Which option best describes a primary approach to data loss prevention (DLP) on endpoints?

A comprehensive endpoint DLP works by combining multiple controls to detect and prevent data leakage: content filtering, device controls, policies, and encryption. Content filtering lets the system identify sensitive information in documents, emails, and other data, and block or flag it when it tries to leave the device. Device controls manage how data can be moved or stored, such as restricting USB drives or requiring encryption on removable media. Policies codify what constitutes leakage and specify the actions to take, like alerting, blocking, or quarantining at the endpoint. Encryption protects data so that even if it is copied or accessed by an unauthorized party, its contents remain unread without the key. Together, these elements cover data as it sits on the device, moves via multiple channels, and is stored, making leakage much harder in real-world use. Relying only on user education misses the enforcement side; network firewalls address data in transit across networks but don’t control or detect leakage on the endpoint itself; encryption of data in transit alone doesn’t stop leakage from the device or data at rest.