POLICIES - Duane Morris LLP

American Conference Institute
Outsourcing in Financial Services
Developing and Implementing Information Security Policies to Protect Financial Institution Data
Eric J. Sinrod
Partner
Duane Morris LLP
One Market Spear Tower, Suite 2000
San Francisco, CA 94105
(415) 371-2219
ejsinrod@duanemorris.com
Henry L. Judy
Of Counsel
Kirkpatrick & Lockhart LLP
1800 Massachusetts Avenue, NW
Washington, DC 20036
Phone: 202-778-9032
hjudy@kl.com
Michael J. Silverman
Partner
Duane Morris LLP
227 West Monroe Street, Suite 3400
Chicago, Illinois 60606
(312) 499-6700
mjsilverman@duanemorris.com
CONTENTS
I. Policies
II. Authentication and Identity Management
III. Monitoring/Access (Outsourcer’s Access To Service Provider’s Systems)
IV. Personnel (May Be Point Of Greatest Vulnerability)
V. Incident Reporting and Response
VI. Disaster Recovery Planning
VII. Cross-Border Issues
VIII. Network/Logical Security
IX. Physical Security
X. Records Retention and Archiving
XI. Reverse Migration/Transition
XII. Audit Process and Certifications
March 9, 2004
POLICIES
Whose Policies control?
Default position, such as whichever party’s policy is more protective of information should be the controlling policy.
Practical issues in negotiating to merge the gap between service provider and Outsourcer policies.
Changes to Policies Over Time
Changes arising out of new technologies
Changes required by law
Other changed circumstances
POLICIES (Cont’d.)
Process for implementing changes
• Notice of proposed changes
  – Mutual?
  – Opportunity to comment
  – Allocation of costs
  – Ability to terminate relationship due to changes in policies and practices.
Approach for dealing with third parties or downstream contractors
AUTHENTICATION AND IDENTITY MANAGEMENT
Control of persons
Technology
• User ID and password
• Other controls
– Tokens
– Biometric
– Other
AUTHENTICATION AND IDENTITY MANAGEMENT (Cont’d.)
Control of documents
Permissions
Encryption and other security
Who is responsible for administration (changes, updating, lost passwords, etc.)?
Liability for failure
MONITORING/ACCESS (OUTSOURCER’S ACCESS TO SERVICE PROVIDER’S SYSTEMS)
How to define “systems” for these purposes
Installation of outsourcer’s monitoring technologies on Service Provider’s systems
Cost allocation
MONITORING/ACCESS (Cont’d.)
Requirements that Outsourcer must follow
Access control
Use of appropriate technologies
Training
Outsourcer security procedures
PERSONNEL (MAY BE POINT OF GREATEST VULNERABILITY)
Screening requirements
Compliance with Codes of Conduct
Monitoring of employees
Temporary personnel
Transitional (rotating) personnel
Remote access
Telecommuting personnel of Service Provider
Confidentiality Agreements
PERSONNEL (Cont’d.)
Training
Treatment of Personnel Records
Identity management (i.e., use of technology to support rules re: enterprise-wide access to systems based on a unified source of information about the employee)
Limitations on right to change/remove personnel (including Outsourcer’s right to request changes).
INCIDENT REPORTING AND RESPONSE
Severity level definitions
Trouble tickets
Dispute resolution
Defined escalation path
Internal dispute resolution processes
Suspension of Service
Notice requirements
Emergency/Incident response team
Cooperation with internal and external investigations
DISASTER RECOVERY PLANNING
Security aspects of disaster recovery plan
Use of hot sites, backup tapes, mirrored sites.
Application of contract requirements re: security to third parties providing disaster recovery services
Service provider testing, updating and maintenance of plan.
Notice to Outsourcer of service provider changes to disaster recovery plans.
Code escrows for mission critical systems
Outsourcer’s right to access control systems if Service Provider fails.
CROSS-BORDER ISSUES
Need for enhanced security in jurisdictions with weak IP protection
Data protection (another panel)
Impact of local laws on Outsourcer, third-party access to Outsourcer data (e.g., ability of a US litigant to obtain Outsourcer’s data from the service provider located in a foreign jurisdiction)
NETWORK/LOGICAL SECURITY
Firewall management
Patch management
Periodic (annual) re-certification of network information
Audit right
Obligation to update technology
Service provider’s requirements re: Outsourcer use, access to service provider’s systems and Outsourcer’s obligation to use certain technologies and processes.
Service provider does not want to create weaknesses in its systems because its Outsourcers are not using appropriate technologies or processes or are circumventing security requirements.
PHYSICAL SECURITY (as opposed to logical security)
Coverage of subcontractors
Consideration of Outsourcer’s and Service Provider’s various locations and use of mobile, remote access technology.
RECORDS RETENTION AND ARCHIVING
What must Service Provider maintain
How long?
Outsourcer’s access right, including pre- and post-termination
Local jurisdiction legal/regulatory environment re: Outsourcer’s, third party’s rights to obtain data.
REVERSE MIGRATION/TRANSITION
Upon completion, “sanitize” all Service Provider equipment of Outsourcer’s data
Include downstream providers working for Service Provider, employees, others with access to Outsourcer data.
Service Provider’s obligation to maintain Outsourcer information confidential
Application to Service Provider personnel
Audit rights
AUDIT PROCESS AND CERTIFICATIONS
Changes to DRP, Security Issues
General audit of security issues, requirements
Certifications of compliance with ISO Standards
Audit of confidentiality requirements, post-termination obligations, etc.
Audit of downstream providers, third parties.
SPECIAL SITUATIONS
Will Service Provider also be developing applications and code for Outsourcer?
LEGAL ISSUES
OCC – 2001-47
FTC – Rules
Guess, Eli Lilly Decisions
Indemnity
Representations, Warranties
Gramm-Leach-Bliley
Basel II Conference
PRACTICAL APPLICATION
Hank is a senior in-house technology lawyer at BIG BANK, a financial services conglomerate. BIG BANK is considering a proposal to outsource to GLOBAL, a multinational service provider, the processing of all of its credit card receivables. The transaction has an estimated value of $550 million in service fees per year for five years. Mike is outside technology legal counsel for GLOBAL. Hank and Mike are negotiating the outsourcing contract and related agreements.
Real time data on all payments will be sent from BIG BANK’s various operations to BIG BANK’s data center in Denver. Data is then sent to a GLOBAL hub across a secure VPN (virtual private network operated across the Internet). GLOBAL will then distribute the processing to different facilities. GLOBAL plans to do a great deal of the work at three different new campuses at which GLOBAL has installed campus-wide wireless networking. The campuses are located in Dhaka (capital of Bangladesh), Costa Rica and Dublin. Among BIG BANK’s clients are certain Federal agencies that have issued credit cards to their employees. BIG BANK also performs a number of functions under contract with the federal Treasury Department and a number of state agencies.
While the negotiation of most of the contract has proceeded smoothly, consideration of certain issues has been deferred as being “harder.” Today is the day they turn to these “harder” issues:
BIG BANK’s CIO is very troubled by the extensive use of wireless technology and reports that he has been reading about the relative lack of security of the technology. He has charged Hank with getting “bullet-proof” legal protections in the contract.
BIG BANK wants (a) “regular” reports from GLOBAL on all incidents and disruptions (“trouble tickets”) that are reported on GLOBAL’s systems and GLOBAL’s network carriers; (b) an “immediate” report on all “serious” trouble tickets; and (c) “appropriate” indications of status and resolution of the incidents. Both sides recognize that reporting is necessary but are having a good deal of trouble calibrating a reporting system that meets their respective needs and risks (for example, all hits vs. only hits directly impacting BIG BANK’s data).
BIG BANK wants to share the results of the foregoing reports with certain Federal and State agencies, certain industry consortia and various information security organizations like CERT and SANS. BIG BANK may be willing to do so on an anonymized and aggregated basis, but knows that under the Homeland Security Act, potentially all of this information could be submitted as Critical Infrastructure Information to Federal agencies, which can deliver it in turn to state agencies. GLOBAL has a number of concerns. Mike has been charged with making sure GLOBAL’s interests are protected both legally and reputationally.
GLOBAL wants to be able to subcontract future software development work on the applications that serve BIG BANK to a variety of developers, including developers in Eastern Europe, Malaysia and Israel. BIG BANK’s CIO is extremely nervous about this from a security standpoint and also as a matter of knowing to whom the payments to the vendors are going. He has charged Hank with “covering us totally.”
After extensive effort and responding to enhanced public sensitivity to security issues, BIG BANK has adopted an updated and very thorough incident response plan for responding to compromises of any of its “critical” information systems. The plan has been reviewed by internal and external legal counsel, a number of information security consultants, several government agencies, internal IT, information security and risk management staff, and other internal staff, such as BIG BANK’s Chief Privacy Officer (disclosures of non-public personal information in credit card files) and HR (for HIPAA compliance), etc.
Two of the fundamental principles in BIG BANK’s plan are (a) extensive and immediate reporting to national governments, including all relevant law enforcement agencies, with as much confidentiality as possible; and (b) prompt and open public disclosure to shareholders of all material incidents as soon as facts can be determined with adequate certainty. GLOBAL’s equally thorough policy adopts what has been described to Mike as “a more cautious policy toward information availability.” Both sides agree that the contract must specify without much ambiguity what disclosures may be made if there is a serious penetration of the network. Each side wants its approach to be followed.