ISO-27001 and Beyond
LegalTech 2015 – New York
February 3, 2014, 10:30 am – 11:45 am

ISO Myth #1: It’s just a bunch of documents
ISO Myth #2: It is something we have to do, but it doesn’t actually add value
ISO Myth #3: It requires a huge investment in technology
ISO Myth #4: It is only applicable to “big law”
ISO Myth #5: It is just an “I.T.” thing
ISO Myth #6: It is a waste of time because NIST is coming
ISO Myth #7: I’m a legal vendor. This doesn’t apply to me
ISO Myth #8: It will take years
ISO Myth #9: Clients don’t care about certification
LEGALTECH NEW YORK / FEBRUARY 3‐5 2015
Introduction
Andreas Antoniou, Chief Information Officer, Paul, Weiss, Rifkind, Wharton & Garrison LLP
Jeff Franchetti, Chief Information Officer, Cravath, Swaine & Moore LLP
Peter Kaomea, Chief Information Officer, Sullivan & Cromwell LLP
Rachelle Rennagel, Director of Research & Information Services, White & Case LLP
Session Moderator
Agenda
Why get ISO 27001 certified? Make the case!
How to get ISO 27001 certified? Do it!
What’s beyond ISO certification? Live it!
Why get ISO 27001 certified?
Why get ISO 27001 certified?
Improve Security to Protect Client Interests & Firm Reputation
Demonstrate Due Care
Client and Regulatory Compliance
Why: Information security helps protect client interests and firm reputation
Reputation Management for Law Firms
Benefits of ISO 27001
• Security: ISO 27001 specifies a risk-based framework to initiate, implement, maintain, and continuously mature information security within an organization.
Why: Demonstrates Due Care & Infosec Process Maturity
Benefits of ISO 27001
• Security: ISO 27001 specifies a risk-based framework to initiate, implement, maintain, and continuously mature information security within an organization.
• Due Care: ISO 27001 is an internationally recognized, externally certifiable standard.
Why: ISO 27001 is a superset of frameworks and regulations
[Diagram: ISO-27001/2 as “The Universe of Controls”, encompassing HIPAA, SOX, SOC2, Privacy Laws and NIST / FISMA]
Benefits of ISO 27001
• Security: ISO 27001 specifies a risk-based framework to initiate, implement, maintain, and continuously mature information security within an organization.
• Due Care: ISO 27001 is an internationally recognized, externally certifiable standard.
• Compliance: ISO 27001 can expand to include a wide range of legal, regulatory, and security guidelines and frameworks … and it helps with client audits.
Why: Helps with Client Audits
“…In addition, if your company is in possession of any Information Security certification (e.g. BSI, SSAE 16 CSA CCM, ISO 27001, PCI DSS) or audit reports, please provide them before filling out the questionnaire as they may be sufficient proof of proper Information Security in your company and no further engagement will be required.”
Why get ISO 27001 certified?
Improve Security to Protect Client Interests & Firm Reputation
Demonstrate Due Care
Client and Regulatory Compliance

How to get ISO 27001 certified?
Introduction to ISO 27001
FRAMEWORK CONTROLS
Introduction to ISO 27001
“Sister Document”: ISO 27002
http://www.iso.org ($130)
Second Edition – 2013
1. Scope
2. Normative references
3. Context of the organization
4. Leadership
5. Planning Support
6. Operation
7. Performance Evaluation
8. Improvement
Annex A – Reference controls
• 14 Domains
• 35 Control Objectives
• 114 Controls
9 pages

Setting up your System
The ISMS (Information Security Management System)
[Diagram: ISMS cycle – Scope, Risk Assessment, Treatment, Management Review]
The standard contains 14 domains
Domains – 14, Categories – 35, Controls – 114
Domain (number of controls):
• Information Security Policies – 2
• Organization of Information Security – 7
• Human Resources Security – 6
• Asset Management – 10
• Access Control – 14
• Cryptography – 2
• Physical and Environmental – 15
• Operations Security – 14
• Communications Security – 7
• System Acquisition, Dev & Maintenance – 13
• Supplier Relationships – 5
• Incident Management – 7
• Business Continuity Mgt – 4
• Compliance, Internal & External – 8
Example: Security Policies
[Domain map: the 14 Annex A domains, with Information Security Policies highlighted]
ISO 27002 (additional detail):
a) access control
b) information classification (and handling)
c) physical and environmental security
d) end user oriented topics such as:
   1) acceptable use of assets
   2) clear desk and clear screen
   3) information transfer
   4) mobile devices and teleworking
   5) restrictions on software installations & use
e) backup
f) information transfer
g) protection from malware
h) management of technical vulnerabilities
i) cryptographic controls
j) communications security
k) privacy and protection of PII
l) supplier relationships
Example: Human Resources Security
[Domain map: the 14 Annex A domains, with Human Resources Security highlighted]
A.7 Human resources security
A.7.1 Prior to employment
- Screening
- Terms & conditions of employment
A.7.2 During employment
- Management responsibilities
- Information security awareness, education & training
- Disciplinary process
A.7.3 Termination or change of employment
- Termination responsibilities

ISO 27002 – Screening
Control: Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Implementation guidance: Verification should take into account all relevant privacy, protection of personally identifiable information and employment based legislation, and should, where permitted, include the following:
a) availability of satisfactory character references, e.g. one business and one personal;
b) a verification (for completeness and accuracy) of
The Documentation
[Diagram: ISO 27001 ISMS – Risk Assessment, Treatment, Management Review – alongside the Second Edition (2013) clauses 1–8 and Annex A (14 Domains, 35 Control Objectives, 114 Controls) listed above]
Certification details

Who is involved?
Law firm: Senior Management, CIO/CSO, DMS/Network/System Administrators, Practice Lead, Human Resources, Legal/Compliance, Physical Security

What does it cost?
Depends on: scope, gap, resource availability, budget, client demand, prior ISO expertise, willingness for change

How long does it take?
Estimate: 6 – 12 months
• Education & Risk Assessment: 1 – 2 months
• Gap Analysis & Planning: 1 – 2 months
• Remediation: 3 – 6 months
• Certification: 1 – 2 months
What’s beyond ISO certification?
Beyond ISO certification
“Keep Coming Back, it Works if You Work it…”
Beyond ISO certification
Realizing IT Operational Maturity
Beyond ISO certification
Realizing IT Operational Maturity – four stages:
1. Reactive
• Ad Hoc
• Dependent on heroics
2. Compliance (Required)
• Repeatable
• Limited to IT
• Focus on meeting client inquiries
3. Management Systems Focus
• Proactive
• Includes Finance, HR, Operations
• Formal risk-based approach to security management
• Continuous feedback and improvement
4. Risk Integration
• “Best of Class” process
• Fully integrated into overall operations strategy
• Competitive advantage
Beyond ISO certification
Streamlined Assessments & Compliance
Realizing IT Operational Maturity
Beyond ISO certification: mapping client questionnaire questions to ISO/IEC 27001, NIST 800-53 and HIPAA

Asset Management
CLIENT QUESTIONNAIRE
Q: Do you have a technology asset management policy or program that has been approved by management to maintain inventory of hardware, software, information assets (e.g., databases) and physical assets? Please describe if the program includes periodic asset recertification.
Q: Is there a published and management approved information asset and data classification policy?
Q: Is there a procedure for handling of information assets? If so, is it reviewed at least annually?
ISO/IEC 27001:2013 – A.8.1.1 Inventory of Assets: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
NIST 800-53, Rev 4:
• CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
• CM-8 (1) INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATIONS / REMOVALS
• CM-8 (2) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED MAINTENANCE
HIPAA:
• § 164.310 (d) (1) Standard: Device and media controls

Access Control
CLIENT QUESTIONNAIRE
Q: Do you have a process for granting and documenting access, including access for subcontractors and remote access? List the person(s)/group(s) responsible for granting access. Please describe the process, including any tools utilized.
Q: Do security policies include policies on the creation and management of all types of accounts (e.g., system, user etc.)?
Q: Is there an information security policy that has been approved by management, communicated to appropriate constituents, and has an owner to maintain and review the policy? If so, does the policy contain access control policies?
ISO/IEC 27001:2013 – A.9.1.1 Access Control Policy: An access control policy shall be established, documented and reviewed based on business and information security requirements.
NIST 800-53, Rev 4:
• AC-1 ACCESS CONTROL POLICY AND PROCEDURES
• AC-2 ACCOUNT MGT
• AC-3 ACCESS ENFORCEMENT
• AC-3 (1) ACCESS ENFORCEMENT | RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS
HIPAA:
• § 164.308 (a) (3) (ii) (A) Authorization and/or supervision (Addressable)
• § 164.308 (a) (3) (ii) (B) Workforce clearance procedure (Addressable)
• § 164.308 (a) (4) (i) Standard: Information access management
Beyond ISO certification

Incident Management
CLIENT QUESTIONNAIRE
Q: Do you have documented and tested incident response process and procedures? Please describe if you utilize external intelligence to keep up to date on security incidents (e.g., CSIRT, Bug Track, UNIRES - UK).
Q: Are incident response procedures for information security incidents defined and documented (e.g., network outages, abuse of access privileges)?
Q: Is there an information security policy that has been approved by management, communicated to appropriate constituents, and has an owner to maintain and review the policy? If so, does the policy contain security incident and privacy event management?
ISO/IEC 27001:2013 – A.16.1.1 Responsibilities and Procedures: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
NIST 800-53, Rev 4:
• IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES
• IR-5 INCIDENT MONITORING
• IR-8 INCIDENT RESPONSE PLAN
• SE-2 PRIVACY INCIDENT RESPONSE
HIPAA:
• § 164.308 (a) (1) (i) Standard: Security management process

Supplier Relationships
CLIENT QUESTIONNAIRE
Q: Do you have a process to review subcontractor performance relative to service-level agreements, determine if contractual terms and conditions are being met and evaluate the need for revisions to service-level agreements?
Q: Is there a process to conduct an information security review during contracting due diligence of your potential Vendor(s) that will have access to [CLIENT] data and/or systems?
Q: Do external parties have access to Scoped Systems and Data or processing facilities? If so, is a risk assessment performed on third parties?
ISO/IEC 27001:2013 – A.15.2.1 Monitoring and Review of Supplier Services: Organizations shall regularly monitor, review and audit supplier service delivery.
NIST 800-53, Rev 4:
• SA-9 EXTERNAL INFORMATION SYSTEM SERVICES
HIPAA:
• § 164.308 (b) (1) Standard: Business associate contracts and other arrangements
• § 164.314 (a) (1) (i) The contract or other arrangement