Protecting Law Firms and their Clients: The Role of the Virtual Chief Security Officer - Eric Vanderburg - JurInnov

  • Messages:
    – It is a scary world out there
    – You are at risk; your client’s data is at risk
    – You have ethical obligations and possibly regulatory requirements
    – Many firms do not know where they stand
    – Know where you are today
    – Make your people aware
    – Be ready to respond
    – Be aware of your obligations and requirements
    – A virtual CSO can help
    – Define
    – Other JurInnov services
    Attendees: Law firm managing partners
    Timing: 30 minutes plus questions
  • Hello, my name is Janet Gosche and I want to welcome you to today’s session, where we will talk about protecting your firm from cybersecurity threats, data breaches, and non-compliance. We will cover new standards for lawyers, including expanded ethical obligations and HIPAA requirements. And, we will talk about the role of the Chief Security Officer in protecting law firms – and then also specifically the virtual CSO – sometimes called outsourced or managed services. I want to encourage you to raise your hand throughout the discussion whenever you have a question or would like to get more information. We will save the questions for the end of our discussion and will follow up with you for other requests later today. OK – so let’s practice – everybody raise your hand so I know you are listening! Great start!!
  • Next I would like to introduce you to our speakers. Tim Opsitnick founded JurInnov in the year 2000, after spending 15 years at Jones Day as a lawyer in their Litigation and Product Liability sections. His credentials include:
    – Advisor and contributor to the book, Information Security for Lawyers and Law Firms
    – Founding member, Sedona Conference’s Working Group Series on Best Practices for Electronic Document Retention and Production
    – Contributor and Editor to the publication, “The Sedona Guidelines: Best Practice Guidelines & Commentary for Managing Information & Records in the Electronic Age”
    – Member of the Advisory Board for Georgetown University Law Center’s Continuing Legal Education for the development of programs for its E-Discovery Institute
    – Member of the Advisory Board for the American College of e-Neutrals, an organization dedicated to the education, training, credentials, and use of third party referees—mediators, arbitrators, masters, judges, liaisons and magistrates—committed to resolving disputes arising from electronically stored information
    – Founder, ESIBytes.com, which provides free audio broadcasts from attorneys, technical experts and judges regarding emerging issues concerning electronic discovery
    – Founder of the Cleveland EDiscovery Roundtable
    Eric Vanderburg will join Tim in the question and answer session at the end of the topic. Eric leads JurInnov’s Cybersecurity practice. He holds many certifications, including CISSP, Certified Information Systems Security Professional; HISP, Holistic Information Security Practitioner; and CWSP, Certified Wireless Security Professional. He has been invited to speak on many occasions, and has published numerous articles and blogs on security topics via JurInnov’s Security Spotlight. Let’s take a quick moment – if anyone would like to receive a list of Tim’s and Eric’s available articles and presentation topics, please raise your hand, and we will send those to you. Now – I will turn you over to Tim.
  • Tim – use your statistic here, is it… “Statistics show that about 1/3 of data breaches are due to employee error, 1/3 from an outside hacker and 1/3 caused by malicious employees.” So for each cyberattack we read about in the news, we know there are more that are not reported, and then all the others that are not newsworthy hacking. In addition, non-compliance fines and fees are not typically in the news. Every law firm needs a designated Chief Security Officer. If the role is not defined – the firm is very likely not meeting compliance requirements and has a significant risk. (And, the role is more than IT.) We will talk more about that as we go. Again, raise your hand if you would like an email with the reference to the article. There are a lot of reasons law firms are targeted.
  • Most breaches and non-compliance issues are caused by bad human behavior. Not technology. Another reason why the CSO is a C-level position with responsibility and authority across the entire organization.
  • Raise your hand and we will send you the Executive Order.
  • This quote was transcribed from a video interview with PayPal’s Chief Information Security Officer, Michael Barrett, where he makes the point that many executives mistakenly focus on regulations and compliance, when the focus must be on security. And, if you have a solid security program in place, you will be well on your way to being compliant. If anyone is interested in watching the entire video, which is about xx minutes long, raise your hand and we will send you the link.
    http://searchfinancialsecurity.techtarget.com/video/PayPal-CISO-Laws-must-foster-better-cybersecurity-information-sharing
    “We start with the principle that says you build a good program, do the right things in terms of constructing the controls that are appropriate for your enterprise and then at the end of that process you go back and say now what have we missed from a regulation perspective and what do we need to do and you close those gaps. You don’t start from the perspective of saying what does the regulation say I must do and then only do those things. That can be an issue in the financial services industry because unfortunately too often people have turned off their brains and let their external regulators tell them what they should be doing rather than construct a good program themselves.”
  • Add picture of tim and eric and a general email address and phone number
  • http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml#
  • IT person is not the CSO
  • The Chief Security Officer (CSO) is a key leadership position responsible for planning, implementing and maintaining the information security program and the physical security plans at JB&R. The information security program is designed to ensure the confidentiality, integrity, and availability of the information technology environment in compliance with industry regulations. The physical security plans are designed to ensure the well-being of employees and visitors. The CSO will work closely with Information Technology professionals at JB&R as well as stakeholders in business units who rely on technology for operations. The Information Security program involves several team members, who are responsible for ongoing risk assessment, evaluation of appropriate security controls, development and monitoring of policies and standards, security awareness, project and product development consultation, incident response program management, and proactive compliance with industry regulations related to information security.  As the CSO is responsible for the organization's entire security posture, both physical and digital, CSO will also own or participate closely in related areas such as business continuity planning, loss prevention and fraud prevention, and privacy. The CSO reports to the Executive Leadership Team (ELT), and is a high profile position requiring the ability to be proactive and lead cross-functional teams to achieve security objectives.

Transcript

  • 1. CONFIDENTIAL Protecting Law Firms and their Clients The Role of the Virtual Chief Security Officer © 2013 JurInnov, Ltd. All Rights Reserved.
  • 2. Welcome
    1. Cyber Threats: Real World Examples (Breach; Non-compliance)
    2. Cybersecurity Maturity: Where is Your Firm?
    3. Virtual Chief Security Officer (CSO)
    4. Q&A
  • 3. Protecting Law Firms and Their Clients: The Role of the Virtual Chief Security Officer
    Timothy M. Opsitnick, Founder and General Counsel, tim.opsitnick@jurinnov.com
    Tim founded JurInnov in 2000. He is at the forefront of practitioners addressing issues involved in the security and discovery of electronically stored information. His consulting practice focuses on electronic discovery, information governance, cybersecurity, computer forensics, and cloud-based document management systems. His clients include United States and international law firms and companies. He has also conducted numerous continuing legal education seminars regarding electronic discovery, cybersecurity, and other technology issues. In addition, he has served as a court-appointed Special Master and as an expert witness. Finally, he was with the law firm of Jones Day from 1986 until 2000, where he was a member of the Litigation and Product Liability sections. His practice concentrated in the management of complex, multi-district litigation.
    Ohio Wesleyan University, 1978-82, Bachelor of Arts, Political Science and Psychology, Phi Beta Kappa; Case Western Reserve University, School of Law, 1982-85
    Eric A. Vanderburg, Director, Information Systems and Security, eric.vanderburg@jurinnov.com
    Eric joined JurInnov in 2006 and leads the company’s information systems and security team. Eric holds more than 30 certifications in networking and systems engineering, including Certified Information Systems Security Professional, Holistic Information Security Practitioner, and Certified Wireless Security Professional. He has been invited to speak at many organizations and campuses on technology and information security and has published more than a dozen technical articles. Most recently, he was a professor of computer networking at Remington College where he taught courses on information security, database systems, and computer networking. He is also an Adjunct Professor of Computer Information Systems at Lorain County Community College.
    Doctor of Information Assurance (Exp. 2013), The University of Fairfax, Vienna, Virginia; East Asian Studies (Non-degree), Kansai Gaidai University, Osaka, Japan; MBA with an Information Systems Concentration, Kent State University, Kent, Ohio; Bachelor of Science, Technology, Kent State University, Kent, Ohio; Assoc of Applied Business, Computer Information Systems, Lorain County Community College, Elyria, Ohio
    Janet Gosche, Chief Strategy & Operations Officer, janet.gosche@jurinnov.com
    Janet leads JurInnov’s business operations and supports the managed services practice. Janet honed her skills at Accenture, the global management consulting, technology services and outsourcing company, where she spent 25 years helping clients improve their business operations and results. During this time, Janet was a pioneer in Accenture's emerging outsourcing practice. She is an alumni member of the FBI Citizens’ Academy. She taught experienced professionals for Accenture and was a Covey Principle Centered Leadership facilitator. She currently coaches students at the Baldwin-Wallace Center for Innovation and Growth and Mathematics Department.
    Baldwin-Wallace College, 1978-82, Bachelor of Science in Mathematics, Magna Cum Laude, General Honors, Honors in Economics
  • 4. How Do You Measure Success? Risk Management and Compliance Areas (U.S. and Global):
    – Anti-money laundering (AML)
    – Bribery / FCPA / UKBA
    – Business ethics
    – Code of business conduct
    – Competition / antitrust
    – Country law
    – CYBERSECURITY
    – Department of Transportation (logistics distribution / reverse distribution)
    – Environmental
    – Employment compliance (wage and hour / facility accessibility)
    – Employment practices / workplace rights
    – Export controls / ITAR / dual use technology / military use technology
    – Financial services, banking, insurance
    – Food safety / labeling
    – Government relations
    – Import / customs
    – Information protection
    – Intellectual property
    – Licenses and permits
    – OSHA (health and safety)
    – Product stewardship / product safety
    – Pharmacy and health services
    – Privacy
    – Records and information management
    – Securities law (including insider trading, Dodd Frank)
    – Supply chain / conflict minerals
    – Third party management
    – Trade sanctions / Office of Financial Assets Control (OFAC)
    – Government boycotts / Bureau of Industry and Security
  • 5. Cyberattacks Against Law Firms Are on the Rise
    “We have seen over the last three years an increase in the targeting of law firms.” – Trent Teyema, FBI Cyber Crimes, Washington, D.C. (National Law Journal, 04/23/12)
    “Law firms have incredibly valuable and sensitive information… the Internet just provides a whole other methodology through which the information can be accessed and pilfered.”
    “The more mobility you have, the more documents you’re sending through the Internet, the more likely you are to be the victim of a cyber attack, and that’s what we’re seeing at law firms.” – Mary Galligan, FBI NY Special Agent, Cyber/Special Ops (The Wall Street Journal, 06/26/12; Law Technology News, 02/01/13)
    “…some of the most vulnerable targets are law firms, which hold so much information of their clients and serve as “gates” to their clients.” – Laurel Bellows, ABA President (Law Practice Today, 04/13)
  • 6. Data Breaches Grow in Number and Scale
    “This past year saw major hacks at:
    – Zappos (24M customer accounts)
    – Stratfor (private U.S. intelligence firm; 5M e-mails)
    – Global Payments (1.5M credit card numbers)
    – LinkedIn (6.5M passwords)
    – eHarmony (1.5M passwords)
    – Yahoo (0.5M passwords)
    – Nationwide Mutual (1.1M customer accounts)
    – Wyndham Worldwide (600K credit card numbers)”
    Cyber-security and Data Privacy Outlook and Review: 2013, Gibson, Dunn & Crutcher, 04/16/13
  • 7. Data Breaches Grow in Number and Scale
    “This past year saw major hacks at:
    – Zappos (24M customer accounts)
    – Stratfor (private U.S. intelligence firm; 5M e-mails)
    – Global Payments (1.5M credit card numbers)
    – LinkedIn (6.5M passwords)
    – eHarmony (1.5M passwords)
    – Yahoo (0.5M passwords)
    – Nationwide Mutual (1.1M customer accounts)
    – Wyndham Worldwide (600K credit card numbers)
    …many large organizations reported that security breaches were caused by their own staff, most commonly through ignorance of security practices.”
    Cyber-security and Data Privacy Outlook and Review: 2013, Gibson, Dunn & Crutcher, 04/16/13
  • 8. What are Cybercriminals After?
    Access to:
    – Lists of confidential witnesses
    – Patent applications
    – Financial information
    – M&A documents
    – Intellectual property
    – Drug study results
    – Client correspondence
    – Possible litigation claims
    Business disruption of:
    – Calendar system
    – Billing system
    – Website
    Why?
    – Money
    – Political motives
    – Sport
  • 9. ABA Ethics Rule: Lawyers’ Obligation
    Rule 1.6 Confidentiality, Comment 16: “…act competently to safeguard information to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons…”
    ABA Formal Ethics Opinion 95-398: “[a] lawyer who gives a computer maintenance company access to information in client files must make reasonable efforts to ensure that the company has in place, or will establish, reasonable procedures to protect the confidentiality of client information.”
    2013 HIPAA Omnibus Rules: Law firms having contact with PHI must revisit policies and practices, enforce information security controls, protect confidential info, monitor workforce info access, and track compliance.
  • 10. New ABA Ethics Rule: Lawyers’ Obligation
    August, 2012, change to Rule 1.1 Comment, shown below in italics.
    Rule 1.1 Competence: A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.
    Comment to the Rule: Maintaining Competence. To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
  • 11. “Improving Critical Infrastructure Cybersecurity” Executive Order, Federal Register 13636: February 19, 2013
    WASHINGTON (Reuters) - U.S. President Barack Obama on Tuesday signed an executive order seeking better protection of the country's critical infrastructure from cyber attacks that are a growing concern to the economy and national security. Reuters, 02/12/13
    “We know hackers steal people's identities and infiltrate private e-mail.”
    “We know foreign countries and companies swipe our corporate secrets.”
    “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”
    “Cyber threat is one of the most serious economic and national security challenges we face as a nation.”
    “America's economic prosperity in the 21st century will depend on cybersecurity.”
    “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
    U.S. President Barack Obama, State of the Union Speech, 02/12/13
  • 12. U.S. Cyberspace Policy Review Near Term Actions. What are Yours?
    1. Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities.
    2. Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure.
    3. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.
    4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
    5. Conduct interagency-cleared legal analyses of priority cybersecurity-related issues.
    6. Initiate a national awareness and education campaign to promote cybersecurity.
    7. Develop an international cybersecurity policy framework and strengthen our international partnerships.
    8. Prepare a cybersecurity incident response plan and initiate a dialog to enhance public-private partnerships.
    9. Develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure.
    10. Build a cybersecurity-based identity management vision and strategy, leveraging privacy-enhancing technologies for the Nation.
    Executive Order, “Improving Critical Infrastructure Cybersecurity,” Federal Register 13636 (02/19/13)
  • 13. Cybersecurity Maturity: Where is Your Organization?
    Elements of Effective Cybersecurity: Culture of Security; Legal Requirements; Training and Education; Policy, Procedure and Controls; Monitoring and Auditing; Response and Documentation; Information Management; Accountability
    Maturity levels, from lowest to highest:
    – Ad Hoc: informal; reactive; inconsistent performance
    – Developing: likely repeatable; some consistency; lacks rigorous process discipline
    – Practicing: defined controls; documented standards; consistent performance
    – Optimizing: effective controls; uses process metrics; targeted improvement
    – Leading: integrated strategies; innovative changes; seamless controls
  • 14. Security vs. Compliance? If I am compliant, am I secure? Maybe.
  • 15. Security vs. Compliance? If I am compliant, am I secure? Maybe. If I am secure, am I compliant? Maybe……
  • 16. Compliance and Security
    “We start with the principle that says build a good program, do the right things [in terms of] controls that are appropriate for your enterprise and at the end of that process you [say] what have we missed from a regulatory perspective and what do we need to do and you close those gaps. You don’t start [by] saying what does the regulation say I must do… That can be an issue in the financial services industry because unfortunately too often people [let] external regulators tell them what they should be doing rather than construct a good program themselves.”
    Michael Barrett, PayPal CISO, Interview at the RSA Conference, April 24, 2013
  • 17. How Do You Know Where You Stand?
    – How does your management team make and implement decisions about information security?
    – Do lawyers and support staff know and understand your security policies?
    – Are they disciplined in their daily behaviors?
    – Are mobile devices and small digital media secure?
    – Do you know everyone who has access to your systems (network, physical, etc.)?
    – How would you know if an unauthorized person accessed sensitive data?
    – Are you certain that you can recover from an unexpected loss?
    – Have your applications been tested from a security viewpoint?
    – Are your third party service providers secure?
  • 18. Who is Responsible for Security?
    Everyone: know how to confidently use workplace technology without compromising sensitive data or hindering efficiency.
    Information Technology Team: know the risks and the technical controls that can mitigate those risks (today’s threat, malware, email/web safety, layers of defense, social engineering, physical security).
    But, there is more…..
  • 19. Who is Responsible for Executive Leadership and Decisions? Chief Security Officer
    – Identifying data risks and making informed decisions on how to handle those risks.
    – Understanding how to respond to a breach so it is contained, resolved and documented.
    – Prioritizing the most vital cybersecurity policies and procedures; overseeing their implementation and ensuring awareness and adherence.
    – Understanding and overseeing data classification and ownership.
    – Approving access to critical and data.
    – Being aware of and ensuring existing and new regulatory requirements are followed.
    – Ensuring awareness of and adherence to ethical obligations.
    – Periodically evaluating the security of vendors and ongoing vendor oversight.
    – Stewarding a secure information culture embedded in the organization’s strategy, with a focus on continuous improvement.
  • 20. But, the Reality: Many organizations do not need, cannot afford, and cannot retain a full-time Chief Security Officer!
  • 21. JurInnov’s Solution: Virtual Chief Security Officer, aka… Managed Service; Outsourced Model; On Call; As Needed; Part Time Resource
  • 22. The Virtual CSO
    Why Virtual?
    – Lower cost than a full-time CSO
    – More effective with a deeply skilled CSO team
    – Most law firms do not need a full-time CSO
    – Firm benefits from a CSO with varied experiences
    – Ability to attract and retain the best resources because of the career opportunities at a legal technology company… versus being the only security person at a firm with little or no career progression
    What is a Virtual CSO?
    – Strong balance of business acumen and technology knowledge
    – Highly skilled
    – Varied security-related experiences
    – Certified, typically CISSP, HISP, CEH, and others
    – Part-time resource
    – On staff only when needed
  • 23. Is a Virtual CSO Right for Your Organization? To learn more, send us a chat message or give us a call at 216-664-1100 to set up a meeting to talk it through.
    Other JurInnov Solutions:
    – Breach Investigation
    – Cybersecurity Assessment / Audit
    – Cybersecurity Survey / Gap Analysis
    – Cybersecurity Risk Management and Strategic Planning
    – Training: Cybersecurity, Breach Response and Computer Forensics
    – Cybersecurity Policy Review and Development
    – Incident Response Planning
  • 24. Questions