


ISO-27001 and Beyond
LegalTech 2015 – New York

February 3, 2014, 10:30 am – 11:45 am

ISO Myth #1: It’s just a bunch of documents

ISO Myth #2: It is something we have to do, but it doesn’t actually add value

ISO Myth #3: It requires a huge investment in technology

ISO Myth #4: It is only applicable to “big law”

ISO Myth #5: It is just an “I.T.” thing

ISO Myth #6: It is a waste of time because NIST is coming

ISO Myth #7: I’m a legal vendor. This doesn’t apply to me

ISO Myth #8: It will take years

ISO Myth #9: Clients don’t care about certification

LEGALTECH NEW YORK / FEBRUARY 3‐5 2015

Introduction

Andreas Antoniou – Chief Information Officer – Paul, Weiss, Rifkind, Wharton & Garrison LLP

Jeff Franchetti – Chief Information Officer – Cravath, Swaine & Moore LLP

Peter Kaomea – Chief Information Officer – Sullivan & Cromwell LLP

Rachelle Rennagel – Director of Research & Information Services – White & Case LLP

Session Moderator


Agenda

Why get ISO 27001 certified? Make the case!

How to get ISO 27001 certified? Do it!

What’s beyond ISO certification? Live it!


Why get ISO 27001 certified?
LegalTech 2015 – New York

Why get ISO 27001 certified?

Improve Security to Protect Client Interests & Firm Reputation

Demonstrate Due Care

Client and Regulatory Compliance

Why: Information security helps protect client interests and firm reputation

Reputation Management for Law Firms


Benefits of ISO 27001

ISO 27001:

• Security – specifies a risk-based framework to initiate, implement, maintain, and continuously mature information security within an organization.

Why: Demonstrates Due Care & Infosec Process Maturity


Benefits of ISO 27001

ISO 27001:

• Security – specifies a risk-based framework to initiate, implement, maintain, and continuously mature information security within an organization.

• Due Care – is an internationally recognized, externally certifiable standard.

Why: Worldwide Trend & International Recognition

[Chart: Worldwide ISO Certifications, 2007–2014; vertical axis 0–25,000]

Why: Momentum in Legal

ISO 27001 Certified

Addleshaw Goddard; Allen & Overy; Bird & Bird; Berwin Leighton Paisner; Bond Dickinson; Clifford Chance; Cravath, Swaine & Moore; Eversheds; Hogan Lovells; Irwin Mitchell; Linklaters; Milbank; Norton Rose Fulbright; Orrick, Herrington & Sutcliffe; Paul, Weiss; Pinsent Masons; Ropes & Gray; Simpson Thacher & Bartlett; Sullivan & Cromwell; White & Case

Working Towards or Investigating Certification

Arnold & Porter; Alston & Bird; Baker & McKenzie; Baker Donelson; Bryan Cave; BuckleySandler; Cleary Gottlieb; Davis Polk & Wardwell; Davis Wright Tremaine; Debevoise & Plimpton; Dorsey & Whitney; Duane Morris; Epstein Becker & Green; Faegre Baker Daniels; Foley & Lardner; Fried, Frank; Goodwin Procter; Gray Robinson; Greenberg Traurig; Holland & Knight; Hughes Hubbard; Hunton & Williams; Jones Day; King & Spalding; Kramer Levin; McDermott Will & Emery; Morrison Foerster; O'Melveny & Myers; Perkins Coie; Proskauer; Seyfarth Shaw; Shearman & Sterling; Skadden, Arps; Taft Stettinius & Hollister; Troutman Sanders; Vinson & Elkins; von Briesen & Roper; Wachtell, Lipton; Wilmer Hale; Winston & Strawn

Why: Momentum in Legal Vendors

ISO 27001 Certified

AlphaLit; BigHand; Capital Novus; Complete Discovery Source; Consilio; eMag Solutions Limited; Huron Consulting; Integreon; Intelliteach, Inc.; Kiersted; LDM Global; QuisLex; Renew Data; RVM, Inc.; TechLaw Solutions; Xerox Litigation Services

Working Towards Certification

Chrome River Technologies; Iris Data Service; NetDocuments; TruShield Security Solutions

Why: ISO 27001 is a superset of frameworks and regulations

[Diagram: ISO-27001/2 as “The Universe of Controls”, encompassing HIPAA, SOX, SOC2, Privacy Laws, and NIST / FISMA]

Benefits of ISO 27001

ISO 27001:

• Security – specifies a risk-based framework to initiate, implement, maintain, and continuously mature information security within an organization.

• Due Care – is an internationally recognized, externally certifiable standard.

• Compliance – can expand to include a wide range of legal, regulatory, and security guidelines and frameworks… and it helps with client audits.

Why: Helps with Client Audits

“…In addition, if your company is in possession of any Information Security certification (e.g. BSI, SSAE 16 CSA CCM, ISO 27001, PCI DSS) or audit reports, please provide them before filling out the questionnaire as they may be sufficient proof of proper Information Security in your company and no further engagement will be required.”

Why get ISO 27001 certified?

Improve Security to Protect Client Interests & Firm Reputation

Demonstrate Due Care

Client and Regulatory Compliance

How to get ISO 27001 certified?
LegalTech 2015 – New York

Introduction to ISO 27001

FRAMEWORK CONTROLS


Introduction to ISO 27001

“Sister Document”: ISO 27002

http://www.iso.org ($130)

Second Edition – 2013

1. Scope
2. Normative references
3. Context of the organization
4. Leadership
5. Planning Support
6. Operation
7. Performance Evaluation
8. Improvement

Annex A – Reference controls
• 14 Domains
• 35 Control Objectives
• 114 Controls

9 pages

Setting up your System

The ISMS: Information Security Management System

[Diagram: the ISMS cycle – Scope, Risk Assessment, Treatment, Management Review]

The standard contains 14 domains

Domains – 14; Categories – 35; Controls – 114

Domain – number of controls:

Information Security Policies – 2
Organization of Information Security – 7
Human Resources Security – 6
Asset Management – 10
Access Control – 14
Cryptography – 2
Physical and Environmental – 15
Operations Security – 14
Communications Security – 7
System Acquisition, Dev & Maintenance – 13
Supplier Relationships – 5
Incident Management – 7
Business Continuity Mgt – 4
Compliance Internal & External – 8

Example: Security Policies

[Diagram: the 14 domains – Information Security Policies; Organization of Information Security; Human Resources Security; Access Control; Asset Management; Cryptography; Physical and Environmental; Communications Security; Operations Security; System Acquisition, Dev & Maintenance; Incident Management; Supplier Relationships; Business Continuity Mgt; Compliance Internal & External]

ISO 27002 (additional detail)

a) access control
b) information classification (and handling)
c) physical and environmental security
d) end user oriented topics such as:
   1) acceptable use of assets
   2) clear desk and clear screen
   3) information transfer
   4) mobile devices and teleworking
   5) restrictions on software installations & use
e) backup
f) information transfer
g) protection from malware
h) management of technical vulnerabilities
i) cryptographic controls
j) communications security
k) privacy and protection of PII
l) supplier relationships

Example: Human Resources Security

[Diagram: the 14 domains, as on the previous slide]

A.7 Human resources security

A 7.1 Prior to employment
- Screening
- Terms & Conditions of employment

A 7.2 During Employment
- Management responsibilities
- Information security awareness, education & training
- Disciplinary process

A 7.3 Termination or change of employment
- Termination responsibilities

ISO 27002 - Screening

Control: Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

Implementation guidance: Verification should take into account all relevant privacy, protection of personally identifiable information and employment based legislation, and should, where permitted, include the following:

a) availability of satisfactory character references, e.g. one business and one personal;
b) a verification (for completeness and accuracy) of

The Documentation


ISO 27001

[Diagram: ISMS – Mgt Review, Risk Assessment, Treatment]

Second Edition – 2013

1. Scope
2. Normative references
3. Context of the organization
4. Leadership
5. Planning Support
6. Operation
7. Performance Evaluation
8. Improvement

Annex A – Reference controls
• 14 Domains
• 35 Control Objectives
• 114 Controls

Certification details

Who is involved?

What does it cost?

How long does it take?

Law Firm: Senior Management; CIO/CSO; DMS/Network/System Administrators; Practice Lead; Human Resources; Legal/Compliance; Physical Security

Consultant (optional): securitygrc2.com; pivotsecurity.com

Registrar: bsigroup.org

Certification details

Who is involved?

What does it cost?

How long does it take?

Depends on: Scope; Current gap; Firm capacity for change; Schedule

Estimate: Consulting ($0 - $80k); Certification ($10k); Ongoing costs ($3k-$5k)

Certification details

Who is involved?

What does it cost?

How long does it take?

Depends on: Scope; Gap; Resource availability; Budget; Client demand; Prior ISO expertise; Willingness for change

Estimate: 6 – 12 months

Education & Risk Assessment: 1 – 2 months

Gap Analysis & Planning: 1 – 2 months

Remediation: 3 – 6 months

Certification: 1 – 2 months

What’s beyond ISO certification?
LegalTech 2015 – New York

Beyond ISO certification

“Keep Coming Back, it Works if You Work it…”


Beyond ISO certification

Realizing IT Operational Maturity


Beyond ISO certification

Reactive
• Ad Hoc
• Dependent on heroics

Compliance (Required)
• Repeatable
• Limited to IT
• Focus on meeting client inquiries

Management Systems Focus
• Proactive
• Includes Finance, HR, Operations
• Formal risk-based approach to security management

Risk Integration
• Continuous feedback and improvement
• “Best of Class” process
• Fully integrated into overall operations strategy
• Competitive advantage

Realizing IT Operational Maturity


Beyond ISO certification

Streamlined Assessments & Compliance

Realizing IT Operational Maturity


Beyond ISO certification

CLIENT QUESTIONNAIRE

Q: Do you have a technology asset management policy or program that has been approved by management to maintain inventory of hardware, software, information assets (e.g., databases) and physical assets? Please describe if the program includes periodic asset recertification.

Q: Is there a published and management approved information asset and data classification policy?

Q: Is there a procedure for handling of information assets? If so, is it reviewed at least annually?

ISO/IEC 27001:2013 – Asset Management – A.8.1.1 Inventory of Assets: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

NIST 800-53, Rev 4
• CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
• CM-8 (1) INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATIONS / REMOVALS
• CM-8 (2) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED MAINTENANCE

HIPAA
• § 164.310 (d) (1) Standard: Device and media controls
• § 164.310 (d) (2) (iii) Accountability (Addressable)

Beyond ISO certification

CLIENT QUESTIONNAIRE

Q: Do you have a process for granting and documenting access, including access for subcontractors and remote access? List the person(s)/group(s) responsible for granting access. Please describe the process, including any tools utilized.

Q: Do security policies include policies on the creation and management of all types of accounts (e.g., system, user etc.)?

Q: Is there an information security policy that has been approved by management, communicated to appropriate constituents, and has an owner to maintain and review the policy? If so, does the policy contain access control policies?

ISO/IEC 27001:2013 – Access Control – 9.1.1 Access Control Policy: An access control policy shall be established, documented and reviewed based on business and information security requirements.

NIST 800-53, Rev 4
• AC-1 ACCESS CONTROL POLICY AND PROCEDURES
• AC-2 ACCOUNT MGT
• AC-3 ACCESS ENFORCEMENT
• AC-3 (1) ACCESS ENFORCEMENT | RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS
• AC-5 SEPARATION OF DUTIES
• AC-6 LEAST PRIVILEGE

HIPAA
• § 164.308 (a) (3) (i) Standard: Workforce security
• § 164.308 (a) (3) (ii) (A) Authorization and/or supervision (Addressable)
• § 164.308 (a) (3) (ii) (B) Workforce clearance procedure (Addressable)
• § 164.308 (a) (4) (i) Standard: Information access management

Beyond ISO certification

CLIENT QUESTIONNAIRE

Q: Do you have a documented and tested incident response process and procedures? Please describe if you utilize external intelligence to keep up to date on security incidents (e.g., CSIRT, Bug Track, UNIRES - UK).

Q: Are incident response procedures for information security incidents defined and documented (e.g., network outages, abuse of access privileges)?

Q: Is there an information security policy that has been approved by management, communicated to appropriate constituents, and has an owner to maintain and review the policy? If so, does the policy contain: Security incident and privacy event management?

ISO/IEC 27001:2013 – Incident Management – A.16.1.1 Responsibilities and Procedures: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.

NIST 800-53, Rev 4
• IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES
• IR-5 INCIDENT MONITORING
• IR-8 INCIDENT RESPONSE PLAN
• SE-2 PRIVACY INCIDENT RESPONSE

HIPAA
• § 164.308 (a) (1) (i) Standard: Security management process
• § 164.308 (a) (6) (i) Standard: Security incident procedures

Beyond ISO certification

CLIENT QUESTIONNAIRE

Q: Do you have a process to review subcontractor performance relative to service-level agreements, determine if contractual terms and conditions are being met and evaluate the need for revisions to service-level agreements?

Q: Is there a process to conduct an information security review during contracting due diligence of your potential Vendor(s) that will have access to [CLIENT] data and/or systems?

Q: Do external parties have access to Scoped Systems and Data or processing facilities? If so, is a risk assessment performed on third parties?

ISO/IEC 27001:2013 – Supplier Relationships – A.15.2.1 Monitoring and Review of Supplier Services: Organizations shall regularly monitor, review and audit supplier service delivery.

NIST 800-53, Rev 4
• SA-9 EXTERNAL INFORMATION SYSTEM SERVICES

HIPAA
• § 164.308 (b) (1) Standard: Business associate contracts and other arrangements
• § 164.314 (a) (1) (i) The contract or other arrangement
• § 164.314 (a) (2) (i) (A) Implement administrative, physical, and technical safeguards

Beyond ISO certification

Streamlined Assessments & Compliance

Realizing IT Operational Maturity

Improved Security

ISO Myth #1: It’s just a bunch of documents

ISO Myth #2: It is something we have to do, but it doesn’t actually add value

ISO Myth #3: It requires a huge investment in technology

ISO Myth #4: It is only applicable to “big law”

ISO Myth #5: It is just an “I.T.” thing

ISO Myth #6: It is a waste of time because NIST is coming

ISO Myth #7: I’m a legal vendor. This doesn’t apply to me

ISO Myth #8: It will take years

ISO Myth #9: Clients don’t care about certification

Call to Action

• Get ISO 27001 certified

• Live the process

• Join the industry movement

Questions?