The Benefits of ISO-27001 for Legal Firms
advertisement
The Benefits of ISO27001 for Legal Firms Is it right for your firm? 2 Today’s Agenda 1) What is ISO-27001? Why are you hearing so much about it? 2) What problems does it solve? Other benefits? 3) What does the process look like? 4) How much ? How fast ? How painful? 5) Why is it relevant to the Legal Vertical? © 2010 Pivot Point Security, Inc. 3 Quick Clarification • ISO-27000 is a “series” of information security standards • ISO-27001 “uses” ISO-27002 • ISO-27002 used to be called ISO17799 © 2010 Pivot Point Security, Inc. 4 Should we be thinking about 27001? How Bad is Your Pain? We need to prove to many of our clients that we are “secure” We need to prove that many of our service providers keep our data secure We need to prove we are compliant with different regulations/standards We are struggling with regards to Information Security © 2010 Pivot Point Security, Inc. 5 Law Firm Pain is (similar but) Different • Highly diverse levels of very sensitive data in a single firm • Diverse Client/Vendor Risk Management (VRM) practices • National/International Client Base • International attestation • PII Data Protection laws (EU-DPA, 46 State PII, PIPEDA) • Partner Model can be divergent with F500 security requirements • “Brand” is a priority © 2010 Pivot Point Security, Inc. 6 Law Firm Pain is (similar but) Different © 2010 Pivot Point Security, Inc. 7 Law Firm Client Contract Pain: “Blame the Cloud” SAAS/IAAS/PAAS • The “Cloud Attestation Vortex” • As VRM practices rapidly mature/evolve contractual “expectations” do as well Secure ? • Prove to me your “secure” • Pen Tests, SOC2, ISO27001, FedRAMP • Prove to me your “compliant” Increasing ability of vendors to prove they are secure & compliant © 2010 Pivot Point Security, Inc. • HIPAA, PCI, PII, etc. 8 Companies Asking for ISO-27001 Certifcation © 2010 Pivot Point Security, Inc. 9 Growth of ISO-27001 Certifcation Requests for 27001 Certification are and will continue to escalate rapidly 10 Law Firm Regulatory Pain: “Thanks' CMS!!” • HIPAA • Covered Entities (CE) are beholden • HIPAA HITECH • Business Associate Agreement (BAA) signers are beholden • HIPAA Omnibus Rule • Implicit BAA via data Store, Process, Transit • Key Impacts • Need to apply the “Principle of Least Privilege” • Document Management System • Develop Breach Risk/Impact Assessment mechanism to mitigate Breach Notification Risk on un-authorized disclosure (even by a lawyer in same practice area) © 2010 Pivot Point Security, Inc. 11 Law Firm Cyber Security Pain: Targeted Attacks China-based hackers looking to derail the $40 billion acquisition of the world’s largest potash producer by an Australian mining giant zeroed in on the Canadian law firms handling the deal. Mary Galligan, head of FBI’s NYC cyber division convened a meeting with the top 200 law firms in New York City last November to deal with the rising number of law firm intrusions. © 2010 Pivot Point Security, Inc. 12 Law Firm Pain: Unique Culture © 2010 Pivot Point Security, Inc. 13 Law Firm Operational Pain: Mobility & BYOD © 2010 Pivot Point Security, Inc. 14 Law Firm Practice Pain: Paper (lots of it) © 2010 Pivot Point Security, Inc. 15 Law Firm Pain: Desired (& un-desired) Use © 2010 Pivot Point Security, Inc. 16 Good News: Freud would have liked 27001 … In Freudian psychology, people seek pleasure and avoid pain … © 2010 Pivot Point Security, Inc. 17 Should we be thinking about 27001? How Much Success Can You Handle? "Our recent ISO 27001 and ISO 20000 We are always certifications provide looking us with afor competitive differentiators competitive differentiator in the market place.We are always proactive and looking to stay ahead of the “It also provides us with further curve validation that our approach to managing service delivery and security risk is comprehensive and effective -- an important consideration for our business and customers …” © 2010 Pivot Point Security, Inc. 18 A Competitive Differentiator (for now) 19 More Good News … ISO-27001 will address each of the pain points, differentiate your firm in the near term, and position you to keep/win business with organization with mature Vendor Risk Management programs, and significantly simplify security & compliance … 20 What is ISO-27001 ? “ISO27001 is an internationally recognized, certifiable, Information Security Standard that formally specifies an Information Security Management System (ISMS) to bring Information Security under explicit management control.” 21 What is ISO-27001 ? “ISO27001 is an internationally recognized, certifiable, Information Security Standard that formally specifies an Information Security Management System (ISMS) to bring Information Security under explicit management control.” 22 What is ISO-27001 ? “ISO27001 is an internationally recognized, certifiable, Information Security Standard that formally specifies an Information Security Management System (ISMS) to bring Information Security under explicit management control.” 23 What is ISO-27001 ? “ISO27001 is an internationally recognized, certifiable, Information Security Standard that formally specifies an Information Security Management System (ISMS) to bring Information Security under explicit management control.” 24 What is ISO-27001 ? “ISO27001 is an internationally recognized, certifiable, Information Security Standard that formally specifies an Information Security Management System (ISMS) to bring Information Security under explicit management control.” 25 What is ISO-27001 ? “ISO27001 is an internationally recognized, certifiable, Information Security Standard that formally specifies an Information Security Management System (ISMS) to bring Information Security under explicit management control.” 26 What is ISO-27001 ? “ISO27001 is an internationally recognized, certifiable, Information Security Standard that formally specifies an Information Security Management System (ISMS) to bring Information Security under explicit management control.” ISO-27001 “Road Map” • • • • • • • • • Determine Your Scope Understand Your Risks Determine Best Way to Manage The Risks Find Gap Between Desired & Current State Close the Gaps Certify the ISMS Monitor & Respond Improve the ISMS Repeat © 2010 Pivot Point Security, Inc. 28 Determine Your Scope Pharmaceutical Client Data Flow User LAN Zone 1 2 XX Smith St Submission of Docs, Disks & Drives (Scanner & Physical Media) 3 Worker machines SMB? SMB? 4a S-FTP submission S-FTP Server Unknown Email submission Mail Server SMB? 4 XXX App for Research Services SMB? MS SQL DB Unknown XXX App For Pharmaceutical Research, Production & Hosting Services Smith I NAS 4b SMB? EDP LAN Zone Pharma Clients SSL XXX & YYY Hosting Systems SQL? XXX & ZZZ Hosting Systems MS SQL Server DBs IIS Web Servers External © 2010 Pivot Point Security, Inc. DMZ Zone Out-of-Scope Deliverable 6 7 XXX London Paper ZZZ (CC Export System) For Production Services SQL? Apache(?) Web Server Oracle DB SSL 5 VPN Zone 5a Servers LAN Zone Client 29 Understand Risk - Risk Assessment • Identify, Assess, & Decide on Risks • Risks that are not “acceptable” will need to be “remediated” (next slide) • Risk Assessment is simplified by focusing on information/ processes • Secure Data Flow Diagramming is intuitive and management inclusive • Asset Centric Risk Assessment is painful © 2010 Pivot Point Security, Inc. 30 Managing Risk – Risk Treatment Plan • Your manage risk by applying controls • Controls are mechanisms which reduce risk • ISO-27001 defines the process • Determines which of the ~ 114 ISO 27002 controls we should implement in our environment • The controls inherent in 27001 all have to be implemented • There is a possibility that you will need to use controls outside of 27002 © 2010 Pivot Point Security, Inc. 31 Gap Assess & Remediate • Gap assess current implementation vs. Risk Treatment Plan • Develop Prioritized Remediation Plan © 2010 Pivot Point Security, Inc. Get Certified !! Celebrate Your Success © 2010 Pivot Point Security, Inc. 27001 Benefits: Improved Risk Management • Applies a structured risk management approach • Integrates/aligns with corporate ERM • Greater, more positive exposure to management for CSO/CIO • Rationalizing budgetary requirements in a language management understands = More Money Applying only those controls required reduces costs • Rationalizing strategic and security direction based on customer mandate = Greater Acceptance © 2010 Pivot Point Security, Inc. 33 27001 Benefits: Reduces the Burden of Compliance • Reduces Complexity of Dealing with Multiple Standards • Attest once to a single standard then map to disparate standards • Inputs now become outputs (HIPAA, NIST/FISMA, PII) © 2010 Pivot Point Security, Inc. 34 27001 Benefits: Reduces the Burden of Attestation • Attestation can be Painful • Replaces SOC1/2 at a notably lower cost • Provide 27001 instead of answering endless questionnaires • 27001 “derivatives” may be helpful for certain industries © 2010 Pivot Point Security, Inc. 35 27001 Benefits: Simplifies Vendor Risk Management • Gain attestation that their control environment is compliant with the world’s leading Info-Sec Standard © 2010 Pivot Point Security, Inc. 36 27001 Benefits: Complex Problem – A Simple Approach 37 • A “recipe” that has been vetted by thousands over the last 15 years • International standard usable and accepted world wide • 27001 mandates Continuous Improvement 27001 Benefits: Demonstrate Thought Leadership © 2010 Pivot Point Security, Inc. 38 39 FAQ’s: The Six W’s of ISO-27001 1) Who? 2) What? 3) Why? 4) When? 5) Where? 6) How? © 2010 Pivot Point Security, Inc. 40 Who is Involved? Law Firm Consultant (optional) Prepare & Validate Audit/Certify © 2010 Pivot Point Security, Inc. Registrar 41 Who is Involved? • • • • • • • • • CIO/CSO DMS Admin Network Admin System Admin Practice Lead Human Resources Legal/Compliance Physical Security Senior Management © 2010 Pivot Point Security, Inc. Most firms appoint a project lead who engages relevant personnel as required 42 What: ISMS Scope Where is sensitive information that clients want assurance on? • Multiple offices? • Multiple regions? 43 What Does it Cost? Four Key Factors • Scope • Current Gap • Firm’s Capacity • Execute: facilitate ratio • Schedule 44 Why: ISO-27001 vs. Alternatives • Superset of Regulatory & Information Security Frameworks • Internationally Accepted • Dovetails with ERM • Basis of most VRM programs & other standards (Shared Assessment, HITRUST) • Clients are asking for it • Simplifies life SOX HIPAA SOC2 PII Laws NIST/FISMA 45 When: Typical Timeline? 4 – 18 months dependent upon Scope, Gap, Resource Availability, ISMS Expertise, Budget, Client Demand, & Willingness to disrupt BAU 46 Where is ISO-27001 Leveraged? Everywhere !! 47 How Does ISO-27001 Work? Unless you have been sleeping … or I did a terrible job … you should have a pretty good idea by now … :>) 48 Q &A Any Questions ? © 2010 Pivot Point Security, Inc. 49 Did we Accomplish Our Agenda? 1) ISO-27001 is an internationally accepted information security risk management program 2) It addresses the unique challenges in law firms and positions them with discerning cleints 3) The process is relatively simple and straightforward (although involved) 4) We discussed time-lines, costs, & resourcing 5) Its highly relevant to the Legal Vertical because its highly relevant to the legal verticals clients © 2010 Pivot Point Security, Inc.
