Developing and Implementing Information Security Policies to Protect Financial Institution Data
American Conference Institute
Outsourcing in Financial Services

Michael J. Silverman, Partner
Duane Morris LLP
227 West Monroe Street, Suite 3400
Chicago, Illinois 60606
(312) 499-6700

Henry L. Judy, Of Counsel
Kirkpatrick & Lockhart LLP
1800 Massachusetts Avenue, NW
Washington, DC 20036
Phone: 202-778-9032

Eric J. Sinrod, Partner
Duane Morris LLP
One Market Spear Tower, Suite 2000
San Francisco, CA 94105
(415) [email protected]
March 9, 2004 2
CONTENTS
I Policies
II Authentication and Identity Management
III Monitoring/Access (Outsourcer’s Access To Service Provider’s Systems)
IV Personnel (May Be Point Of Greatest Vulnerability)
V Incident Reporting and Response
VI Disaster Recovery Planning
VII Cross-Border Issues
VIII Network/Logical Security
IX Physical Security
X Records Retention and Archiving
XI Reverse Migration/Transition
XII Audit Process and Certifications
POLICIES
Whose policies control?
• Default position, such as: whichever party’s policy is more protective of information should be the controlling policy.
• Practical issues in negotiating to bridge the gap between Service Provider and Outsourcer policies.
Changes to Policies Over Time
• Changes arising out of new technologies
• Changes required by law
• Other changed circumstances
POLICIES (Cont’d.)
Process for implementing changes
• Notice of proposed changes
 – Mutual?
 – Opportunity to comment
 – Allocation of costs
 – Ability to terminate relationship due to changes in policies and practices.
Approach for dealing with third parties or downstream contractors
AUTHENTICATION AND IDENTITY MANAGEMENT
Control of persons
Technology
• User ID and password
• Other controls
 – Tokens
 – Biometric
 – Other
AUTHENTICATION AND IDENTITY MANAGEMENT (Cont’d.)
Control of documents
• Permissions
• Encryption and other security
Who is responsible for administration (changes, updating, lost passwords, etc.)?
Liability for failure
MONITORING/ACCESS (OUTSOURCER’S ACCESS TO SERVICE PROVIDER’S SYSTEMS)
• How to define “systems” for these purposes
• Installation of Outsourcer’s monitoring technologies on Service Provider’s systems
• Cost allocation
MONITORING/ACCESS (Cont’d.)
Requirements that Outsourcer must follow
• Access control
• Use of appropriate technologies
• Training
• Outsourcer security procedures
PERSONNEL (MAY BE POINT OF GREATEST VULNERABILITY)
• Screening requirements
• Compliance with Codes of Conduct
• Monitoring of employees
• Temporary personnel
• Transitional (rotating) personnel
• Remote access
• Telecommuting personnel of Service Provider
• Confidentiality Agreements
PERSONNEL (Cont’d.)
• Training
• Treatment of Personnel Records
• Identity management (i.e., use of technology to support rules re: enterprise-wide access to systems based on a unified source of information about each employee)
• Limitations on right to change/remove personnel (including Outsourcer’s right to request changes).
INCIDENT REPORTING AND RESPONSE
• Severity level definitions
• Trouble tickets
• Dispute resolution
 – Defined escalation path
 – Internal dispute resolution processes
• Suspension of Service
• Notice requirements
• Emergency/Incident response team
• Cooperation with internal and external investigations
DISASTER RECOVERY PLANNING
Security aspects of disaster recovery plan
• Use of hot sites, backup tapes, mirrored sites.
• Application of contract requirements re: security to third parties providing disaster recovery services
• Service Provider testing, updating and maintenance of plan.
• Notice to Outsourcer of Service Provider changes to disaster recovery plans.
• Code escrows for mission-critical systems
• Outsourcer’s right to access control systems if Service Provider fails.
CROSS-BORDER ISSUES
• Need for enhanced security in jurisdictions with weak IP protection
• Data protection (another panel)
• Impact of local laws on Outsourcer; third-party access to Outsourcer data (e.g., ability of a US litigant to obtain Outsourcer’s data from the Service Provider located in a foreign jurisdiction)
NETWORK/LOGICAL SECURITY
• Firewall management
• Patch management
• Periodic (annual) re-certification of network information
• Audit right
• Obligation to update technology
• Service Provider’s requirements re: Outsourcer use of and access to Service Provider’s systems, and Outsourcer’s obligation to use certain technologies and processes.
 – Service Provider does not want to create weaknesses in its systems because its Outsourcers are not using appropriate technologies or processes or are circumventing security requirements.
PHYSICAL SECURITY (as opposed to logical security)
• Coverage of subcontractors
• Consideration of Outsourcer’s and Service Provider’s various locations and use of mobile, remote access technology.
RECORDS RETENTION AND ARCHIVING
• What must Service Provider maintain?
• How long?
• Outsourcer’s access right, including pre- and post-termination
• Local jurisdiction legal/regulatory environment re: Outsourcer’s and third parties’ rights to obtain data.
REVERSE MIGRATION/TRANSITION
• Upon completion, “sanitize” all Service Provider equipment of Outsourcer’s data
 – Include downstream providers working for Service Provider, employees, and others with access to Outsourcer data.
• Service Provider’s obligation to maintain Outsourcer information confidential
 – Application to Service Provider personnel
• Audit rights
AUDIT PROCESS AND CERTIFICATIONS
• Changes to DRP, security issues
• General audit of security issues, requirements
• Certifications of compliance with ISO Standards
• Audit of confidentiality requirements, post-termination obligations, etc.
• Audit of downstream providers, third parties.
SPECIAL SITUATIONS
Will Service Provider also be developing applications and code for Outsourcer?
LEGAL ISSUES
• OCC – 2001-47
• FTC – Rules
• Guess, Eli Lilly Decisions
• Indemnity
• Representations, Warranties
• Gramm-Leach-Bliley
• Basel II Conference
PRACTICAL APPLICATION
Hank is a senior in-house technology lawyer at BIG BANK, a financial services conglomerate. BIG BANK is considering a proposal to outsource to GLOBAL, a multinational service provider, the processing of all of its credit card receivables. The transaction has an estimated value of $550 million in service fees per year for five years. Mike is outside technology legal counsel for GLOBAL. Hank and Mike are negotiating the outsourcing contract and related agreements.
Real-time data on all payments will be sent from BIG BANK’s various operations to BIG BANK’s data center in Denver. Data is then sent to a GLOBAL hub across a secure VPN (virtual private network operated across the Internet). GLOBAL will then distribute the processing to different facilities. GLOBAL plans to do a great deal of the work at three different new campuses at which GLOBAL has installed campus-wide wireless networking. The campuses are located in Dhaka (capital of Bangladesh), Costa Rica and Dublin. Among BIG BANK’s clients are certain Federal agencies that have issued credit cards to their employees. BIG BANK also performs a number of functions under contract with the federal Treasury Department and a number of state agencies.
While the negotiation of most of the contract has proceeded smoothly, consideration of certain issues has been deferred as being “harder.” Today is the day they turn to these “harder” issues:

BIG BANK’s CIO is very troubled by the extensive use of wireless technology and reports that he has been reading about the relative lack of security of the technology. He has charged Hank with getting “bullet-proof” legal protections in the contract.
BIG BANK wants (a) “regular” reports from GLOBAL on all incidents and disruptions (“trouble tickets”) that are reported on GLOBAL’s systems and GLOBAL’s network carriers; (b) an “immediate” report on all “serious” trouble tickets; and (c) “appropriate” indications of the status and resolution of the incidents. Both sides recognize that reporting is necessary but are having a good deal of trouble calibrating a reporting system that meets their respective needs and risks (for example, all hits vs. only hits directly impacting BIG BANK’s data).
BIG BANK wants to share the results of the foregoing reports with certain Federal and State agencies, certain industry consortia and various information security organizations like CERT and SANS. BIG BANK may be willing to do so on an anonymized and aggregated basis, but knows that under the Homeland Security Act, potentially all of this information could be submitted as Critical Infrastructure Information to Federal agencies, which can deliver it in turn to state agencies. GLOBAL has a number of concerns. Mike has been charged with making sure GLOBAL’s interests are protected both legally and reputationally.
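As an added illustration (not part of the slides), the following Python model captures the reporting calibration the two passages above are negotiating: a per-ticket rule for “regular” versus “immediate” reporting, the “all hits” versus “only hits directly impacting BIG BANK’s data” choice, and the anonymized, aggregated summary BIG BANK could share with CERT, SANS or agencies. The severity scale, the threshold for “serious”, and the sample tickets are all assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed severity scale: the deck calls for "severity level definitions"
# but gives none, so these names and the "serious" cut-off are assumptions.
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
IMMEDIATE_AT = SEVERITY["high"]  # hypothetical contract threshold for "serious"

@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    severity: str
    category: str              # e.g. "unauthorized-access", "malware", "outage"
    touches_client_data: bool  # did the incident reach the Outsourcer's data?
    site: str                  # provider facility that raised the ticket

def reporting_tier(t: Ticket, report_all_hits: bool = False) -> str:
    """Return 'immediate', 'regular' or 'none' for one ticket.

    report_all_hits=False models "only hits directly impacting BIG BANK's
    data"; True models the "all hits" position.
    """
    if not report_all_hits and not t.touches_client_data:
        return "none"
    if SEVERITY[t.severity] >= IMMEDIATE_AT:
        return "immediate"
    return "regular"

def partition(tickets, report_all_hits: bool = False) -> dict:
    """Group ticket ids by reporting tier so each report cycle knows its scope."""
    out = {"immediate": [], "regular": [], "none": []}
    for t in tickets:
        out[reporting_tier(t, report_all_hits)].append(t.ticket_id)
    return out

def anonymized_summary(tickets, report_all_hits: bool = False) -> dict:
    """Counts by (category, severity) only: no ticket ids or sites are
    included, which is the anonymized and aggregated form for sharing."""
    return dict(Counter((t.category, t.severity) for t in tickets
                        if reporting_tier(t, report_all_hits) != "none"))

# Constructed sample tickets, not real incident data.
SAMPLE = [
    Ticket("T-1", "critical", "unauthorized-access", True, "Dhaka"),
    Ticket("T-2", "low", "outage", True, "Dublin"),
    Ticket("T-3", "high", "malware", False, "Costa Rica"),
    Ticket("T-4", "medium", "unauthorized-access", True, "Dhaka"),
]

if __name__ == "__main__":
    print(partition(SAMPLE), anonymized_summary(SAMPLE))
```

Flipping `report_all_hits` shows how much wider the "all hits" position makes the immediate-report scope, which is the calibration problem the two sides are stuck on.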
GLOBAL wants to be able to subcontract future software development work on the applications that serve BIG BANK to a variety of developers, including developers in Eastern Europe, Malaysia and Israel. BIG BANK’s CIO is extremely nervous about this from a security standpoint and also as a matter of knowing to whom the payments to the vendors are going. He has charged Hank with “covering us totally.”
After extensive effort, and responding to enhanced public sensitivity to security issues, BIG BANK has adopted an updated and very thorough incident response plan for responding to compromises of any of its “critical” information systems. The plan has been reviewed by internal and external legal counsel, a number of information security consultants, several government agencies, internal IT, information security and risk management staff, and other internal staff, such as BIG BANK’s Chief Privacy Officer (disclosures of non-public personal information in credit card files) and HR (for HIPAA compliance), etc.
Two of the fundamental principles in BIG BANK’s plan are (a) extensive and immediate reporting to national governments, including all relevant law enforcement agencies, with as much confidentiality as possible; and (b) prompt and open public disclosure to shareholders of all material incidents as soon as facts can be determined with adequate certainty. GLOBAL’s equally thorough policy adopts what has been described to Mike as “a more cautious policy toward information availability.” Both sides agree that the contract must specify without much ambiguity what disclosures may be made if there is a serious penetration of the network. Each side wants its approach to be followed.