American Conference Institute
Outsourcing in Financial Services

Developing and Implementing Information Security Policies to Protect Financial Institution Data

Eric J. Sinrod, Partner, Duane Morris LLP
One Market, Spear Tower, Suite 2000, San Francisco, CA 94105
(415) 371-2219, ejsinrod@duanemorris.com

Henry L. Judy, Of Counsel, Kirkpatrick & Lockhart LLP
1800 Massachusetts Avenue, NW, Washington, DC 20036
Phone: 202-778-9032, hjudy@kl.com

Michael J. Silverman, Partner, Duane Morris LLP
227 West Monroe Street, Suite 3400, Chicago, Illinois 60606
(312) 499-6700, mjsilverman@duanemorris.com

March 9, 2004

CONTENTS
I. Policies
II. Authentication and Identity Management
III. Monitoring/Access (Outsourcer’s Access To Service Provider’s Systems)
IV. Personnel (May Be Point Of Greatest Vulnerability)
V. Incident Reporting and Response
VI. Disaster Recovery Planning
VII. Cross-Border Issues
VIII. Network/Logical Security
IX. Physical Security
X. Records Retention and Archiving
XI. Reverse Migration/Transition
XII. Audit Process and Certifications

POLICIES
• Whose policies control?
  – Default position, such as: whichever party’s policy is more protective of information should be the controlling policy.
  – Practical issues in negotiating to bridge the gap between Service Provider and Outsourcer policies.
• Changes to policies over time
  – Changes arising out of new technologies
  – Changes required by law
  – Other changed circumstances

POLICIES (Cont’d.)
• Process for implementing changes
  – Notice of proposed changes: mutual?
  – Opportunity to comment
  – Allocation of costs
  – Ability to terminate the relationship due to changes in policies and practices
• Approach for dealing with third parties or downstream contractors

AUTHENTICATION AND IDENTITY MANAGEMENT
• Control of persons
• Technology
  – User ID and password
  – Other controls: tokens, biometrics, other

AUTHENTICATION AND IDENTITY MANAGEMENT (Cont’d.)
• Control of documents
  – Permissions
  – Encryption and other security
• Who is responsible for administration (changes, updating, lost passwords, etc.)?
• Liability for failure

MONITORING/ACCESS (OUTSOURCER’S ACCESS TO SERVICE PROVIDER’S SYSTEMS)
• How to define “systems” for these purposes
• Installation of Outsourcer’s monitoring technologies on Service Provider’s systems
• Cost allocation

MONITORING/ACCESS (Cont’d.)
• Requirements that Outsourcer must follow
  – Access control
  – Use of appropriate technologies
  – Training
• Outsourcer security procedures

PERSONNEL (MAY BE POINT OF GREATEST VULNERABILITY)
• Screening requirements
• Compliance with codes of conduct
• Monitoring of employees
• Temporary personnel
• Transitional (rotating) personnel
• Remote access
• Telecommuting personnel of Service Provider
• Confidentiality agreements

PERSONNEL (Cont’d.)
• Training
• Treatment of personnel records
• Identity management (i.e., use of technology to support rules re: enterprise-wide access to systems, based on a unified source of information about each employee)
• Limitations on the right to change/remove personnel (including Outsourcer’s right to request changes)

INCIDENT REPORTING AND RESPONSE
• Severity level definitions
• Trouble tickets
• Dispute resolution
  – Defined escalation path
  – Internal dispute resolution processes
• Suspension of service
• Notice requirements
• Emergency/incident response team
• Cooperation with internal and external investigations

DISASTER RECOVERY PLANNING
• Security aspects of the disaster recovery plan
• Use of hot sites, backup tapes, mirrored sites
• Application of contract requirements re: security to third parties providing disaster recovery services
• Service Provider testing, updating and maintenance of the plan
• Notice to Outsourcer of Service Provider changes to disaster recovery plans
• Code escrows for mission-critical systems
• Outsourcer’s right to access control systems if Service Provider fails
CROSS-BORDER ISSUES
• Need for enhanced security in jurisdictions with weak IP protection
• Data protection (another panel)
• Impact of local laws on Outsourcer; third-party access to Outsourcer data (e.g., the ability of a US litigant to obtain Outsourcer’s data from a Service Provider located in a foreign jurisdiction)

NETWORK/LOGICAL SECURITY
• Firewall management
• Patch management
• Periodic (annual) re-certification of network information
• Audit right
• Obligation to update technology
• Service Provider’s requirements re: Outsourcer use of, and access to, Service Provider’s systems, and Outsourcer’s obligation to use certain technologies and processes. Service Provider does not want weaknesses created in its systems because its Outsourcers are not using appropriate technologies or processes, or are circumventing security requirements.

PHYSICAL SECURITY (as opposed to logical security)
• Coverage of subcontractors
• Consideration of Outsourcer’s and Service Provider’s various locations and their use of mobile and remote access technology

RECORDS RETENTION AND ARCHIVING
• What must Service Provider maintain?
• How long?
• Outsourcer’s access right, including pre- and post-termination
• Local jurisdiction legal/regulatory environment re: Outsourcer’s and third parties’ rights to obtain data

REVERSE MIGRATION/TRANSITION
• Upon completion, “sanitize” all Service Provider equipment of Outsourcer’s data
  – Include downstream providers working for Service Provider, employees, and others with access to Outsourcer data
• Service Provider’s obligation to keep Outsourcer information confidential
  – Application to Service Provider personnel
• Audit rights

AUDIT PROCESS AND CERTIFICATIONS
• Changes to DRP, security issues
• General audit of security issues and requirements
• Certifications of compliance with ISO standards
• Audit of confidentiality requirements, post-termination obligations, etc.
• Audit of downstream providers, third parties
SPECIAL SITUATIONS
• Will Service Provider also be developing applications and code for Outsourcer?

LEGAL ISSUES
• OCC 2001-47
• FTC rules; Guess and Eli Lilly decisions
• Indemnity
• Representations, warranties
• Gramm-Leach-Bliley
• Basel II

PRACTICAL APPLICATION
Hank is a senior in-house technology lawyer at BIG BANK, a financial services conglomerate. BIG BANK is considering a proposal to outsource to GLOBAL, a multinational service provider, the processing of all of its credit card receivables. The transaction has an estimated value of $550 million in service fees per year for five years. Mike is outside technology legal counsel for GLOBAL. Hank and Mike are negotiating the outsourcing contract and related agreements.

Real-time data on all payments will be sent from BIG BANK’s various operations to BIG BANK’s data center in Denver. Data is then sent to a GLOBAL hub across a secure VPN (a virtual private network operated across the Internet). GLOBAL will then distribute the processing to different facilities. GLOBAL plans to do a great deal of the work at three new campuses at which GLOBAL has installed campus-wide wireless networking. The campuses are located in Dhaka (capital of Bangladesh), Costa Rica and Dublin. Among BIG BANK’s clients are certain Federal agencies that have issued credit cards to their employees. BIG BANK also performs a number of functions under contract with the federal Treasury Department and a number of state agencies.

While the negotiation of most of the contract has proceeded smoothly, consideration of certain issues has been deferred as being “harder.” Today is the day they turn to these “harder” issues: BIG BANK’s CIO is very troubled by the extensive use of wireless technology and reports that he has been reading about the relative lack of security of the technology.
He has charged Hank with getting “bullet-proof” legal protections in the contract.

BIG BANK wants (a) “regular” reports from GLOBAL on all incidents and disruptions (“trouble tickets”) that are reported on GLOBAL’s systems and GLOBAL’s network carriers; (b) an “immediate” report on all “serious” trouble tickets; and (c) “appropriate” indications of the status and resolution of the incidents. Both sides recognize that reporting is necessary but are having a good deal of trouble calibrating a reporting system that meets their respective needs and risks (for example, all hits vs. only hits directly impacting BIG BANK’s data).

BIG BANK wants to share the results of the foregoing reports with certain Federal and State agencies, certain industry consortia and various information security organizations like CERT and SANS. BIG BANK may be willing to do so on an anonymized and aggregated basis, but knows that under the Homeland Security Act, potentially all of this information could be submitted as Critical Infrastructure Information to Federal agencies, which can deliver it in turn to state agencies. GLOBAL has a number of concerns. Mike has been charged with making sure GLOBAL’s interests are protected both legally and reputationally.

GLOBAL wants to be able to subcontract future software development work on the applications that serve BIG BANK to a variety of developers, including developers in Eastern Europe, Malaysia and Israel. BIG BANK’s CIO is extremely nervous about this from a security standpoint and also as a matter of knowing to whom the payments to the vendors are going. He has charged Hank with “covering us totally.”

After extensive effort, and responding to enhanced public sensitivity to security issues, BIG BANK has adopted an updated and very thorough incident response plan for responding to compromises of any of its “critical” information systems.
The plan has been reviewed by internal and external legal counsel, a number of information security consultants, several government agencies, internal IT, information security and risk management staff, and other internal staff, such as BIG BANK’s Chief Privacy Officer (disclosures of non-public personal information in credit card files) and HR (for HIPAA compliance), etc.

Two of the fundamental principles in BIG BANK’s plan are (a) extensive and immediate reporting to national governments, including all relevant law enforcement agencies, with as much confidentiality as possible; and (b) prompt and open public disclosure to shareholders of all material incidents as soon as facts can be determined with adequate certainty. GLOBAL’s equally thorough policy adopts what has been described to Mike as “a more cautious policy toward information availability.” Both sides agree that the contract must specify without much ambiguity what disclosures may be made if there is a serious penetration of the network. Each side wants its approach to be followed.
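The practical scenario turns on two reporting questions that the slides leave to negotiation: how "serious" tickets are separated from "regular" ones (severity level definitions), and whether the Outsourcer sees all hits or only hits touching its own data, plus what an "anonymized and aggregated" view for outside bodies like CERT or SANS would actually contain. The following Python sketch is an added example, not part of the conference materials or of either firm's work product; it models those choices so a contract drafter can see what each setting changes. The severity names and threshold, the ticket fields, the system names and every sample ticket are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Severity definitions are an assumption for this example; the slides note
# only that the contract needs "severity level definitions". Lower number =
# more severe. A ticket at or above IMMEDIATE_THRESHOLD counts as "serious".
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
IMMEDIATE_THRESHOLD = "high"


@dataclass(frozen=True)
class Ticket:
    """A trouble ticket as the provider might record it (fields are assumed)."""
    ticket_id: str
    severity: str
    system: str                  # provider-side system name (hypothetical)
    affected_clients: frozenset  # clients whose data the incident touched
    category: str                # e.g. "unauthorized-access", "outage"
    source: str                  # "provider" or "carrier"
    resolved: bool


def undefined_severities(tickets):
    """Severity labels used on tickets that the contract never defined.
    A non-empty result is a contract gap: such tickets cannot be routed."""
    return {t.severity for t in tickets if t.severity not in SEVERITY_ORDER}


def is_serious(ticket):
    if ticket.severity not in SEVERITY_ORDER:
        raise ValueError(f"undefined severity level: {ticket.severity!r}")
    return SEVERITY_ORDER[ticket.severity] <= SEVERITY_ORDER[IMMEDIATE_THRESHOLD]


def report_channel(ticket, client, all_hits=False):
    """Return "immediate", "regular", or None (not reportable to this client).

    all_hits=False reports only tickets that touched the client's own data;
    all_hits=True reports every ticket on the provider's and carriers' systems.
    """
    if not all_hits and client not in ticket.affected_clients:
        return None
    return "immediate" if is_serious(ticket) else "regular"


def calibrate(tickets, client, all_hits=False):
    """Split tickets into the two report streams for one client."""
    streams = {"immediate": [], "regular": []}
    for t in tickets:
        channel = report_channel(t, client, all_hits)
        if channel is not None:
            streams[channel].append(t.ticket_id)
    return streams


def anonymized_summary(tickets, client, min_count=2):
    """Aggregate the client's in-scope tickets for outside sharing.

    Only category counts survive: no ticket ids, system names or client
    names. Cells below min_count are folded into a single "suppressed" total
    so that a rare category cannot be tied back to one incident.
    """
    counts = Counter(t.category for t in tickets if client in t.affected_clients)
    by_category = {cat: n for cat, n in counts.items() if n >= min_count}
    suppressed = sum(n for n in counts.values() if n < min_count)
    return {"by_category": by_category, "suppressed": suppressed,
            "total": sum(counts.values())}


# Constructed sample tickets; ids, system names and client names are invented.
SAMPLE_TICKETS = [
    Ticket("T-1001", "critical", "hub-router-2", frozenset({"BIG BANK"}),
           "unauthorized-access", "provider", False),
    Ticket("T-1002", "low", "dhaka-wlan-ap7", frozenset({"BIG BANK", "OTHER CO"}),
           "config-drift", "provider", True),
    Ticket("T-1003", "high", "carrier-link-01", frozenset({"OTHER CO"}),
           "outage", "carrier", True),
    Ticket("T-1004", "medium", "dublin-batch-3", frozenset({"BIG BANK"}),
           "malware", "provider", True),
    Ticket("T-1005", "high", "costarica-db-1", frozenset({"BIG BANK"}),
           "unauthorized-access", "provider", False),
    Ticket("T-1006", "low", "hub-router-2", frozenset(),
           "outage", "provider", True),
]

if __name__ == "__main__":
    print("own data only:", calibrate(SAMPLE_TICKETS, "BIG BANK"))
    print("all hits:     ", calibrate(SAMPLE_TICKETS, "BIG BANK", all_hits=True))
    print("for sharing:  ", anonymized_summary(SAMPLE_TICKETS, "BIG BANK"))
```

Running it with the constructed tickets shows the negotiation trade-off concretely: with `all_hits=False` BIG BANK receives four of the six tickets and two of them on the immediate channel, while `all_hits=True` adds the carrier outage and a ticket touching no client data at all. The `undefined_severities` check is the piece a drafter would most want, since a ticket carrying a label the contract never defined cannot be routed to either stream; and the `min_count` suppression in `anonymized_summary` is what makes "aggregated" mean something, because a category with a single incident would otherwise identify that incident to anyone who already knows of it.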