CyberSecurity: Protecting Law Firms - Vanderburg - JurInnov

Timothy Opsitnick, Senior Partner, and Eric Vanderburg, Director of Information Systems and Security at JurInnov, explain how to implement information security at Law Firms.

    1. CONFIDENTIAL
       CyberSecurity: Protecting Law Firms
       April 22, 2013
       © 2013 JurInnov, Ltd. All Rights Reserved

    2. Agenda
       • The World Around Us
       • How JurInnov Helps
       • Recommended Service

    3. The World Around Us

    4. How Do You Measure Success?
       Risk Management and Compliance Areas (U.S. and Global)
       • Anti-money laundering (AML)
       • Bribery / FCPA / UKBA
       • Business ethics
       • Code of business conduct
       • Competition / antitrust
       • Country law
       • CYBERSECURITY
       • Department of Transportation (logistics distribution / reverse distribution)
       • Environmental
       • Employment compliance (wage and hour / facility accessibility)
       • Employment practices / workplace rights
       • Export controls / ITAR / dual use technology / military use technology
       • Food safety / labeling
       • Government relations
       • Import / customs
       • Information protection
       • Intellectual property
       • Licenses and permits
       • OSHA (health and safety)
       • Product stewardship / product safety
       • Pharmacy and health services
       • Privacy
       • Records and information management
       • Securities law (including insider trading, Dodd-Frank)
       • Supply chain / conflict minerals
       • Third party management
       • Trade sanctions / Office of Foreign Assets Control (OFAC)
       • Government boycotts / Bureau of Industry and Security

    5. Data Breaches Grow in Number and Scale
       “This past year saw major hacks at:
       – Zappos (24M customer accounts)
       – Stratfor (private U.S. intelligence firm; 5M e-mails)
       – Global Payments (1.5M credit card numbers)
       – LinkedIn (6.5M passwords)
       – eHarmony (1.5M passwords)
       – Yahoo (0.5M passwords)
       – Nationwide Mutual (1.1M customer accounts)
       – Wyndham Worldwide (600K credit card numbers)
       …many large organizations reported that security breaches were caused by their own staff, most commonly through ignorance of security practices.”
       Source: Cyber-security and Data Privacy Outlook and Review: 2013, Gibson, Dunn & Crutcher, 04/16/13

    6. New ABA Ethics Rule: Lawyers’ Obligation
       August 2012 change to the Rule 1.1 Comment (the added language, shown in italics on the original slide, is “including the benefits and risks associated with relevant technology”)
       Rule 1.1 Competence
       A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.
       Comment to the Rule: Maintaining Competence
       To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

    7. Additional Obligations
       Rule 1.6 Confidentiality, Comment 16
       “…act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons…”
       ABA Formal Ethics Opinion 95-398
       “[a] lawyer who gives a computer maintenance company access to information in client files must make reasonable efforts to ensure that the company has in place, or will establish, reasonable procedures to protect the confidentiality of client information.”
       2013 HIPAA Omnibus Rules
       Law firms having contact with PHI must revisit policies and practices, enforce information security controls, protect confidential information, monitor workforce information access and track compliance.

    8. “Cyberattacks Against Law Firms Are on the Rise”
       “We have seen over the last three years an increase in the targeting of law firms.”
       Trent Teyema, FBI Cyber Crimes, Washington, D.C.; National Law Journal, 04/23/12
       “Law firms have incredibly valuable and sensitive information… the Internet just provides a whole other methodology through which the information can be accessed and pilfered.”
       The Wall Street Journal, 06/26/12

    9. Why Law Firms?
       “The more mobility you have, the more documents you’re sending through the Internet, the more likely you are to be the victim of a cyber attack, and that’s what we’re seeing at law firms.”
       Mary Galligan, FBI NY Special Agent, Cyber/Special Ops; Law Technology News, 02/01/13
       “…some of the most vulnerable targets are law firms, which hold so much information of their clients and serve as ‘gates’ to their clients.”
       Laurel Bellows, ABA President; Law Practice Today, 04/13

    10. What are Cybercriminals After?
        Access to:
        – Lists of confidential witnesses
        – Patent applications
        – Financial information
        – M&A documents
        – Intellectual property
        – Drug study results
        – Client correspondence
        – Possible litigation claims
        Business disruption of:
        – Calendar system
        – Billing system
        – Website

    11. “Improving Critical Infrastructure Cybersecurity”
        Executive Order, Federal Register 13636: February 19, 2013
        WASHINGTON (Reuters) - U.S. President Barack Obama on Tuesday signed an executive order seeking better protection of the country's critical infrastructure from cyber attacks that are a growing concern to the economy and national security.
        Reuters, 02/12/13

    12. President Obama: Cyber Threats
        “We know hackers steal people's identities and infiltrate private e-mail.”
        “We know foreign countries and companies swipe our corporate secrets.”
        “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”
        U.S. President Barack Obama, State of the Union Speech, 02/12/13
        Continued…

    13. President Obama: Cyber Threats
        “Cyber threat is one of the most serious economic and national security challenges we face as a nation.”
        “America's economic prosperity in the 21st century will depend on cybersecurity.”
        “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
        U.S. President Barack Obama, State of the Union Speech, 02/12/13

    14. Cyberspace Policy Review Near Term Actions
        What are Yours?
        1. Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities.
        2. Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure.
        3. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.
        4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
        5. Conduct interagency-cleared legal analyses of priority cybersecurity-related issues.
        6. Initiate a national awareness and education campaign to promote cybersecurity.
        7. Develop an international cybersecurity policy framework and strengthen our international partnerships.
        8. Prepare a cybersecurity incident response plan and initiate a dialog to enhance public-private partnerships.
        9. Develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure.
        10. Build a cybersecurity-based identity management vision and strategy, leveraging privacy-enhancing technologies for the Nation.
        Source: Executive Order, “Improving Critical Infrastructure Cybersecurity,” Federal Register 13636 (02/19/13)

    15. Cybersecurity Maturity: Where are You?
        Elements of Effective Cybersecurity:
        • Culture of Security
        • Legal Requirements
        • Training and Education
        • Policy, Procedure and Controls
        • Monitoring and Auditing
        • Response and Documentation
        • Information Management
        • Accountability
        Maturity levels, from least to most mature:
        • Ad Hoc: informal; reactive; inconsistent performance
        • Developing: likely repeatable; some consistency; lacks rigorous process discipline
        • Practicing: defined controls; documented standards; consistent performance
        • Optimizing: effective controls; uses process metrics; targeted improvement
        • Leading: integrated strategies; innovative changes; seamless controls

    16. How JurInnov Helps

    17. Cybersecurity Solutions
        • Cybersecurity Survey
        • Training: Cybersecurity, Breach Response and Computer Forensics
        • Breach Investigation
        • Incident Response Planning
        • Cybersecurity Assessment / Audit
        • Cybersecurity Risk Management and Strategic Planning
        • Cybersecurity Policy Review and Development

    18. Recommended Service

    19. Where to Start: The Cybersecurity Survey
        • A quick assessment of meaningful performance indicators to take the pulse of the organization’s cybersecurity environment.
        Five confidence areas: Access Controls, Business Continuity, Application Security, Security Governance, Security Awareness

    20. The Cybersecurity Survey
        • Objective:
        – Identify areas where the company is performing well and areas where information security can be improved
        • Scope:
        – Conduct a high-level security review, gain insight into the current level of information security and develop recommendations
        • Deliverable:
        – Acknowledges elements that are appropriately secured
        – Provides confidential recommendations and workable action items
        – Priorities based on acceptable risk profile, effort and budget

    21. Access Control Indicators
        • Access Controls Checklist
        • Audit Log Retention
        • Firewall Firmware
        • Encrypted Mobile Devices
        • System Availability
        Do you know everyone who has access to your systems? How would you know if an unauthorized person accessed sensitive data?

    22. Business Continuity Indicators
        • Uninterruptible Power
        • Restore Testing
        • Disaster Recovery Planning
        • Business Continuity Testing
        • Scheduled Maintenance
        Are you certain that you can recover from an unexpected loss?

    23. Application Security Indicators
        • Security Patching
        • Malicious Programs
        • Application Security Review
        • Antivirus Software
        • Virus Updates
        Have your applications been tested from a security viewpoint?

    24. Security Governance Indicators
        • Configuration Management
        • Incident Response
        • Media Sanitization
        • Documented Security Controls
        • Vulnerability Mitigation
        How does your management team make and implement decisions about information security?

    25. Security Awareness Indicators
        • Password Awareness
        • Data Storage Awareness
        • Mobile Awareness
        • Software Awareness
        • Email Awareness
        Do your employees know and understand your security policies? Are they disciplined in their daily behaviors?

    26. The Approach Taken (3-5 Weeks)
        Joint Team:
        • Kick-off the Project
        • Discuss Environment and Data Requests
        • Discuss Recommendations
        • Confirm Prioritized Action Items
        Customer:
        • Gather / Provide Data
        • Complete Employee Awareness Survey
        JurInnov:
        • Customize Survey, based on Customer Specifics
        • JurInnov Launches the Employee Awareness Survey
        • Analyze Inputs
        • Prepare Recommendations

    27. Deliverable: Example, Metric Description Template
        • One page per metric within each of the 5 confidence areas
        • Describes the metrics used to determine risk within the area
        Example metric: Access Controls Checklist (one of the Access Controls metrics, alongside Audit Log Retention, Firewall Firmware, Encrypted Mobile Devices and System Availability)
        Calculation: Percentage of items indicating secure practices
        Application: Provides general measurement for access control
        Recommended Target: Aim to meet all controls
        Data Source: Interview to complete the checklist

    28. Deliverable: Example, Results Template
        • Describes the results for each confidence area (total 5 pages)
        • The specific metrics listed depend on the results found
        Rank | Metric | Risk | Highlights
        1 | Average days for retaining server audit logs | Low | Disk - 60 days; Tape - 1 year
        2 | Availability % of key information systems in the last 6 months | Low | 99.96%
        3 | Access Controls Checklist | Low | 81%
        4 | Average days to apply firmware to firewalls | High | 470
        5 | Percentage of mobile devices that are properly encrypted | High | Laptops - yes; Blackberries - no

    29. Deliverable: Example, Recommendations Template
        • Describes the recommendations for each confidence area (total 5 pages)
        • The specific recommendations listed depend on the results found
        No. | Recommendation | Recommended Priority | Effort Needed
        1 | Encrypt Blackberries and require passwords | High | Low
        2 | Update firewall firmware | High | Low
        3 | Check firewall security advisories regularly | Medium | Low

    30. Project Description
        Step 1: Launch Project
        Activities: Determine interviewees and questionnaire recipients; Schedule up to five telephone interviews; Distribute questionnaires and employee awareness surveys
        Deliverable: Interview schedule
        Step 2: Collect Preliminary Information and Prepare for Interviews
        Activities: Receive completed questionnaires; Analyze preliminary data to prepare for interviews
        Deliverable: Customized interview questions based on preliminary data
        Step 3: Conduct Telephone Interviews
        Activities: Conduct one interview for each confidence area:
        – Access Controls: physical security staff; server administrator(s); datacenter administrator(s)
        – Business Continuity: risk manager(s); information technology staff
        – Application Security: information technology staff; software development staff
        – Security Governance: management personnel; compliance officers; privacy officers
        – Security Awareness: human resource staff; compliance officers
        Deliverable: Inputs to information security analysis
        Step 4: Analyze Results for Final Report
        Activities: Analyze inputs from questionnaires, interviews and awareness surveys; Calculate metrics and identify recommendations; Rank recommendations by risk level (low, medium, high) and effort required (low, medium, high)
        Deliverable: Survey findings and recommendations
        Step 5: Present Report
        Activities: Present project findings, recommendations, and next steps (via Webex)
        Deliverable: Communicated survey findings and recommended action items
        PRICE: $6,000

    31. Next Steps
        1. Determine and complete changes to standard project plan, as needed
        2. Determine and complete additional proposal documentation, as needed

    32. Cybersecurity Solutions
        • Cybersecurity Survey
        • Training: Cybersecurity, Breach Response and Computer Forensics
        • Breach Investigation
        • Incident Response Planning
        • Cybersecurity Assessment / Audit
        • Cybersecurity Risk Management and Strategic Planning
        • Cybersecurity Policy Review and Development

    33. Contact Information
        Timothy M. Opsitnick, Esq.
        Founder and General Counsel
        tmo@jurinnov.com
        216-664-0900
        Eric A. Vanderburg, MBA, CISSP
        Director, Cybersecurity and Information Systems
        eav@jurinnov.com
        216-664-1100

    34. CyberSecurity: Protecting Law Firms
        April 22, 2013