TRANSCRIPT
© 2017 Financial Industry Regulatory Authority, Inc. All rights reserved.
Cybersecurity Threats and Loss Prevention (Medium and Large Firm Focus) Tuesday, May 16 3:00 p.m. – 4:00 p.m.
Every firm needs a cybersecurity program. Is your current plan as comprehensive or robust as it could be? Are you effectively protecting your firm and your clients from threats? This session provides guidance on useful practices for protecting customer information, what to do in the event of a data breach, and tackling other cybersecurity situations. Whether you're just starting out or updating a well-documented approach, this session provides strong, actionable practices, and highlights in-depth tools to help you strengthen your cybersecurity program.

Moderator: David Kelley, Surveillance Director, FINRA Kansas City District Office

Panelists:
Richard Hannibal, Assistant Director, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission (SEC)
Stephanie Mumford, Chief Compliance Officer and Senior Legal Counsel, T. Rowe Price Investment Services, Inc.
Andy Zolper, Senior Vice President and Chief Information Security Officer, Raymond James Financial, Inc.
Panelist Bios:

Moderator: Dave Kelley is the Surveillance Director based out of FINRA’s Kansas City District office, and has been with FINRA for six years. Mr. Kelley also leads FINRA’s Sales Practice exam program for cybersecurity and the Regulatory Specialist team for Cyber Security, IT Controls and Privacy. Prior to joining FINRA, he worked for more than 19 years at American Century Investments in various positions, including Chief Privacy Officer, Director of IT Audit and Director of Electronic Commerce Controls. He led the development of website controls, including customer application security, ethical hacking programs and application controls. Mr. Kelley is a CPA and Certified Internal Auditor, and previously held the Series 7 and 24 licenses.

Panelists: Richard Hannibal has been an Assistant Director in the SEC’s Office of Compliance Inspections and Examinations for 18 years and has been with the Commission for 22 years. After serving 17 years in the Broker-Dealer Examination Program, he recently moved over to OCIE’s Technology Controls Program. Previously, he was a branch chief conducting inspections of the Self-Regulatory Organizations. Prior to coming to the Commission, Mr. Hannibal spent five years at the Legal Services Corporation (government funded legal aid) in a senior regulatory position and seven years as a litigator with a small DC law firm. Mr. Hannibal is a graduate of Wheaton College (Illinois) and Georgetown University Law Center (JD).

Stephanie Mumford is the Chief Compliance Officer and Senior Legal Counsel of T. Rowe Price Investment Services, Inc., within the Legal Division of T. Rowe Price. In this role, Ms. Mumford provides legal counsel and guidance related to T. Rowe Price Investment Services, Inc., and distribution-related initiatives and business activities in the U.S. Intermediaries and the Individual & Retirement Plan Services divisions. Prior to joining T. Rowe Price in 2013, Ms. Mumford served as special counsel for the Securities and Exchange Commission (SEC) in the Division of Trading and Markets. She previously held the position of senior counsel in SEC’s Office of Compliance Inspections and Examinations. Before her experience at the SEC, Ms. Mumford worked at the Financial Industry Regulatory Authority (FINRA) as counsel in FINRA’s Market Regulation Department. In addition, she previously held compliance positions at Linsco/Private Ledger and The Vanguard Group. Ms. Mumford received her B.A. from Washington and Jefferson College, her M.B.A. from Clemson University and her J.D. from the University of San Diego School of Law. She is a Series 4, 7, 24, and 53 registered representative and is a member of the New York State Bar Association.

Andy Zolper is Chief Information Security Officer for Raymond James Financial, Inc., a diversified financial services provider with subsidiaries engaged in investment and financial planning, investment banking and asset management. Through its three broker-dealer subsidiaries, Raymond James Financial has more than 6,300 financial advisers, serving more than 2.5 million accounts in more than 2,500 locations throughout the United States, Canada and overseas. As CISO, Mr. Zolper provides strategic direction to identify appropriate security measures, sponsors implementation of security solutions, manages daily security operations and provides governance to manage technology risk—all in order to help Raymond James achieve its business objectives. Mr. Zolper was previously at UBS as CISO of its Wealth Management Americas division, and later as global head of IT Risk Management. Prior to joining UBS, he led teams in IT risk management, global program management and business process reengineering at JPMorgan Chase. Before working at JPMC, Mr. Zolper was responsible for application development at Sterling Resources Inc., and developed the company's process reengineering, e-learning and knowledge management software products. Before joining Sterling Resources, he served in various management roles at Verizon, ranging from staff director of competitive intelligence analysis to field management of "fiber to the curb" deployment. Mr. Zolper graduated from the Virginia Military Institute. He is a U.S. Marine Corps veteran, having served as a communications and signals intelligence officer. He is a graduate of SIFMA's Securities Industry Institute at The Wharton School, a Registered Operations Professional (Series 99), a certified Six Sigma Black Belt and a Certified Information Security Manager (CISM). He represents Raymond James on the Advisory Council of BITS, the technology policy division of The Financial Services Roundtable, and is a member of SIFMA’s Cyber Security Working Group.
FINRA Annual Conference, May 16-18, 2017 • Washington, DC
Cybersecurity Threats and Loss Prevention (Medium and Large Firm Focus)
FINRA Annual Conference © 2017 FINRA. All rights reserved.
Panelists
Moderator: David Kelley, Surveillance Director, FINRA Kansas City District Office
Panelists: Richard Hannibal, Assistant Director, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission (SEC); Stephanie Mumford, Chief Compliance Officer and Senior Legal Counsel, T. Rowe Price Investment Services, Inc.; Andy Zolper, Senior Vice President and Chief Information Security Officer, Raymond James Financial, Inc.
To Access Polling
Under the “Schedule” icon on the home screen, select the day, choose the Cybersecurity Threats and Loss Prevention (Medium and Large Firm Focus) session, and click on the polling icon.
Polling Question 1
1. How would you rate your firm’s Cybersecurity Program (“Program”) today?
a. Program is robust and up to date
b. Program exists, but needs enhancements
c. Currently working on establishing a Program
d. Do not have a Program
Polling Question #2
2. What is your firm’s biggest challenge in building a robust Program?
a. Inadequate resources or expertise
b. Engagement of senior management support
c. Achieving employee awareness
d. Need for better IT tools/systems
e. Insufficient sharing of information among BD peers and/or regulators
Cybersecurity Issues
Phishing / Spear Phishing
Third Party Wires
Stolen Credentials – Customers, Employees and Reps.
Ransomware
DDOS (Distributed Denial-of-Service) Attacks
Internal Fraud
Polling Question #3
3. Has your firm experienced a cyber related incident in the past year?
a. Yes – Phishing
b. Yes – 3rd Party Wire
c. Yes – Internal Fraud
d. Yes – DDOS
e. Yes – Other Incident
f. Multiple Incidents
g. No
FINRA Cybersecurity Exam Program
Examinations are being conducted by FINRA examiners and may address the following areas:
Governance
Risk Management
Internal Risk Assessment (IA)
Vendor Management
Asset Management
Secure Configuration
Access Control and Physical Security
Training and Security Awareness
Infrastructure Controls (Tech Controls)
Vulnerability Management
Website Controls
Data Protection
External Risk Assessments
Incident Response
Cloud
Branch Controls
The Basics
Encryption
Passwords / Remote Access
Virus / Malware Protection / Spam Filters
Operating System Patching
Hand Held Devices
Incident Response Management
Insurance
Internal Audit’s Role
Governance
Firms should establish Information Security frameworks that support informed decision-making and escalation at appropriate levels within the organization. This would include:
Active senior management and, as appropriate, board level oversight of cyber security
Articulated risk appetite that guides firm decision-making with respect to the acceptance, mitigation, avoidance or transfer of risks
Defined accountabilities, structures, policies and procedures to support decision-making based on risk appetite and industry effective practices
Use of appropriate metrics and thresholds
Risk Assessment
Firms should conduct regular risk assessments to identify vulnerabilities and prioritize risk remediation activities.
As defined by the International Organization for Standardization (ISO), risk assessment is a systematic approach to estimating the magnitude of risks (risk analysis) and comparing risk to risk criteria (risk evaluation). It is an ongoing process, not a single point-in-time review.
Scope of a risk assessment would include:
Critical asset inventory and vulnerability assessment of these assets
Threat & Risk evaluation (external & internal) and prioritization
Vendors and their Affiliates
Cybersecurity Training
Firms should provide CYBERSECURITY TRAINING to their staff and provide additional training based on staff’s role. Appropriate types of training are driven by:
Experience with cyber security incidents
Risk assessment
Awareness and intelligence about threats the firm may face
Phishing training
Password tips
Annual compliance meeting and periodic email alerts
Access Management
Access to information, physical assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
Access is granted based on role within the organization, incorporating the principles of least privilege and separation of duties
Employee, contractor, third party, and customer entitlement management
Physical access to assets is managed and protected
Both access to information and physical assets is reviewed and approved on a regular basis.
Multi-Factor Authentication
Branch Controls
Firms should have policies and procedures dealing with cybersecurity issues at branch locations. Topics include:
Processes in place to verify controls have been implemented and are functioning as intended.
• Physical Security
• Virus and Malware Protection
• Patching
• Training and Awareness
• Vendor / Cloud Usage
• Encryption
• Reporting of lost/stolen assets
• The Use of Passwords
• Business Continuity Planning/Testing
• Representative Certifications
Vendor Management
Vendor management covers the lifecycle of the relationship, from initiation through termination, and should be risk-based, i.e., there is greater due diligence and oversight on vendors who have access to sensitive data or processes.
Onboarding: establish controls and associated contractual terms/conditions
Operational Oversight: annual audit and testing along with contingency planning
Termination: access and disposal of sensitive / confidential data
Use of the Cloud
Use of cloud computing, if done right, can provide many benefits to a firm, including delivery of strong security controls (the converse is also true). Types of cloud usage include:
Document storage, for instance Dropbox or Google Drive
Software as a Service (SaaS), such as Salesforce, Redtail or Smarsh
Infrastructure as a Service (IaaS), such as Amazon AWS or Azure
Controls and processes for monitoring mirror vendor management.
Supplemental Guidance
FINRA Report on Cybersecurity: www.finra.org/file/report-cybersecurity-practices
FINRA Small Firm Cybersecurity Checklist: www.finra.org/industry/cybersecurity
NIST: www.nist.gov/cyberframework/index.cfm
SIFMA Cybersecurity Resource Center: www.sifma.org/issues/operations-and-technology/cybersecurity/overview/
SANS 20 Critical Security Controls: www.sans.org/critical-security-controls
Supplemental Guidance
SEC, National Examination Program (NEP) Risk Alert, Cybersecurity Examination Sweep Summary (February 3, 2015): www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf
SEC, Division of Investment Management, Guidance Update – Cybersecurity Guidance (April 2015): www.sec.gov/investment/im-guidance-2015-02.pdf
Department of Justice, Cybersecurity Unit, Computer Crime & Intellectual Property Section, Criminal Division, Best Practices for Victim Response and Reporting of Cyber Incidents (April 2015): www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/04/30/04272015reporting-cyber-incidents-final.pdf
Cybersecurity Threats and Loss Prevention (Medium and Large Firm Focus), Tuesday, May 16, 3:00 p.m. – 4:00 p.m.

Resources

FINRA Resources
• 2015 Report on Cybersecurity Practices (February 2015): www.finra.org/file/report-cybersecurity-practices
• FINRA Small Firm Cybersecurity Checklist: www.finra.org/industry/cybersecurity

SEC Resources
• SEC, National Examination Program (NEP) Risk Alert, Cybersecurity Examination Sweep Summary (February 2015): www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf
• SEC, Division of Investment Management, Guidance Update – Cybersecurity Guidance (April 2015): www.sec.gov/investment/im-guidance-2015-02.pdf

Other Resources
• National Institute of Standards and Technology (NIST): Framework for Improving Critical Infrastructure Cybersecurity (February 2014): www.nist.gov/cyberframework/index.cfm
• SIFMA Cybersecurity Resource Center: www.sifma.org/issues/operations-and-technology/cybersecurity/overview/
• SANS 20 Critical Security Controls: www.sans.org/critical-security-controls
• Department of Justice, Cybersecurity Unit, Computer Crime & Intellectual Property Section, Criminal Division, Best Practices for Victim Response and Reporting of Cyber Incidents (April 2015): www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/04/30/04272015reporting-cyber-incidents-final.pdf
Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information
© 2017 Association of Corporate Counsel
The Association of Corporate Counsel (ACC) and a group of its members have developed this
Model Information Protection and Security Controls for Outside Counsel Possessing Company
Confidential Information (“Model Controls”) to help in-house counsel as they set expectations
with their outside vendors, including outside counsel, regarding the types of data security controls
these vendors should employ to protect their company’s confidential information. The Model
Controls provide a list of baseline security measures and controls some legal departments may
consider requiring from outside vendors. It is ACC’s hope that the Model Controls offer in-house
counsel a streamlined and consistent approach to setting expectations with respect to the data
security practices of their outside vendors.
This document does not constitute legal advice or legal opinion on specific facts, and it is not
intended to be a definitive statement on the subject but rather serves as a resource providing
practical information to in-house counsel. This document is not a substitute for corporate
counsel’s own legal analysis and good judgment; company’s internal requirements and policies;
or regulatory provisions. Further, this document is not intended to establish any industry standards
for any purpose for either the company client or the outside vendor, including, but not limited to,
contract, professional malpractice, or negligence.
MODEL INFORMATION PROTECTION AND SECURITY CONTROLS FOR OUTSIDE
COUNSEL POSSESSING COMPANY CONFIDENTIAL INFORMATION
Definition of “Company Confidential Information”:
“Company Confidential Information” is defined as any information that is proprietary to Company
and is not publicly available including, without limitation, information that is:
• Attorney-client privileged;
• Confidential information, which, if disclosed, could cause damage to the interests of
Company;
• Material non-public information concerning publicly traded corporations;
• Personally Identifiable Information (“PII”) for any Company employee, contractor,
customer, or supplier. For the purpose of this document, PII is defined as information
that can be used to identify, contact, or locate a natural person, including, without
limitation, a Company customer or website user, natural person’s name, IP address,
email address, postal address, telephone number, account numbers, date of birth,
driver’s license or other government-issued identification card numbers and social
security numbers, or any other information that is linked or linkable to an individual.
• Protected Health Information (“PHI”) shall have the same meaning as the term “protected
health information” at 45 C.F.R. § 160.103;
• Information relating to the physical security of Company operations;
• Information relating to the Company’s cyber security;
• Information from any source that may tend to incriminate the Company, subject the
company to fines or penalties, form the basis for litigation against the company, or which
may tend to damage the Company’s reputation or the reputation of its officers, directors,
employees, or agents;
• Information that is legally required to be protected under the laws applicable to the
company data.
1. Policies and Procedures
Outside Counsel shall have in place appropriate organizational and technical measures
to protect Company Confidential Information or other information of a similar nature
against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or
access, and which provide a level of security appropriate to the risk represented by the
processing and nature of the information to be protected. Outside Counsel shall have in
place internal security and privacy policies designed to protect the security,
confidentiality, and integrity of Company Confidential Information or other information of a
similar nature that include: security policy; organization of information security; asset
management; human resources security; physical and environment security;
communications and operations management; access control; information systems
acquisition, development, and maintenance; information security incident management;
business continuity management; personnel training; and compliance.
Outside Counsel shall have incident and problem management procedures that allow for
the reasonable investigation, response, mitigation, and notification of events that
implicate the confidentiality, integrity, and availability of Outside Counsel’s technology
and information assets, or events that cause the unauthorized or unintentional disclosure
of Company Confidential Information. Outside Counsel will review at least annually its
incident response and problem management procedures to ensure they are fit for
purpose.
Outside Counsel shall have adequate resources and management oversight to ensure
the proper development and maintenance of information security and technology policies,
procedures, and standards throughout the course of their relationship with Company.
Outside Counsel shall provide and maintain information security training for all employees
and provide a summary of such training to Company upon request.
2. Retention and Return/Destruction
2.1 Retention
Outside Counsel shall retain Company Confidential Information only for as long as
specified by Company for the matter(s) on which Outside Counsel is working or as
otherwise necessary to satisfy the purposes for which it was provided to Outside
Counsel, except to the extent that longer retention is required by applicable law,
regulations, or professional ethical rules.
2.2 Return/Destruction
At the conclusion of the engagement and as instructed by Company, Outside Counsel
shall (at its sole cost) return, delete, or destroy Company Confidential Information then in
its possession or under its control including, without limitation, originals and copies of
such Company Confidential Information. The following types of information are excluded
from this requirement: (i) day-to-day exchanges of emails, except for those containing
attachments that contain Company Confidential Information; (ii) Outside Counsel work
product; (iii) Company Confidential Information that becomes a part of the public domain,
including through court filings; and (iv) Company Confidential Information that Outside
Counsel is required to maintain, by law, regulations, or professional ethical rules but for
only the time period required. With respect to (i) herein, excluded emails should be
handled consistently with Outside Counsel’s professional duty of confidentiality. For the
avoidance of doubt, anything that is stored on routine back-up media solely for the
purpose of disaster recovery will be subject to destruction in due course rather than
immediate return or destruction pursuant to this paragraph, provided that employees are
precluded from accessing such information in the ordinary course of business prior to
destruction. Notwithstanding the foregoing, latent data such as deleted files, and other
non-logical data types, such as memory dumps, swap files, temporary files, printer spool
files, and metadata that can only be retrieved by computer forensics experts and is
generally considered inaccessible without the use of specialized tools and techniques will
not be within the requirement for return or destruction of Company Confidential
Information as set forth by this provision.
2.3 Certification
Outside Counsel agrees to certify that Company Confidential Information has been
returned, deleted, or destroyed from its systems, servers, off-site storage facilities, office
locations, and any other location where Outside Counsel maintains Company
Confidential Information within 30 days of receiving Company’s request that the
information be returned, deleted, or destroyed.
3. Data Handling
3.1 Encryption
3.1.1 Encryption in Transit
When transferring Company Confidential Information, and in communications between
Company and Outside Counsel, Outside Counsel will use encryption based on guidance
provided by Company, if any.
The Company reserves the right to request implementation of Transport Layer Security to
automatically encrypt emails between Company and Outside Counsel.
Note: Section 3.1.2 below is highly recommended. Minimally, law firms should have
mechanisms in place that provide for technologically equivalent mitigations in the absence of
encryption at rest.
3.1.2 Encryption at Rest
Outside Counsel will encrypt all Company Confidential Information that resides on
Outside Counsel’s systems, servers, backup tapes, etc., including Company Confidential
Information that resides on the systems and servers of any third party with which Outside
Counsel has subcontracted to store electronic data. Outside Counsel shall encrypt at
rest using solutions that are certified against U.S. Federal Information Processing
Standard 140-2, Level 2, or equivalent industry standard, and verify that the encryption
keys and any keying material are not stored with any associated data.
3.1.3 Encryption of Data Stored on Portable Devices or Transmitted Over Non-Secure Communication Channels
Outside Counsel will encrypt all Company Confidential Information when stored on
portable devices and media or when transmitted over non-secure communication channels
(e.g., internet email, or wireless transmission) including remote connectivity using
solutions that are certified against the U.S. Federal Information Processing Standard 140-2,
Level 2, or equivalent industry standard, and verify that the encryption keys and any
keying material are not stored with any associated data.
3.1.4 Encryption of Company Confidential Information Transferrable to Removable Media and Mobile Devices
In the event that Company Confidential Information could be transferred to removable
media, a mobile device, tablet, or laptop, Outside Counsel will implement, monitor, and
maintain encryption and information leakage prevention tools using solutions that are
certified against the U.S. Federal Information Processing Standard 140-2, Level 2, or
equivalent industry standard, and verify that the encryption keys and keying material are
not stored with any associated data. Moreover, two-factor authentication should be
employed for remote connectivity using a mobile device, tablet, or laptop.
3.2 Data Security Breach Reporting
Upon discovering any suspected or actual unauthorized disclosure, loss, or theft of Company
Confidential Information (a “Data Security Breach”), Outside Counsel will promptly (within 24
hours of discovering an actual or suspected event) send an e-mail to (insert email address
of company contact). Outside Counsel shall fully cooperate with Company to provide all
information in a timely manner and shall fully cooperate with Company, as directed by
Company, to make any notifications required by applicable law. Outside Counsel will fully
cooperate with Company to identify a root cause and remediate any Data Security Breach at
their sole cost. Outside Counsel shall designate an individual who will serve as Company’s
ongoing single point of contact for purposes of addressing issues with respect to the use and
security of Company Confidential Information during the term and following the termination or
expiration of these standards. Such individual shall be accessible to Company on a 24x7
basis. Outside Counsel shall certify that this individual can obtain relevant information
specific to any incidents within 48 hours. This individual is to also have access to or direct
knowledge of Outside Counsel’s network architecture and information technology system.
3.3 Compliance with Laws
Outside Counsel will comply with all laws, regulations, statutes, and ordinances (“Laws”)
applicable to its business or the performance of its obligations pursuant to Company’s
engagement of Outside Counsel, as such Laws may be revised from time to time.
4. Physical Security
4.1 General
Company Confidential Information must be physically secured against unauthorized
access.
Note: The Physical Security Protections in Section 4.2 are recommended for law firms that host
Company Confidential Information on its systems and servers.
4.2 Physical Security Protections
Outside Counsel will implement at least the following:
1. Picture identification badges issued through Outside Counsel’s formal approval
processes.
2. Processes to remove leaver (i.e., departing staff member) personnel from facility
access within 24 hours of notification or within one hour in emergency/priority
situations.
3. 24x7 security guards monitoring entrance(s) to the facility where Company
Confidential Information is accessed, or comparable controls where Company
Confidential Information is stored, processed, or destroyed.
4. Identity verification using government-issued IDs prior to entry to a facility where
Company Confidential Information is accessed, stored, processed, or destroyed for all
visitors, and visitors are supervised by a formal escort while on-site.
5. Electronic access control to any facility where Company Confidential Information is
accessed, stored, processed, or destroyed using badge/access cards.
6. Enhanced access control for access to computer rooms within a facility that houses
information systems hardware (“computer room”) (e.g., biometric safeguards such as
palm readers, iris recognition, or fingerprint readers).
7. Camera surveillance (CCTV) with active monitoring or integration into a detection
system.
8. A perimeter intruder alarm system (e.g., open door alarms).
9. No exterior access points (e.g., windows, exterior doors) are present within a computer
room.
10. Backups are physically secured against unauthorized access.
11. Procedures are in place to verify that receiving/delivery of/removal of hardware and
other equipment are authorized.
12. Physical access to facilities where Company Confidential Information is accessed,
stored, processed, or destroyed must be logged. Logs must be retained for at least
ninety days.
5. Logical Access Controls
Outside Counsel must have logical access controls designed to manage access to
Company Confidential Information and system functionality on a least privilege and need-to-
know basis, including through the use of defined authority levels and job functions, unique
IDs and passwords, two-factor or stronger authentication for its employee remote access
systems (and elsewhere where appropriate). These controls shall enable Outside Counsel
to promptly revoke or change access in response to terminations or changes in job functions
as applicable. Outside Counsel will encrypt all passwords, passphrases, and PINs using
solutions that are certified against U.S. Federal Information Processing Standard 140-2,
Level 2, or equivalent industry standard, and verify that the encryption keys and keying
material are not stored with any associated data. Outside Counsel will implement any
Company request to revoke or modify user access within twenty-four hours of receipt of
Company’s request. Outside Counsel will disable user accounts after at most 10
consecutive invalid authentication attempts.
6. Monitoring
Unless prohibited by applicable law, Company expects Outside Counsel to continuously
monitor its networks and employees, subcontractors, and contingent workers for malicious
activity and other activity that may cause damage or vulnerability to Company Confidential
Information.
7. Vulnerability Controls and Risk Assessments
At least annually, Outside Counsel will perform vulnerability tests and assessments of all
systems that contain Company Confidential Information. Outside Counsel must have
application security software development controls designed to eliminate and minimize the
introduction of security vulnerabilities. For any of Outside Counsel’s applications that
process Company Confidential Information, such testing must also include manual ethical
hacking/penetration tests using intercept proxies to identify security vulnerabilities that
cannot be discovered using automated tools, and code review or other manual verifications
to occur at least annually or upon any major software change, including customizations for
Company.
8. System Administration and Network Security
Outside Counsel must have operational procedures and controls designed to ensure that
technology and information systems are configured and maintained according to prescribed
internal standards and consistent with applicable Industry Standard Safeguards. Examples
of Industry Standard Safeguards are ISO/IEC 27002:2005, NIST 800-44, Microsoft Security
Hardening Guidelines, OWASP Guide to Building Secure Web Applications and the various
Center for Internet Security Standards. Moreover, Outside Counsel must have application
security and software development controls designed to eliminate and minimize the
introduction of security vulnerabilities.
Antivirus protection shall be installed and configured to automatically search for and
download updates (daily, at a minimum) and perform continuous virus scans. Malware
and threat detection is to be updated continuously, and software patches provided by
vendors shall be downloaded and implemented in a timely manner. If Outside Counsel is
unable to implement these controls in a timely manner, Outside Counsel shall notify the
Company in writing.
Outside Counsel shall have vulnerability management and regular application, operating
system and other infrastructure patching procedures and technologies reasonably designed
to identify, assess, mitigate, and protect against new and existing security vulnerabilities
and threats, including viruses, bots, and other malicious code.
Outside Counsel shall have, shall implement, and shall maintain network security controls,
including the use of firewalls, layered DMZs, and updated intrusion detection and
prevention systems, reasonably designed to protect systems from intrusion or limit the
scope or success of any attack or attempt at unauthorized access to Company Confidential
Information.
9. Security Review Rights
Company and its agents, auditors (internal and external), regulators, and other
representatives as Company may designate, may inspect, examine, and review the
facilities, books, systems, records, data, practices, and procedures of Outside Counsel (and
any subcontractors that Outside Counsel may use) that are used in rendering services to
Company to verify the integrity of Company Confidential Information and to monitor
compliance with the confidentiality and security requirements for Company Confidential
Information.
Note: Section 10 below is recommended but optional. ISO Certifications reduce the time and
effort required by in-house IT security departments to perform security assessments on third
parties in possession of Company Confidential Information.
10. Industry Certification/Additional Security Requirements
If Outside Counsel has not achieved ISO27001 certification, Company may request that
Outside Counsel undertake the certification process and provide Company with evidence of
certification when attained. Outside Counsel agrees to implement additional security
requirements reasonably requested by Company, and provide Company with relevant
additional information that Company may request such as SOC audits or other evidence that
Outside Counsel has in place appropriate policies and procedures regarding information
protection and security.
11. Background Screening of Outside Counsel Employees, Subcontractors, and Contingent Workers
Unless precluded by law or regulation, Outside Counsel agrees to conduct background
screening for all of its employees, subcontractors, and contingent workers who work with or
come into contact with Company Confidential Information. Outside Counsel will certify
annually to Company that all of Outside Counsel’s employees, subcontractors, and
contingent workers that work with or come into contact with Company’s Confidential
Information have successfully passed Company’s background screening requirements unless
such background screening is precluded by law or regulation in a specific jurisdiction.
12. Cyber Liability Insurance
Without limiting its responsibilities set out herein, in countries where cyber liability
insurance coverage is available, Outside Counsel will obtain and maintain in force at all times
cyber liability insurance with an insurance company having a minimum credit rating of A- from
Standard & Poor's or another equivalent rating agency, with a minimum coverage level of
$10,000,000. All responsibility for payment of sums under any deductible or self-insured
retention provisions of the policy or policies remains with Outside Counsel. It is expressly
understood and agreed that Company does not in any way represent that the above specified
minimum coverage limit is sufficient or adequate to protect Outside Counsel’s interests or
liabilities. Outside Counsel shall name Company as an additional insured and provide a copy
of its cyber-insurance certificate to Company upon written request.
13. Subcontractors
Outside Counsel shall be responsible for all subcontractors used by Outside Counsel that
have access to Company Confidential Information. Where Outside Counsel subcontracts its
obligations to Company to a third party, it shall do so only by way of written agreement
imposing Company’s Model Information Protection and Security Controls for Law Firms
Possessing Company Confidential Information, which pertains to all of Outside Counsel’s
subcontractors that possess or access Company Confidential Information. For the avoidance
of doubt, this section pertains to, without limitation, reprographics vendors, off-site storage
vendors, and cloud server hosting facilities.