Procuring Software and Information Technology: The Legal and Business Issues Presented
The Computer Forensics Show, Hotel Pennsylvania, New York, NY, April 19, 2011

Upload: peister

Post on 09-Jun-2015


Page 1: Procurement Of Software And Information Technology Services

Procuring Software and Information Technology

The Legal and Business Issues Presented

The Computer Forensics Show, Hotel Pennsylvania, New York, NY

April 19, 2011

Page 2

An Initial Risk Assessment: Security Risk Management Guidance

                          Impact
Probability      High (3)   Medium (2)   Low (1)
High (3)            9           6           3
Medium (2)          6           4           2
Low (1)             3           2           1

The Risk Matrix is a classification tool used to rate security risks based on impact and probability.

Page 3

Cloud Legal Risks

Legal Risk Description              Probability   Impact   Risk Statement
Subpoena and E-Discovery            High          Medium   High
Risk From Changes of Jurisdiction   Very High     High     High
Data Protection Risks               High          High     High
Licensing Risk                      Medium        Medium   Medium

ENISA (European Network and Information Security Agency) and Cloud Security Alliance Leading Practices

Page 4

Key legal questions the customer should ask the cloud provider

ENISA (European Network and Information Security Agency) and Cloud Security Alliance Leading Practices

• In what country is the cloud provider located?
• Is the cloud provider’s infrastructure located in the same country or in different countries?
• Will the cloud provider use other companies whose infrastructure is located outside that of the cloud provider?
• Where will the data be physically located?
• Will jurisdiction over the contract terms and over the data be divided?
• Will any of the cloud provider’s services be subcontracted out?
• Will any of the cloud provider’s services be outsourced?
• How will the data provided by the customer and the customer’s customers be collected, processed and transferred?
• What happens to the data sent to the cloud provider upon termination of the contract?

Page 5

Key Legal Recommendations for Cloud Computing

ENISA (European Network and Information Security Agency) and Cloud Security Alliance Leading Practices

• Customers and cloud providers must have a mutual understanding of each other’s roles and responsibilities related to electronic discovery, including such activities as litigation hold, discovery searches, who provides expert testimony, etc.

• Cloud providers are advised to assure their information security systems are responsive to customer requirements to preserve data as authentic and reliable, including both primary and secondary information such as metadata and log files.

• Data in the custody of cloud service providers must receive equivalent guardianship as in the hands of their original owner or custodian.

• Plan for both expected and unexpected termination of the relationship in the contract negotiations, and for an orderly return or secure disposal of assets.

• Pre-contract due diligence, contract term negotiation, post-contract monitoring, and contract termination, and the transition of data custodianship are components of the duty of care required of a cloud services client.

• Knowing where the cloud service provider will host the data is a prerequisite to implementing the required measures to ensure compliance with local laws that restrict the cross-border flow of data.

• As the custodian of the personal data of its employees or clients, and of the company’s other intellectual property assets, a company that uses Cloud Computing services should ensure that it retains ownership of its data in its original and authenticable format.

• Numerous security issues, such as suspected data breaches, must be addressed in specific provisions of the service agreement that clarify the respective commitments of the cloud service provider and the client.

• The cloud service provider and the client should have a unified process for responding to subpoenas, service of process, and other legal requests.

• The cloud services agreement must allow the cloud services client or designated third party to monitor the service provider’s performance and test for vulnerabilities in the system.

• The parties to a cloud services agreement should ensure that the agreement anticipates problems relating to recovery of the client’s data after their contractual relationship terminates.

Page 6

The Selection Process

• Stakeholders
• Using Risk Assessment
• Establishing a Governance Process At the Outset

[Figure: IT Governance Domains / IT Governance Focus Areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]

Page 7

Selection Process

• Requests for Proposal
– Establishing technical requirements
– Establishing security requirements: gap analysis between vendor policies and customer requirements
– Requesting comments on contract terms during the RFP process
• Upgrading Vendor’s Security Policies

Page 8

Products and Services

• Pricing
– MFN provisions, pass-throughs of cost savings
• Change Control
– How are disagreements about change requirements managed?
• Acceptance/Rejection
• Service Levels

Page 9

Intellectual Property Rights

• Will any new intellectual property be created? If so, who will own it? What rights will the non-owner retain?

• Will licenses survive termination?

Page 10

Representations and Warranties

Sophisticated customers will require a number of representations and warranties and also require indemnification if they are breached:

• Ownership of all IP rights;
• Compliance with all applicable law;
• Employees with appropriate skills and background;
• Systems are secure and properly maintained;
• Industry standard disaster recovery and back-up measures are in place;
• Data is not stored or maintained in a manner other than described to customer.

Page 11

Liability and Remedies

• Scope of possible injuries for which vendor may be liable
• Monetary Limits
• Indemnification
• Service Level Credits
• Repair/Replacement

Page 12

Governance and Dispute Resolution

• Relationship Governance
– Designated project managers and key employees
• Escalation clauses
• Arbitration vs. Court
• Fast track arbitration mechanisms
• Continuing payments and work during disputes

Page 13

Term and Termination

• Typical duration of a contract
– Vendors will rarely want contracts that extend more than 3-4 years.
• Termination for cause
• Right of customer to terminate for convenience
– Often means termination fees.
• Exit Assistance
– Demand the creation of a plan at the outset that provides for transfer of data, equipment, and knowledge.
– May be the most important item for customer’s leverage: it is important that the vendor know the customer can end the agreement without too much pain.
• Escrow Provisions/Step-In
– This is customer’s best protection in the event of a bankruptcy or major failure, but it requires a commitment to make sure escrow is maintained and can be used by customer.
– It is also important to avoid the potential to get “gummed up” by arbitration over whether it is properly triggered.

Page 14

Appendices

• Appendix A: Identifying Constituencies and What Matters to Them

• Appendix B: Governmental, Regulatory, and Privacy Touch Points

• Appendix C: What Do We Examine When Assessing ‘Security?’

Page 15

Appendix A: Identifying Constituencies and What Matters to Them

Constituencies: What They Care About

I.T. Department: Delivering good service. Jobs and budgets. Technical success and efficiency. Security.

Company: Perform core business functions with maximum profit and long-term stability and value. Usually NOT I.T.

Company’s Customers: Getting service: better, faster, cheaper. Often NOT I.T.

Company’s Customers’ Customers: Effectiveness. Results. Avoidance of delay, loss or other pain. Removed from immediate tactical goals of Company’s IT department. NOT Company’s IT problems.

Regulatory Bodies / Government: Compliance. Privacy. Protection of Network and shared resources and the “commons”, including security. Enforcement of non-I.T. laws.

Page 16

Appendix A: Identifying Constituencies and What Matters to Them (continued)

Constituencies: What They Care About

Company’s Employees: Support and resource. Keeping jobs and looking good. Privacy.

Risk Management group within Company: No losses, no lawsuits, no increase in compliance costs, no insurance claims.

Company’s Owners: Short- and mid-term profits and long-term value.

Company’s Management: Employment and compensation. Company performance. Usually I.T. as a means, not end.

Page 17

Appendix B: Governmental and Regulatory Touch Points

Rule or Scheme: Implications for Cloud, Outsourcing and Enterprise Software and Systems

Sarbanes-Oxley (“SOX”): Section 404, evaluation and assessment of internal controls of public companies. Includes record keeping and, thus, I.T. issues. Also Section 302 disclosure controls and other parts.

Cloud Security Alliance (“CSA”) Statement of Best Practices: Extensive output on security and GRC (Governance, Risk Management and Compliance) work.

Cloud Audit: Some objective assessment of certain features of an enterprise’s cloud interfaces. Best known is A6 (Automated Audit, Assertion, Assessment, and Assurance API).

SAS 70 (Statement on Auditing Standards from the AICPA): Report to the effect of “In our opinion, the accompanying description of the aforementioned application presents fairly, in all material respects, the relevant aspects of XYZ Service Organization’s policies and procedures that had been placed in operation as of __________. Also, in our opinion, the policies and procedures, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described policies and procedures were complied with satisfactorily. . . .”

Page 18

Appendix B: Governmental and Regulatory Touch Points (continued)

Rule or Scheme: Implications for Cloud, Outsourcing and Enterprise Software and Systems

Payment Card Industry Data Security Standard (PCI DSS): PCI Security Standards Council. Transactional security and payment industry issues.

Red Flag Rules: FTC; applies to financial institutions and related “covered persons”; focused on identity theft. Can apply to creditors who may not consider themselves financial institutions; some cutbacks in scope in December 2010.

STATES: Almost all states have laws requiring disclosure of suspected privacy or security breaches.

Lawyer Rules: Bar and court restrictions on outsourcing.

Multiple requirements relating to patient confidentiality and files.

Forensics, e-Discovery and other court and trial related rules: e-Discovery. Record-keeping. Operation of trial. Requirements for access to old files and emails.

FISMA (Federal Information Security Management Act of 2002): Important. Establishes a “framework for managing information security that must be followed for all information systems used or operated by a federal government agency or by a contractor or other organization on behalf of a federal agency. This framework is further defined by the standards and guidelines developed by NIST.”

Page 19

Appendix B (continued): Privacy Law Touch Points

Rule or Scheme: Implications for Cloud, Outsourcing and Enterprise Software and Systems

Gramm-Leach-Bliley: Requires financial institutions to provide consumers privacy notices explaining the institutions' information-sharing practices.

HIPAA (Health Insurance Portability and Accountability Act): Practices and rules for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Significant privacy elements.

FERPA (Family Educational Rights and Privacy Act): Protects the privacy of students’ education records.

COPPA (Children's Online Privacy Protection Act): Rules for the online collection of personal information from children under 13.

European Privacy Directive: Rules relating to the confidentiality of electronic data and the notification of regulatory authorities and subscribers for data security breaches.

Other international regimes: Rules and regulations relating to privacy.

Page 20

Appendix C: What We Examine When Assessing “Security”

NIST SP 800-53 defines the security controls required by FISMA (as summarized by SecureIT at: www.secureit.com/resources/WP_FISMA_and_SAS_70.pdf):

- Risk Assessment
- Personnel Security
- Awareness and Training
- Certification and Accreditation
- Configuration Management
- System and Information Integrity
- System Services and Acquisition
- Physical and Environmental Protection
- System Protection
- Security Planning
- Media Protection
- Incident Response
- Maintenance
- Contingency Planning
- Access Control
- Identification and Authentication
- Accountability and Audit
- Communications Protection

Page 21

Presenters

Howard Wettan, White & Case, [email protected], (650) 213 0354

Peter Laberee, Laberee Law, [email protected], (609) 654 0003

Michael Atkins, Managing, [email protected], (540) 349 8888

Brian Peister, President, iSecure, [email protected], (201) 240-9819