CyberSecurity: Protecting Law Firms - Vanderburg - JurInnov



DESCRIPTION

Timothy Opsitnick, Senior Partner, and Eric Vanderburg, Director of Information Systems and Security at JurInnov, explain how to implement information security at Law Firms.

TRANSCRIPT

1. CyberSecurity: Protecting Law Firms
April 22, 2013
CONFIDENTIAL. © 2013 JurInnov, Ltd. All Rights Reserved

2. Agenda
• The World Around Us
• How JurInnov Helps
• Recommended Service

3. The World Around Us

4. How Do You Measure Success?
Risk Management and Compliance Areas (U.S. and Global):
• Anti-money laundering (AML)
• Bribery / FCPA / UKBA
• Business ethics
• Code of business conduct
• Competition / antitrust
• Country law
• CYBERSECURITY
• Department of Transportation (logistics distribution / reverse distribution)
• Environmental
• Employment compliance (wage and hour / facility accessibility)
• Employment practices / workplace rights
• Export controls / ITAR / dual use technology / military use technology
• Food safety / labeling
• Government relations
• Import / customs
• Information protection
• Intellectual property
• Licenses and permits
• OSHA (health and safety)
• Product stewardship / product safety
• Pharmacy and health services
• Privacy
• Records and information management
• Securities law (including insider trading, Dodd Frank)
• Supply chain / conflict minerals
• Third party management
• Trade sanctions / Office of Financial Assets Control (OFAC)
• Government boycotts / Bureau of Industry and Security

5. Data Breaches Grow in Number and Scale
This past year saw major hacks at:
• Zappos (24M customer accounts)
• Stratfor (private U.S. intelligence firm; 5M e-mails)
• Global Payments (1.5M credit card numbers)
• LinkedIn (6.5M passwords)
• eHarmony (1.5M passwords)
• Yahoo (0.5M passwords)
• Nationwide Mutual (1.1M customer accounts)
• Wyndham Worldwide (600K credit card numbers)
"...many large organizations reported that security breaches were caused by their own staff, most commonly through ignorance of security practices."
Source: Cyber-security and Data Privacy Outlook and Review: 2013, Gibson, Dunn & Crutcher, 04/16/13

6. New ABA Ethics Rule: Lawyers' Obligation
August 2012 change to the Rule 1.1 Comment, shown below in italics.
Rule 1.1 Competence: "A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation."
Comment to the Rule, Maintaining Competence: "To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject."

7. Additional Obligations
• Rule 1.6 Confidentiality, Comment 16: "...act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons..."
• ABA Formal Ethics Opinion 95-398: "[a] lawyer who gives a computer maintenance company access to information in client files must make reasonable efforts to ensure that the company has in place, or will establish, reasonable procedures to protect the confidentiality of client information."
• 2013 HIPAA Omnibus Rules: Law firms having contact with PHI must revisit policies and practices, enforce information security controls, protect confidential information, monitor workforce information access, and track compliance.

8. Cyberattacks Against Law Firms Are on the Rise
"We have seen over the last three years an increase in the targeting of law firms." Trent Teyema, FBI Cyber Crimes, Washington, D.C., National Law Journal, 04/23/12
"Law firms have incredibly valuable and sensitive information ... the Internet just provides a whole other methodology through which the information can be accessed and pilfered." The Wall Street Journal, 06/26/12

9. Why Law Firms?
"The more mobility you have, the more documents you're sending through the Internet, the more likely you are to be the victim of a cyber attack, and that's what we're seeing at law firms." Mary Galligan, FBI NY Special Agent, Cyber/Special Ops, Law Technology News, 02/01/13
"...some of the most vulnerable targets are law firms, which hold so much information of their clients and serve as gates to their clients." Laurel Bellows, ABA President, Law Practice Today, 04/13

10. What are Cybercriminals After?
Access to:
• Lists of confidential witnesses
• Patent applications
• Financial information
• M&A documents
• Intellectual property
• Drug study results
• Client correspondence
• Possible litigation claims
Business disruption of:
• Calendar system
• Billing system
• Website

11. Improving Critical Infrastructure Cybersecurity
Executive Order, Federal Register 13636: February 19, 2013
"WASHINGTON (Reuters) - U.S. President Barack Obama on Tuesday signed an executive order seeking better protection of the country's critical infrastructure from cyber attacks that are a growing concern to the economy and national security." Reuters, 02/12/13

12. President Obama: Cyber Threats
"We know hackers steal people's identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems." U.S. President Barack Obama, State of the Union Speech, 02/12/13
(Continued)

13. President Obama: Cyber Threats
"Cyber threat is one of the most serious economic and national security challenges we face as a nation. America's economic prosperity in the 21st century will depend on cybersecurity. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy." U.S. President Barack Obama, State of the Union Speech, 02/12/13

14. Cyberspace Policy Review Near Term Actions: What are Yours?
1. Appoint a cybersecurity policy official responsible for coordinating the Nation's cybersecurity policies and activities.
2. Prepare for the President's approval an updated national strategy to secure the information and communications infrastructure.
3. Designate cybersecurity as one of the President's key management priorities and establish performance metrics.
4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
5. Conduct interagency-cleared legal analyses of priority cybersecurity-related issues.
6. Initiate a national awareness and education campaign to promote cybersecurity.
7. Develop an international cybersecurity policy framework and strengthen our international partnerships.
8. Prepare a cybersecurity incident response plan and initiate a dialog to enhance public-private partnerships.
9. Develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure.
10. Build a cybersecurity-based identity management vision and strategy, leveraging privacy-enhancing technologies for the Nation.
Source: Executive Order, Improving Critical Infrastructure Cybersecurity, Federal Register 13636 (02/19/13)

15. Cybersecurity Maturity: Where are You?
Elements of Effective Cybersecurity:
• Culture of Security
• Legal Requirements
• Training and Education
• Policy, Procedure and Controls
• Monitor and Auditing
• Response and Documentation
• Information Management
• Accountability
Maturity levels, from lowest to highest:
• Ad Hoc: Informal; Reactive; Inconsistent performance
• Developing: Some consistency; Lacks rigorous process discipline
• Practicing: Defined controls; Documented standards; Consistent performance; Likely repeatable
• Optimizing: Effective controls; Uses process metrics; Targeted improvement
• Leading: Integrated strategies; Innovative changes; Seamless controls

16. How JurInnov Helps

17. Cybersecurity Solutions
• Cybersecurity Survey
• Training: Cybersecurity, Breach Response and Computer Forensic Breach Investigation
• Incident Response Planning
• Cybersecurity Assessment / Audit
• Cybersecurity Risk Management and Strategic Planning
• Cybersecurity Policy Review and Development

18. Recommended Service

19. Where to Start: The Cybersecurity Survey
A quick assessment of meaningful performance indicators to take the pulse of the organization's cybersecurity environment. Five confidence areas:
• Access Controls
• Business Continuity
• Application Security
• Security Governance
• Security Awareness

20. The Cybersecurity Survey
• Objective: Identify areas where the company is performing well and areas where information security can be improved
• Scope: Conduct a high level security review, gain insight into the current level of information security and develop recommendations
• Deliverable: Acknowledges elements that are appropriately secured; provides confidential recommendations and workable action items; priorities based on acceptable risk profile, effort and budget

21. Access Control Indicators
• Access Controls Checklist
• Audit Log Retention
• Firewall Firmware
• Encrypted Mobile Devices
• System Availability
Do you know everyone who has access to your systems? How would you know if an unauthorized person accessed sensitive data?

22. Business Continuity Indicators
• Uninterruptible Power
• Restore Testing
• Disaster Recovery Planning
• Business Continuity Testing
• Scheduled Maintenance
Are you certain that you can recover from an unexpected loss?

23. Application Security Indicators
• Security Patching
• Malicious Programs
• Application Security Review
• Antivirus Software
• Virus Updates
Have your applications been tested from a security viewpoint?

24. Security Governance Indicators
• Configuration Management
• Incident Response
• Media Sanitation
• Documented Security Controls
• Vulnerability Mitigation
How does your management team make and implement decisions about information security?

25. Security Awareness Indicators
• Password Awareness
• Data Storage Awareness
• Mobile Awareness
• Software Awareness
• Email Awareness
Do your employees know and understand your security policies? Are they disciplined in their daily behaviors?

26. The Approach Taken (3-5 Weeks)
Activities are shared between the Customer, JurInnov and a Joint Team:
• Kick-off the Project
• Discuss Environment and Data Requests
• Customize Survey, based on Customer Specifics
• JurInnov Launches the Employee Awareness Survey
• Complete Employee Awareness Survey
• Gather / Provide Data
• Analyze Inputs
• Prepare Recommendations
• Discuss Recommendations
• Confirm Prioritized Action Items

27. Deliverable: Example, Metric Description Template
One page per metric within each of the 5 confidence areas; describes the metrics used to determine risk within the area. Example for the Access Controls area (metrics: Access Controls Checklist, Audit Log Retention, Firewall Firmware, Encrypted Mobile Devices, System Availability), shown for the Access Controls Checklist:
• Calculation: Percentage of items indicating secure practices
• Application: Provides general measurement for access control
• Recommended Target: Aim to meet all controls
• Data Source: Interview to complete the checklist

28. Deliverable: Example, Results Template
Describes the results for each confidence area (total 5 pages). The specific metrics listed depend on the results found.
Rank | Metric | Risk | Highlights
1 | Average days for retaining server audit logs | Low | Disk - 60 days; Tape - 1 year
2 | Availability % of key information systems in the last 6 months | Low | 99.96%
3 | Access Controls Checklist | Low | 81%
4 | Average days to apply firmware to firewalls | High | 470
5 | Percentage of mobile devices that are properly encrypted | High | Laptops - yes; Blackberries - no

29. Deliverable: Example, Recommendations Template
Describes the recommendations for each confidence area (total 5 pages). The specific recommendations listed depend on the results found.
No. | Recommendation | Recommended Priority | Effort Needed
1 | Encrypt Blackberries and require passwords | High | Low
2 | Update firewall firmware | High | Low
3 | Check firewall security advisories regularly | Medium | Low

30. Project Description
Step 1: Launch Project
• Activities: Determine interviewees and questionnaire recipients; Schedule up to five telephone interviews; Distribute questionnaires and employee awareness surveys
• Deliverables: Interview schedule
Step 2: Collect Preliminary Information and Prepare for Interviews
• Activities: Receive completed questionnaires; Analyze preliminary data to prepare for interviews
• Deliverables: Customized interview questions based on preliminary data
Step 3: Conduct Telephone Interviews
• Activities: Conduct one interview for each confidence area:
  o Access Controls: Physical security staff; Server administrator(s); Datacenter administrator(s)
  o Business Continuity: Risk manager(s); Information technology staff
  o Application Security: Information technology staff; Software development staff
  o Security Governance: Management personnel; Compliance officers; Privacy officers
  o Security Awareness: Human resource staff; Compliance officers
• Deliverables: Inputs to information security analysis
Step 4: Analyze Results for Final Report
• Activities: Analyze inputs from questionnaires, interviews and awareness surveys; Calculate metrics and identify recommendations; Rank recommendations by risk level (low, medium, high) and effort required (low, medium, high)
• Deliverables: Survey findings and recommendations
Step 5: Present Report
• Activities: Present project findings, recommendations, and next steps (via Webex)
• Deliverables: Communicated survey findings and recommended action items
PRICE: $6,000

31. Next Steps
1. Determine and complete changes to standard project plan, as needed
2. Determine and complete additional proposal documentation, as needed

32. Cybersecurity Solutions
• Cybersecurity Survey
• Training: Cybersecurity, Breach Response and Computer Forensic Breach Investigation
• Incident Response Planning
• Cybersecurity Assessment / Audit
• Cybersecurity Risk Management and Strategic Planning
• Cybersecurity Policy Review and Development

33. Contact Information
• Timothy M. Opsitnick, Esq., Founder and General Counsel, [email protected], 216-664-0900
• Eric A. Vanderburg, MBA, CISSP, Director, Cybersecurity and Information Systems, [email protected], 216-664-1100

34. CyberSecurity: Protecting Law Firms
April 22, 2013