risk management for law firm executive management
TRANSCRIPT
Risk Management for Law Firm Executive Management
Introductions
• Dave Cunningham, Chief Information Officer - Winston & Strawn LLP
• Jeffrey Lolley, Head of Global Information Security - Hogan Lovells
• Lindsay Philiben, Counsel in Attorneys’ Liability Assurance Society - ALAS
• Dan Sheeran, Chief Financial Officer - Duane Morris LLP
Risks
• Confidentiality
  o Information security
  o Sovereign hacking
  o Closed vs. open document management environment
  o Intrusion detection/prevention
  o Data on mobile devices, including laptops
• Integrity / compliance
  o Regulatory compliance
  o Electronic client files (beyond records management)
  o Internal, global e-discovery
  o Copyright compliance
  o Jurisdictional considerations
• Availability
  o IT continuity
  o High availability applications
Pressures
• Right to Audit
• Client RFPs, Outside Counsel Guidelines, and Audits
• Compliance requirements
• Business Associate / Vendor Compliance
• Example of Canadian firms targeted and breached
• BYOD considerations
• Insurance needs analysis
We All Know About the Headlines…
January 30, 2013
Hackers in China Attacked The Times for Last 4 Months
NICOLE PERLROTH
SAN FRANCISCO — For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees.
After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and security experts have expelled the attackers and kept them from breaking back in.
February 1, 2013
Twitter Hacked: Data for 250,000 Users May Be Stolen
NICOLE PERLROTH
Twitter announced late Friday that it had been breached and that data for 250,000 Twitter users was vulnerable.
The company said in a blog post that it detected unusual access patterns earlier this week and found that user information — usernames, e-mail addresses and encrypted passwords — for 250,000 users may have been accessed in what it described as a “sophisticated attack.”
February 1, 2013
A Cybersecurity Blanket: New Executive Order Means a Broad Review for Lawyers, Clients
TODD RUGER
The federal government’s new push to bolster cybersecurity will create an array of legal questions and potential pitfalls for companies in the coming months.
Many Specific to Legal
And They Have Led To
• Client-mandated security requirements integrated into Outside Counsel Guidelines (OCGs)
• ABA Rule 1.6(c)
• HIPAA and various state regulations
• EU Data Protection Directive
• Presidential Executive Order on Cybersecurity
Risk Program
Governance at Hogan Lovells
Information Security Governance Committee
The primary function of the Information Security Governance Committee is to make decisions related to protecting stakeholder information and securing the enterprise that enables the delivery of services to those stakeholders. The committee will also provide strategic direction and oversight over the information security function at Hogan Lovells.
1. Understand the strategic implications and outcomes of initiatives being pursued in the protection of information and assets
2. Appreciate the significance of information security for all major stakeholders and represent their interests
3. Be an advocate for broad support of information security initiatives and projects
What is Risk Management
• You need a process…whatever it is
• Decisions need to follow that process
• It’s about making informed decisions
Risk management process (ISO 27002/5), as shown in the diagram: context establishment, then risk assessment (risk identification, risk analysis, risk evaluation), then risk treatment; monitoring and review, and communication and consultation, run alongside every stage.
Must have a consistent and repeatable process for assessment and decision making relative to security risk in order to:
– Ensure compliance with all applicable laws
– Protect information and assets
– Protect the brand
• New Projects
• Assessments
• Regulatory Constraints
Step 1: Identify Risks
Step 2: Analyze & Quantify
Step 3: Determine Action
Step 4: Track & Report
Yearly re-analysis and quantification
• Someone must analyze and quantify risks
• Input should be gathered from all impacted stakeholders and presented as part of the decision process
• Actions with limited fiscal or business process impact are made outside of governance
• All impacting decisions are inclusive of governance
• All open and accepted risks are tracked and reported regularly
How You Make the Decision
Columns, left to right: Risk Identification (Description of Risk, Description of Impact); Initial Risk Rating (Likelihood Rating, Impact Rating, Risk Rating); Treatments and Controls (Risk Treatment Actions); Residual Risk Rating (Likelihood Rating, Impact Rating, Risk Rating); Decision (Risk Accepted Y/N). In every row the risk rating is the likelihood rating plus the impact rating.

| Description of Risk | Description of Impact | Initial Likelihood | Initial Impact | Initial Risk Rating | Risk Treatment Actions | Residual Likelihood | Residual Impact | Residual Risk Rating | Risk Accepted Y/N |
|---|---|---|---|---|---|---|---|---|---|
| Data stored or transmitted to devices in a way that is less secure than established “due care” | Compromise of data leading to sanctions, fines or loss of business | 3 | 4 | 7 | 1) Technical controls 2) Policies 3) Procedures | 2 | 3 | 5 | N |
| Loss, theft or misuse of devices leading to a data compromise | Compromise of data leading to sanctions, fines or loss of business | 2 | 4 | 6 | 1) Technical controls 2) Policies 3) Procedures | 1 | 4 | 5 | N |
| Use of remote devices in a way that violates client requirements, ethics rules or jurisdictional regulations | Compromise of data leading to sanctions, fines or loss of business | 2 | 3 | 5 | 1) Technical controls 2) Policies 3) Procedures | 0 | 2 | 2 | Y |
| If BYOD, not having access to data stored on a personal device | Inability to comply with discovery notice | 4 | 4 | 8 | 1) Technical controls 2) Policies 3) Procedures | 2 | 2 | 4 | N |

• Risk was identified and rated
• Controls were applied
• Risk was re-evaluated
• Decision was made
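The table above is a risk register worked through the four steps on the previous slide. The following Python script is an added example, not code from the presenters or from any of the firms named; it models the same register so the "track and report" step can be run rather than described. It assumes, from the numbers in the table, that likelihood and impact are each rated 0 to 4 and that the risk rating is their sum (3 + 4 = 7, 0 + 2 = 2); the review date and the one-year review interval are constructed for the sample.

```python
"""Risk register for the slide's four-step process: identify, analyze and
quantify, determine action, track and report, with yearly re-analysis."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumed from the table, not stated on the slide: ratings run 0..4 and
# risk rating = likelihood rating + impact rating.
RATING_MIN, RATING_MAX = 0, 4
REVIEW_INTERVAL = timedelta(days=365)   # "yearly re-analysis and quantification"
REVIEW_DATE = date(2013, 2, 1)          # constructed review date for the sample


def risk_rating(likelihood: int, impact: int) -> int:
    """Step 2: combine a likelihood rating and an impact rating into a risk rating."""
    for value in (likelihood, impact):
        if not RATING_MIN <= value <= RATING_MAX:
            raise ValueError(f"rating {value} outside {RATING_MIN}..{RATING_MAX}")
    return likelihood + impact


@dataclass
class Risk:
    description: str
    impact_description: str
    likelihood: int                      # initial likelihood rating
    impact: int                          # initial impact rating
    treatments: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    accepted: bool = False
    last_reviewed: Optional[date] = None

    @property
    def initial_rating(self) -> int:
        return risk_rating(self.likelihood, self.impact)

    @property
    def residual_rating(self) -> Optional[int]:
        """None until controls were applied and the risk re-evaluated."""
        if self.residual_likelihood is None or self.residual_impact is None:
            return None
        return risk_rating(self.residual_likelihood, self.residual_impact)

    def treat(self, actions: List[str], residual_likelihood: int,
              residual_impact: int, reviewed_on: date) -> None:
        """Step 3: record the controls applied and the re-evaluated ratings."""
        self.treatments = list(actions)
        self.residual_likelihood = residual_likelihood
        self.residual_impact = residual_impact
        self.last_reviewed = reviewed_on

    def decide(self, accept: bool) -> None:
        """Step 3: accept the residual risk (Y) or leave it open (N)."""
        if self.residual_rating is None:
            raise ValueError("re-evaluate the risk before deciding on it")
        self.accepted = accept


def open_risks(register: List[Risk]) -> List[Risk]:
    """Step 4: treated but not accepted risks, highest residual rating first."""
    treated = [r for r in register if r.residual_rating is not None and not r.accepted]
    return sorted(treated, key=lambda r: r.residual_rating, reverse=True)


def due_for_review(register: List[Risk], today: date) -> List[Risk]:
    """Risks never reviewed, or last reviewed a year or more before `today`."""
    cutoff = today - REVIEW_INTERVAL
    return [r for r in register if r.last_reviewed is None or r.last_reviewed <= cutoff]


def build_register(reviewed_on: date = REVIEW_DATE) -> List[Risk]:
    """The four rows of the slide's table, entered as a constructed sample."""
    controls = ["Technical controls", "Policies", "Procedures"]
    sanctions = "Compromise of data leading to sanctions, fines or loss of business"
    rows = [  # description, impact, initial L, initial I, residual L, residual I, accepted
        ("Data stored or transmitted to devices less securely than established due care",
         sanctions, 3, 4, 2, 3, False),
        ("Loss, theft or misuse of devices leading to a data compromise",
         sanctions, 2, 4, 1, 4, False),
        ("Use of remote devices violating client requirements, ethics rules or regulations",
         sanctions, 2, 3, 0, 2, True),
        ("If BYOD, not having access to data stored on a personal device",
         "Inability to comply with discovery notice", 4, 4, 2, 2, False),
    ]
    register = []
    for desc, impact_desc, lk, im, rlk, rim, accepted in rows:
        risk = Risk(desc, impact_desc, lk, im)        # steps 1 and 2
        risk.treat(controls, rlk, rim, reviewed_on)   # step 3
        risk.decide(accepted)
        register.append(risk)
    return register


def status_report(register: List[Risk], today: date) -> List[str]:
    """Step 4: one line per risk for the regular report to governance."""
    overdue = {id(r) for r in due_for_review(register, today)}
    lines = []
    for r in register:
        state = "accepted" if r.accepted else "OPEN"
        flag = " (review overdue)" if id(r) in overdue else ""
        lines.append(f"{r.initial_rating} -> {r.residual_rating} {state}{flag}: {r.description}")
    return lines


if __name__ == "__main__":
    for line in status_report(build_register(), REVIEW_DATE + REVIEW_INTERVAL):
        print(line)
```

Run a year after the sample review date, the report lists all four risks with their initial and residual ratings, marks the three not accepted as OPEN, and flags every row as overdue for the yearly re-analysis; a risk that has been identified and rated but not yet treated is excluded from the open list and cannot be accepted, which keeps the decision from being made before the re-evaluation.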
Policy Structure
The goal of the structure of Information Security Policies for Hogan Lovells is to provide a hierarchical set of policy documents that allow for both overarching policies that cover the entire firm and policies unique to operating locations.
• Policy Statement: Defines the firm's commitment to Information Security and management processes
• Global Security Operating Standards: Outlines policies covering the entire firm
• Local Security Operating Standards: Outlines policies covering a local country or office
• Configuration Guidelines: Provides technical guidelines for configuring products to meet policies
Identifying and Managing Policies?
1. Need Identified: A need must exist before any policy is created.
2. Develop/Refine Policy: Policy development must incorporate all stakeholders and have buy-in at the highest levels of the company.
3. Publish Policy: Policies must be published in a consistent manner and be readily available to stakeholders.
4. Educate: Impacted parties must be educated on both the existence of and need for a new policy.
5. Review & Evaluate: Policies must be evaluated on a yearly basis to ensure a continued need and to determine whether the defined controls are adequate. Refinement must be made if necessary.
Example Policy Issues
• Texting as a Client Record
• Security of Personal Devices
• Unique Passwords
• Retention / Destruction of Paper and Electronic Records
Certifications/Best Practices/Regulations
• ISO 27000
• HIPAA
• EU DPD
It’s a process, not a one-time activity!
Use assessments to drive your program!
Audience Exercise
• As a table group, discuss the question “What to do when a PC is lost?”
• Talk about developing roles, processes, communications, and timing to react appropriately. (10 minutes)
• A few tables will be asked to share their comments
Q & A