP is the enforcement muscle behind the legal and compliance requirements in EK 5.2.A.1.
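The scan-then-enforce flow described above, as an added Python example (not from the original page or from any DLP product). The internal domain `example.com`, the function names, and the sample messages in the usage are assumptions constructed for illustration, and the detector covers only card numbers and SSNs in an outbound email.

```python
import re

# Assumption for this example: any recipient domain not listed here is external.
INTERNAL_DOMAINS = {"example.com"}

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSN layout ddd-dd-dddd, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Classification step: return the sensitive-data labels found in the text."""
    labels = set()
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            labels.add("PCI")
    if SSN_RE.search(text):
        labels.add("SSN")
    return labels


def check_outbound_email(recipient: str, body: str) -> tuple:
    """Enforcement step for data in transit: block labeled data leaving the org."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    labels = classify(body)
    if labels and domain not in INTERNAL_DOMAINS:
        return ("BLOCK", labels)
    return ("ALLOW", labels)
```

The same card number is allowed to an internal recipient and blocked to an external one, which is the difference between access control and DLP: the sender is authorized either way, and only the destination changes the outcome.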
DLP lives in Unit 5: Securing Applications and Data, specifically topic 5.2. It supports learning objective AP Cybersecurity 5.2.A, which asks you to explain how the state or classification of data changes the security applied to it. DLP is the practical answer to "so what do you actually DO with classified data?" It also ties into the managerial controls in AP Cybersecurity 5.2.B, since organizations write policies that define when and how DLP rules fire. The bigger theme is compliance: companies handling regulated data like PCI or PHI face legal requirements (EK 5.2.A.1), and DLP is how they prove they're keeping that data from leaking.
Data Classification and Data States (Unit 5)
DLP can't protect what it can't identify. You classify data and identify its state first (at rest, in transit, in use), and then DLP enforces the rules that match each state. Think of classification as labeling the boxes and DLP as the security guard checking labels at the exit.
Protected Health Information and Payment Card Information (Unit 5)
PHI and PCI are the textbook examples of data organizations are legally required to protect. DLP is one of the main tools that scans for these patterns and blocks them from leaving, which is how a company stays compliant with rules like HIPAA or PCI DSS.
Access Control Models (Unit 5)
Access control (RBAC, EK 5.2.C.2) decides who can touch data inside the system. DLP picks up where access control stops, watching what happens to data once an authorized user has it, so an accountant who can open payroll still can't email it out.
DLP shows up in Unit 5 questions about protecting data and meeting compliance requirements. On multiple choice, expect stems that describe a scenario, like an employee trying to email sensitive records externally, and ask which control would stop it. The answer is DLP. You may also see DLP paired with data classification: a question describes data being leaked and asks you to identify both the data state and the control that should have caught it. No released FRQ has used "DLP" verbatim, but the concept supports any free-response prompt asking you to recommend controls for protecting classified or regulated data. Be ready to connect DLP to data states (at rest, in transit, in use) and to specific data types like PHI and PCI.
Access control decides WHO is allowed to reach data in the first place (RBAC assigns roles, Linux rwx permissions set file access). DLP doesn't grant or deny access; it watches what authorized users do with data and blocks leaks. An employee can have full access to a file and still be stopped by DLP from emailing it outside the company.
DLP stands for data loss prevention, and it stops sensitive data from leaving an organization through email, uploads, USB drives, or other channels.
DLP depends on data classification first, because it has to know what's sensitive before it can protect it (EK 5.2.A.2).
DLP protects data across its states, especially data in transit and data in use, not just data sitting at rest.
Organizations use DLP to comply with legal requirements for regulated data like PHI and PCI (EK 5.2.A.1).
Access control decides who can reach data; DLP controls what happens to that data after access is granted.
On the exam, the correct control for a scenario where authorized data is being leaked outward is usually DLP.
DLP means data loss prevention, a control that monitors and blocks sensitive or classified data from leaking out of an organization. It appears in Unit 5 under topic 5.2 and supports objective AP Cybersecurity 5.2.A on protecting data based on its classification and state.
No. Access control (like RBAC or Linux rwx permissions) decides who is allowed to reach data, while DLP watches what authorized users do with data and blocks them from leaking it. A user can have legitimate access and still be stopped by DLP from emailing the file outside the company.
No. DLP protects data across all three states, but it's especially focused on data in transit (being sent between devices) and data in use (being actively accessed), since that's when leaks usually happen.
PHI (protected health information) and PCI (payment card information) are regulated data types organizations are legally required to protect. DLP scans for these patterns and blocks them from leaving, which is how a company meets compliance requirements described in EK 5.2.A.1.
DLP can only block what it can recognize as sensitive, so the data has to be classified first. Once data is labeled, DLP enforces the matching rules, like blocking files marked confidential from being uploaded to personal cloud storage.