CHECKING FOR WEAK LINKS: SECURITY AUDITS OF YOUR MOST POPULAR PLATFORMS

Author: Dwight Cummings

#ILTA134

ILTA 2015 TECHNOLOGY SURVEY – TOP FIVE AREAS OF FOCUS

• Security/Risk Management
• Change: Managing Expectations (Users and Management)
• Change: Users’ Acceptance of Change
• Email Management
• Change: Keeping Up with New Versions of Software

WHY SHOULD LAW FIRMS WORRY ABOUT VENDOR INFORMATION SECURITY?

• Safeguarding Client Data
• Maintaining Client Confidentiality and Attorney-Client/Work Product Privilege
• Protecting Firm Reputation

LEGAL OBLIGATIONS

• Relevant Laws
• Trends in Lawsuits

LEGAL OBLIGATIONS

• Relevant Law
  – Approximately 46 states have enacted breach notification laws
  – Still talk of a nationwide breach notification law
  – Breach notification requirements could prove devastating to a law firm’s reputation
  – Nevada District Ct. finds no standing to sue where the only risk is a potential for future harm
  – CA N.D. finds standing to sue where costs of credit monitoring, password protection and threatening e-mails are sufficient to show harm
  – Flow-through from OCC, CFPB, HIPAA, FDIC, FFIEC and other regulators, who often look through contractual relationships

LEGAL OBLIGATIONS

• Current Areas to Watch:
  – Insurer sued for declaration of non-liability where the insured failed to follow minimum required cybersecurity practices
  – State-sponsored attacks: some cyber policies contain language that limits coverage where the attack was initiated as an act of war or terrorism
  – Third party: some cyber insurance policies do NOT cover breaches of third parties or of data held by a third party (e.g. cloud services)
  – State or federal fines and penalties: many cyber insurance policies do not offer coverage for any fines or penalties that might be levied against a company

ETHICAL OBLIGATIONS

• ABA Rules
• Model Rules
• Trends in Lawsuits

ETHICAL OBLIGATIONS

• Relevant Regulations and Administrative Guidance – ABA Model Rules of Professional Conduct:
  – 1.1: … Attorneys must keep abreast of changes in the law, including the risks and benefits of technology
  – 1.6: Attorneys must take reasonable precautions with client data (storage and transmission)
  – 5.3: Using cloud-based storage – the attorney must take reasonable precautions to safeguard client data
• Ethical Obligations – state ethics opinions:
  – CA (Prof’l Resp. and Conduct Op. 2010-179): Attorney must take reasonable steps to ensure use of technology does not expose confidential client data
  – AZ (Ethics Op. 05-04): Attorney must have the expertise to assess HW/SW and network for data safeguards OR must retain an expert to do so
  – NJ (Ethics Op. 701): Documents transmitted via email over the internet should at a minimum be password protected
  – NY (Ethics Op. 842): Use of a third-party provider to store client data – MUST exercise reasonable care to protect client data
  – PA (Ethics Op. 2011-200): 15-point list of steps a firm may take to exercise reasonable care in client data storage (cloud based)

WHAT IS ISO 27001?

ISO 27001 is an international standard for information security. It specifies an information security management system (ISMS) and is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It covers all legal, physical and technical controls involved in an organization's information risk management processes.

ISO 27001 – SUPPLIER REQUIREMENTS

• Supplier security policy (A.15.1.1) – This is a control in ISO 27001:2013, and such a policy can cover a wide range of controls: how the screening of potential contractors is done, how the risk assessment of a supplier is made, which security clauses to insert into the contract, how to supervise the fulfillment of contractual security clauses, how to change the contract, how to close the access once the contract is terminated, etc.
• This is a mandatory policy under ISO 27001

ISO 27001 – SUPPLIER REQUIREMENTS

The following controls of the ISO 27001:2013 standard refer to supplier relationship management:

• 15.1.1 Information security policy for supplier relationships – The information security policy of the organization should address the processes and procedures to be implemented by the organization to mitigate the risks associated with the vendor, such as defining types of vendors, documenting the types of information access given to different vendors, etc.
• 15.1.2 Addressing security within supplier agreements – Contractual agreements between the suppliers and the organization should be documented to ensure that there will not be any misconceptions in future. For example, the organization may include legal and regulatory requirements, a 'right to audit' clause, terms and conditions, etc., in the contractual agreement.
• 15.1.3 Information and communication technology supply chain – Agreements with suppliers should include requirements to address information security risks associated with information and communication technology services, such as the monitoring process, rules for sharing information, etc.
• 15.2.1 Monitoring and review of supplier services – The organization should monitor, review and conduct audits of supplier services at regular intervals to ensure that the supplier adheres to the terms and conditions of the agreement. This can be achieved by monitoring the performance level of the supplier services and by reviewing the supplier's internal audit trails.
• 15.2.2 Managing changes to supplier services – Changes in supplier services, such as updates to the information security policy, use of new technologies/tools, changes to physical location, improved services, etc., should be managed by the organization.

OTHER SECURITY REQUIREMENTS BESIDES ISO 27001 - ABA

• Develop contractual security requirements for outsourcing vendors, cloud providers or other entities that connect to the firm’s network or handle client data, including notification in the event of a breach.
• This applies to any vendor that handles or has access to client data, including cloud vendors for document management, litigation support vendors that process your data, cloud archiving and email……

OTHER SECURITY REQUIREMENTS BESIDES ISO 27001 - HIPAA

• Health Insurance Portability & Accountability Act of 1996 and HIPAA Omnibus Rule
  – Establishes administrative, physical and technical security and privacy standards
  – Applies to both healthcare providers and business associates (3rd parties)

OTHER SECURITY REQUIREMENTS BESIDES ISO 27001

1. NIST – National Institute of Standards and Technology – less focus on third-party security
2. SSAE – Statements on Standards for Attestation Engagements – SSAE 16 is the standard for reporting on controls at service organizations; important for service providers
3. Shared Assessments Agreed Upon Procedures (AUP) – a standard for performing procedure-based on-site assessments at 3rd parties. CPA firms use AT 201 for attestation.

SECURITY AND VENDOR SELECTION

• It starts upfront – be proactive when assessing and selecting vendors
• Conduct Due Diligence. Whether or not an RFP is used, take the time to conduct due diligence on any prospective security vendor, including contacting former and existing clients (not just the clients on an approved reference list furnished by the vendor).
• Negotiate as You Would For Any Critical Vendor. Most law firms do not negotiate their security consulting agreements with the same level of care as they do other critical vendor agreements. At best this may lead to serious cost overruns. At worst, it may result in the very compromise of sensitive data the firm was trying to prevent.

VENDOR RISK MANAGEMENT

• What is Vendor Risk Management? – Vendor Risk Management (VRM) is a comprehensive plan for identifying and decreasing potential business uncertainties and legal liabilities in the hiring of third parties (vendors) to provide IT products, business process outsourcing and other related services

SETTING UP A BASIC VENDOR MANAGEMENT PROGRAM

SETTING UP A BASIC VENDOR MANAGEMENT PROGRAM – THE PROCESS

• Inventory Vendors
• Categorize Vendors
• Create Master Checklist
• Map Controls to Categories
• Create Vendor Risk Assessment Questionnaires
• Distribute Questionnaires to vendors
• Analyze responses
• Track exceptions to closure

INVENTORY VENDORS - BASIC INFORMATION

• Supplier Name:
• Support Location:
• Address:
• Contact Number:
• Respondent Name & Role:
• Supplier Profile:
• What is your organization's main business function?
• What function(s) does your organization perform for xxxx Law Firm?
• Is an industry-standard accreditation (ISO 27001 certification, independent audit, SSAE-16 report or equivalent) available?

CATEGORIZE VENDORS

• Geographic Challenges – if in the EU
• Industry Challenges – if in the health care industry

CATEGORIZE VENDORS

• Data Sensitivity – What is the nature of the data that the vendor will have access to?
  – No Risk: No data exchanged, no security impact
  – Low Risk: Only demographic information and projected financial information
  – Medium Risk: Only names, addresses and phone numbers
  – High Risk: Non-public private information (NPI), for example SSN, medical, financial, proprietary and private information about real individuals
• Is the data in physical or electronic form, or both?
• What business are they in?

CREATE MASTER CONTROLS CHECKLIST

• Policy Management
• Vendor/Third Party Management
• Asset Management
• Change Management
• Incident and Problem Management
• Data Management
• Risk Management
• Business Continuity Management
• HR Management
• Organizational Security
• Physical and Environmental
• Access Control
• Mobile
• Cloud
• Privacy
• Software Security

MAP CONTROLS TO CATEGORIES

• Map controls from the master list to categories based on:
  – What is relevant to the type of data being stored, processed or transmitted (e.g. if credit card data is involved, PCI may be more relevant)
  – What is relevant from a business perspective (e.g. a data center vs. a software maintenance vendor)
  – What is relevant from a geography perspective (e.g. EU privacy policies and practices)

CREATE QUESTIONNAIRE

• Policy Management
• Vendor/Third Party Management
• Asset Management
• Change Management
• Incident and Problem Management
• Data Management
• Risk Management
• Business Continuity Management
• HR Management
• Organizational Security
• Physical and Environmental
• Access Control
• Mobile
• Cloud
• Privacy
• Software Security

CREATE QUESTIONNAIRE

• Has a security policy document(s) been published and enforced in your organization?
• Do you have policies and procedures covering the following:
  – HR practices?
  – Authorized/acceptable use of networked services?
  – Use of corporate email, intranet and Internet?
  – Password management?
  – Software/hardware acquisition?
  – Change management?
  – Encryption policy and standards?
  – Security-related incident response/handling?

CREATE QUESTIONNAIRE

• Has a security policy document(s) been published and enforced in your organization?
• Do you have policies and procedures covering the following:
  – Third-party access and remote access?
  – Do you outsource any security management functionality?
  – Are policies and procedures updated frequently?
  – Is a senior corporate official directly responsible for the implementation of your organizational security policy?
  – Are procedures employed to ensure compliance with privacy law/regulation requirements related to maintaining security, confidentiality and protection of customer data?

CREATE QUESTIONNAIRE

• Do you have information security staff dedicated to the following?
  – Security awareness?
  – Policy enforcement?
  – Risk evaluation?
  – Risk mitigation?
  – Regulatory compliance?
• Are the consequences of non-compliance with the policies clearly documented?

CREATE QUESTIONNAIRE

• Can you provide a recent SSAE-16 report or other industry-recognized audit report?
• Do you limit administrator-level access on network and systems infrastructure?
• Is your information security staff professionally certified?
• What is the average tenure of your information security staff? ☐ 1–3 years ☐ 3–5 years ☐ 5+ years
• Is access to security logs strictly controlled (firewall logs, IDS logs, etc.)?
• Do you employ version management and build & deploy processes?

CREATE QUESTIONNAIRE

• Disaster Recovery and Business Continuity
  – Are backup/recovery procedures regularly tested?
  – Are backup/restore procedures documented?
  – Can you meet the recovery time objective(s) (RTO) and recovery point objective(s) (RPO) for all products and services contracted for?
  – Is there a business continuity plan (BCP)?

CREATE QUESTIONNAIRE EXAMPLE

• Intel – Supplier Security Requirements and Expectations: https://supplier.intel.com/static/governance/documents/SSRE%20%20Ver%205%200.pdf
• Shared Assessments Standardized Information Gathering (SIG) Questionnaire
  – Used as part of the standard in the Legal Vendor Network

DISTRIBUTE THE QUESTIONNAIRE

• Let them know it will be coming
• Be prepared to answer questions
• Make sure to ask for documentation
• Set a deadline

ANALYZE RESPONSES

• Answers to questions
• Comments
• Supporting materials
• Identify issues
• Identify exceptions and remediation

TRACK EXCEPTIONS

• Document issues
• Communicate issues to the vendor
• Give a timeframe for remediation
• Work with the vendor
• Follow up
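The eight-step process above (inventory, categorize, map controls, question, analyze, track exceptions to closure) is easy to describe and easy to lose track of in spreadsheets. The following Python script is an added example, not code from the ILTA presentation or from any vendor-management product: it encodes the data-sensitivity tiers from the CATEGORIZE VENDORS slide, selects domains from the 16-item master checklist using rules of the kind the MAP CONTROLS TO CATEGORIES slide describes (data type, business type, geography/industry), turns questionnaire answers into exceptions and reports which are still open or overdue. The keyword sets, the mapping rules, the vendor names, the answers and the dates are all constructed assumptions; a firm would replace them with its own classification scheme.

```python
"""Vendor risk management workflow: inventory -> categorize -> map controls ->
analyze responses -> track exceptions to closure.  Added example; tiering
keywords, mapping rules and all sample vendors/answers/dates are assumptions."""
from dataclasses import dataclass
from datetime import date
from enum import IntEnum

# The 16 control domains of the master controls checklist, in slide order.
MASTER_CHECKLIST = [
    "Policy Management", "Vendor/Third Party Management", "Asset Management",
    "Change Management", "Incident and Problem Management", "Data Management",
    "Risk Management", "Business Continuity Management", "HR Management",
    "Organizational Security", "Physical and Environmental", "Access Control",
    "Mobile", "Cloud", "Privacy", "Software Security",
]

class DataRisk(IntEnum):
    """Data-sensitivity tiers from the CATEGORIZE VENDORS slide."""
    NO_RISK = 0   # no data exchanged
    LOW = 1       # demographic / projected financial only
    MEDIUM = 2    # names, addresses, phone numbers
    HIGH = 3      # non-public private information (NPI)

# Keyword sets are assumptions standing in for a firm's data classification scheme.
HIGH_RISK_DATA = {"ssn", "medical", "financial", "proprietary", "private"}
MEDIUM_RISK_DATA = {"names", "addresses", "phone numbers"}

@dataclass
class Vendor:
    name: str
    service: str        # e.g. "data center", "software maintenance", "cloud"
    data_types: set     # data the vendor stores, processes or transmits
    regions: set        # where the vendor operates
    industries: set     # industries the vendor serves

@dataclass
class Finding:          # one questionnaire exception, tracked until closed
    vendor: str
    question: str
    due: date
    closed: bool = False

def classify_data(data_types):
    """Any NPI element pushes the vendor to the highest tier; tiers never average out."""
    types = {t.lower() for t in data_types}
    if not types:
        return DataRisk.NO_RISK
    if types & HIGH_RISK_DATA:
        return DataRisk.HIGH
    if types & MEDIUM_RISK_DATA:
        return DataRisk.MEDIUM
    return DataRisk.LOW

def applicable_controls(vendor):
    """Select master-checklist domains by data tier, business type and geography/industry."""
    risk = classify_data(vendor.data_types)
    if risk == DataRisk.NO_RISK:
        return ["Vendor/Third Party Management"]   # contract hygiene only
    domains = {"Policy Management", "Vendor/Third Party Management", "Risk Management",
               "Incident and Problem Management", "Data Management", "Access Control"}
    if risk >= DataRisk.MEDIUM:
        domains |= {"HR Management", "Organizational Security"}
    if risk == DataRisk.HIGH:
        domains |= {"Asset Management", "Business Continuity Management"}
    # Geography / industry: EU privacy rules and HIPAA both pull in the Privacy domain.
    if "eu" in {r.lower() for r in vendor.regions} or \
            "health care" in {i.lower() for i in vendor.industries}:
        domains.add("Privacy")
    # Business type: a data center, a software maintainer and a cloud provider differ.
    service = vendor.service.lower()
    if service == "data center":
        domains |= {"Physical and Environmental", "Business Continuity Management"}
    elif service == "software maintenance":
        domains |= {"Change Management", "Software Security"}
    elif service == "cloud":
        domains |= {"Cloud", "Business Continuity Management"}
    if "mobile" in service:
        domains.add("Mobile")
    return [d for d in MASTER_CHECKLIST if d in domains]   # keep checklist order

def analyze_responses(vendor, responses, due):
    """responses maps question -> "Yes"/"No"; every non-Yes answer becomes an exception."""
    return [Finding(vendor.name, q, due) for q, a in responses.items()
            if a.strip().lower() != "yes"]

def open_findings(findings, today):
    """Exceptions not yet closed, paired with whether their remediation deadline has passed."""
    return [(f, f.due < today) for f in findings if not f.closed]

# Constructed sample inventory, answers and dates (not real vendors or real assessments).
SAMPLE_VENDORS = [
    Vendor("Acme Hosting", "data center", {"ssn", "names"}, {"US"}, {"legal"}),
    Vendor("EU Doc Review", "cloud", {"names", "addresses"}, {"EU"}, {"legal"}),
    Vendor("Office Supplies Co", "supplies", set(), {"US"}, set()),
]
SAMPLE_RESPONSES = {
    "Can you provide a recent SSAE-16 report?": "Yes",
    "Do you limit administrator-level access on network and systems?": "No",
    "Are backup/recovery procedures regularly tested?": "No",
}
SAMPLE_DUE = date(2015, 10, 1)          # remediation deadline given to the vendor
SAMPLE_REVIEW_DATE = date(2015, 10, 15) # date of the follow-up review
```

Running `applicable_controls` over `SAMPLE_VENDORS` gives the data-center vendor holding SSNs the physical, continuity and asset domains on top of the baseline, gives the EU cloud vendor the Privacy and Cloud domains, and leaves the no-data supplier with contract management only; `analyze_responses` on the constructed answers yields two findings, and `open_findings` flags both as overdue at the review date until they are marked closed. The point of keeping the rules in code rather than in a spreadsheet is that the mapping is reviewable and repeatable across the whole inventory, which is what the "track exceptions to closure" step needs.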

ONGOING MONITORING

• Compliance monitoring (control A.15.2.1). You may hope that your supplier will comply with all the security clauses in the agreement, but this is very often not the case. This is why you have to monitor and, if necessary, audit whether they comply with all the clauses. For instance, if they agreed to give access to your data only to a small number of their employees, this is something you need to check.

LEGAL VENDOR NETWORK

• Standardized assessment
• Shared assessment collection and distribution
• Meet requirements from clients
• Utilize threat intelligence for continuous monitoring
• Perform assessment, risk management and remediation securely in the same platform
• Steering Committee made up of leading law firms determining the standard

CHALLENGES

- Time
- Cost
- Ongoing efforts

THANK YOU

• Questions and Discussion