
Making the Business Case for Data Security at Home and Away


Presentation Transcript


  1. Making the Business Case for Data Security at Home and Away CLT -2 Panel Discussion of the need for increased awareness of data security from the perspective of clients (corporations), law firms & consultants. LegalTech® New York January 30, 2013

  2. Speakers
  PANELISTS
  • Harvey Jang, Director, Privacy and Information Management at HP
  • Glenn Siriano, Principal, Advisory Services – Information Protection & Business Resiliency at KPMG
  • Abby Smith, IT Director Client Services, Security & Architecture at Purdue Pharma L.P.
  • Jim Fortmuller, Manager Systems Security at Kelley Drye & Warren LLP
  Moderator
  • Tom Morrissey, Sr. Director, IT Legal at Purdue Pharma L.P.

  3. Disclaimer The opinions expressed or presented during this session are those of the individual speakers and do not necessarily reflect the official policy or position of any of their respective employers.

  4. A real world example related to data security…
  • Former S.C. Department of Revenue computer security chief Scott Shealy spoke to his bosses for several years about how information should be encrypted and employees should be required to enter a code or scan a thumbprint to access the information.
  • Computer security experts said either step could have lessened the impact or stopped the hacker who accessed 4 million state tax returns and likely stole Social Security numbers, bank account information and other sensitive data.
  • “As a security officer, I was unable to adequately perform my job function because I did not have the support of my CIO.”
  • They were “more concerned with keeping employees from accessing news, sports and social media websites on their work computers than protecting taxpayer data like Social Security numbers.”
  (Photo caption: Former Department of Revenue computer security chief Scott Shealy testifies before a S.C. House committee in Columbia on Thursday, Jan 3, 2013.)

  5. Law Firms Must Protect Client Data and Maintain Confidentiality
  ABA Model Rules of Professional Conduct
  • Rule 1.6 (c): A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
  What are “reasonable efforts”? What Physical, Technical, and Administrative Controls Are Required?
  • Regulatory requirements (e.g., HIPAA, Massachusetts and other jurisdictions)
  • Industry standards and best practices (e.g., PCI Data Security Standards, ISO)
  • Client / contract requirements (e.g., security schedules)
  • Brand and reputation

  6. Law Firms Are A Target / Backdoor To Client Data
  • On November 1, 2009, the FBI issued an advisory warning to law firms that they were specifically being targeted by hackers.
  • “As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry.” (“China-Based Hackers Target Law Firms to Get Secret Deal Data,” Bloomberg, January 31, 2012, quoting Mary Galligan, Head of the FBI Cyber Division (NY))

  7. Controlling The Perimeter Is Not Enough
  (Slide graphic: a word cloud of cloud, SaaS and mobile services surrounding a timeline from Mainframe to Client/server to The Internet to “Mobile, social, big data & the cloud”, with “Every 60 seconds” statistics: 23,148 apps downloaded; 98,000 tweets; 400,710 ad requests; 2000 lyrics played on Tunewiki; 1500 pings sent on PingMe; 34,597 people using Zinio; 208,333 minutes of Angry Birds played.)
  New Access Methods
  • Technology has changed how information is created and accessed
  • There is no real perimeter anymore
  • The content itself must be protected

  8. What SHOULD law firms be doing to manage those expectations?
  • FFIEC requirements on non-bank providers with respect to security and controls
  • Adoption of a security controls framework, such as BITS, COBIT or ISO 27001
  • Implementation of applicable controls
  • Periodic self-assessment

  9. Corporate RFPs to Vendors/Firms
  • Remember the interview where the person asked you to “Tell me about yourself”?
  • You should have walked out. Bad interview ahead!
  • Same with the RFP.
  • Expectations should be set from the start.
  • Specific questions about assets and capabilities speak volumes about how serious the potential client is.
  • Allow for feedback and questions.

  10. Beyond Anti-Virus
  Solutions for providing security have evolved far beyond anti-virus, and there are now over 50 standard security technologies expected to be in place for a company to be considered as having a strong security platform, or “defense in depth.”
  Solutions include protections for desktop, data, server, network, email, web filtering, log management, virtualization, and overall risk and compliance.

  11. Requests for Security & Controls Standards
  Completion of a security risk assessment in an honest and accurate manner is more important than any single control, precaution, or procedure being in place. Not all controls are required; merely the knowledge of what is in place is required. Onsite follow-up visits can be conducted for high priority efforts.
  • Security Policies? Please provide copies of Corporate Security Policy and any other policies relating to information security: Acceptable Use Policy, Encryption Policy, Data Retention, Data Classification Policy, Certificate Policy, Audit Policy, Remote Access, etc.
  • Security Organization? Please provide a general outline of your security organization: number of dedicated full-time security professionals, number of shared resources, and reporting structure.
  • Procedures? Please provide a list of any documented procedures such as Certification Practice Statement, Standard Operating Procedures, Build Procedures, Incident Response Plan, Disaster Recovery Plan, etc.

  12. Types of Requests regarding security/controls
  Security and controls responses are evaluated with consideration for the type of confidential exchange, the type of information to be disclosed, and whether it is a mutual (2-way) agreement.
  • Access Controls?
    • What are the physical and console access restrictions, including firewall rules?
    • Authentication & account management
    • Where do you use encryption? Are the algorithms and vendors current?
  • Physical and Environmental Security?
    • How is physical security controlled at your facility? Is this done by a third party?
    • What are the environmental controls for air handling, fire suppression and detection systems, and environmental alerting systems?
  • Asset Classification and Control?
    • Data classification, labeling, and defined handling policies?
    • Data storage and co-location policies? Offshore and onshore?
    • Privacy-related data classification, labeling and handling policies?
    • Asset tracking & hardware inventory

  13. Types of Requests regarding security/controls
  Risk assessment, completed during review of the responses, includes risk of impact, likelihood of occurrence, and likelihood of detection.
  • Business Continuity Management?
    • Are there plans for availability, power capacity and planning?
    • Is Disaster Recovery in place?
    • Do data retention policies exist?
  • Incident Response and Management?
    • Incident response plan
    • Intrusion detection
    • Alerts, monitoring, configuration, location
    • Service level agreements
  • Antivirus?
    • Procedures
    • What devices are covered?
  • General Technology?
    • Database, server, network technology
    • What standards are in place?
    • Standard build and process
    • How many non-standard systems?

  14. Types of Requests regarding security/controls
  • Compliance, Law, and Investigation?
    • Do you maintain compliance with any of the above? How do you maintain compliance with the standard? Please provide the results of the last audit for this standard.
  • Audit and Assessment?
    • Please provide any policies or methodologies used in the following audits.
    • Please provide the interval at which you audit the following areas.
    • Please provide the results of your last audits of these types.
    • Do you use an independent 3rd party auditor? If so, who?
  • Third Party Agreements?
    • Any outsourced business agreements

  15. Information Security Sample Resource Sites
  • Krebs on Security – former Washington Post reporter
    • http://krebsonsecurity.com
    • http://krebsonsecurity.com/category/pharma-wars/
  • Verizon Security Blog
    • http://securityblog.verizonbusines.com/
  • Bat Blue Security Watch Desk
    • http://www.batblue.com/
  • Watchguard Security Center
    • http://watchguardsecuritycenter.com/
  • US Computer Emergency Readiness Team
    • http://www.us-cert.gov/
  • Mitigation Strategy from Dept of Defense AU
    • http://www.dsd.gov.au/images/top35-table-2012.png