Question 35
Domain 5 — Privacy Operations, Incident Response, and Continuous Improvement
Which of the following is the BEST course of action to prevent false positives from data loss prevention (DLP) tools?
Correct answer: D
Explanation
DLP tools rely on tuned policies and configuration rules to identify sensitive data, so false positives often happen when those rules are too broad or outdated. Re-establishing baselines for configuration rules lets the organization compare current activity against normal behavior and adjust thresholds, reducing unnecessary alerts.
Why each option is right or wrong
A. Conduct additional discovery scans.
More discovery scans increase visibility, but do not fix miscalibrated detection logic causing false positives.
B. Suppress the alerts generating the false positives.
Suppressing alerts hides symptoms and can cause real data loss events to be missed.
C. Evaluate new data loss prevention (DLP) tools.
A different DLP product may still produce false positives if policies and baselines remain poorly tuned.
D. Re-establish baselines for configuration rules.
Under NIST SP 800-137, continuous monitoring requires organizations to establish and periodically refresh a baseline of normal activity so alerts can be evaluated against current conditions rather than stale assumptions. In DLP deployments, overly broad or outdated configuration rules are a common cause of false positives; re-establishing the baseline lets the team retune those rules and thresholds to the actual data flows and sensitivity patterns observed in the environment.