Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov

Published in: Technology, Business
  • Just messages, no content here. Our world today. Are you at risk? Is your client’s data at risk? Do you have ethical obligations and possibly regulatory requirements? Many firms do not know where they stand. Know where you are today. Make your people aware. Be ready to respond. Be aware of your obligations and requirements. A virtual CSO can help. Define. Other JurInnov services. Attendees: accounting firm managing partners. Timing: 20 minutes plus questions.
  • Hello, my name is Tim Opsitnick and I want to welcome you to today’s session, where we will talk about protecting your firm from cybersecurity threats, data breaches, and non-compliance. And, we will talk about the role of the Chief Security Officer in protecting firms – and then also specifically the virtual CSO – sometimes called outsourced or managed services. I want to encourage you to ask questions via the chat function throughout the discussion whenever you have a question or would like to get more information. As you have probably noticed, you only see your own chat. So, we will gather the questions for the end of our discussion and will follow up with you for other requests later today. Before we get started, please call us at 216-664-1100 if you are having any difficulty connecting. Also, I see some returning guests who joined us at our last webinar – welcome back!
  • Next I would like to introduce you to our speakers. Janet Gosche came to work at the company about 7 years ago, after spending 25 years at Accenture, a pioneer in their outsourcing practice. Eric Vanderburg will join Janet in the question and answer session at the end of the topic. Eric leads JurInnov’s Cybersecurity practice. He holds many certifications, including CISSP, Certified Information Systems Security Professional; HISP, Holistic Information Security Practitioner; and CWSP, Certified Wireless Security Professional. He has been invited to speak on many occasions, and has published numerous articles and blogs on security topics via JurInnov’s Security Spotlight. And I founded JurInnov in the year 2000, after spending 15 years at Jones Day as a lawyer in their Litigation and Product Liability sections. A couple of things about my background that might be relevant to what we are talking about today (choose a couple): an advisor and contributor to the ABA book, Information Security for Lawyers and Law Firms; a founding member of the Sedona Conference’s Working Group Series on Best Practices for Electronic Document Retention and Production; contributor and editor to the publication “The Sedona Guidelines: Best Practice Guidelines & Commentary for Managing Information & Records in the Electronic Age”; member of the Advisory Board for Georgetown University Law Center’s Continuing Legal Education for the development of programs for its E-Discovery Institute; member of the Advisory Board for the American College of e-Neutrals, an organization dedicated to the education, training, credentials, and use of third party referees—mediators, arbitrators, masters, judges, liaisons and magistrates—committed to resolving disputes arising from electronically stored information; founder of ESIBytes.com, which provides free audio broadcasts from attorneys, technical experts and judges regarding emerging issues concerning electronic discovery; founder of the Cleveland EDiscovery Roundtable. Let’s take a quick moment – if anyone would like to receive a list of Eric’s or my available articles and presentation topics, please send us a chat message, and we will send those to you.
  • I tried to compile a list of risk and compliance areas. Certainly, not every item on the list applies to your firm [or company]. Nonetheless, it is a comprehensive list and is intended to give you a sense of our regulated environment. Of course, cybersecurity is included on the list.
  • Create a couple of bullet points. OK, so, I know how full your schedules are – why are we spending time today talking about the chief security officer? Accounting firms have increasingly been targeted. Whether you know it or not, statistics show that you know someone who has been affected by a data breach. In fact, it is pretty safe to say that one or more of you on the call today has had a breach at your firm. You might be surprised to hear that – or to see some of these headlines. That is because people tend not to talk about being breached. It is embarrassing. It can damage reputations and credibility when we are in a trusted advisor relationship with our clients. Which all too often results in lost clients and prospective clients. I notice that we have managing partners from larger and smaller firms with us today. This is a problem that affects all size firms. Cloud computing and mobile devices are among the developing technologies opening new communication doors for individuals and organizations. Many of these doors lead to great progress and opportunity. Others, however, could lead to big problems with cybercrime. For CPAs, it’s important to understand the implications of a complex and rapidly evolving universe of cybersecurity threats. Steve Ursillo Jr., CPA/CITP, CGMA, will cover the cyberthreat landscape in a session he is presenting June 10 at the 2013 Practitioners Symposium and Tech+ Conference in Partnership with the Association for Accounting Marketing Summit. Ursillo is a partner and director of technology and assurance services with Sparrow, Johnson & Ursillo, an accounting and technology consulting firm based in Rhode Island. CPA Insider spoke with Ursillo, who offered a number of observations regarding the current cybersecurity climate and what CPAs should be doing to protect themselves and their data. The threats are growing. CPAs, their organizations, and their clients should be aware that their data and computing resources are exposed to a growing web of cybercriminals and malicious software designed to penetrate cybersecurity defenses. Ursillo cited several key factors in explaining why the cybersecurity landscape is more treacherous than ever. They have the technology. Advances in software, particularly in the areas of malware and data scraping and compilation, have increased the number and intensified the effectiveness of cyberattacks. On the data front, cybercriminals now have access to tools that can scour the internet collecting information on people and organizations from myriad websites and social media networks, Ursillo said. The tools can then compile that information into a centralized source. For example, these applications could scrape your username, name, and email from one website, and your username, email, personal address, and financial information from another site. In addition, cybercriminals scouring social networking sites could scrape Facebook to find your birthday, likes and dislikes, and where you hang out. In addition, facial recognition technology can find photos of you online and potentially link you to other sites. “It’s a mini big data concept on your individual profile,” Ursillo said. “So what happens is all that information comes together, and now the hacker has a pretty good profile of a particular individual.” Once that profile is in hand, cybercriminals can use that information to forge fake identities or use the information for targeted social engineering attacks. The criminals are organized. Cyberspace has seen a massive invasion of sophisticated, easy-to-use malware. One reason for that is the increased role of organized crime in cybercriminal activities. Software developers now have a market for applications that allow nonprogrammers to create malware, Ursillo said. Organized crime associates are willing to pay for malware creation kits, which are available in storefront-style marketplaces online. The kits allow criminals to create sophisticated malware using essentially a point-and-click approach, Ursillo said. This is particularly dangerous, because the crime organizations bring an in-depth understanding of digital cash flow, business transaction trails, and other processes—knowledge that can be used to design both the malware and the strategy for penetrating the cybersecurity perimeter and stealing cash in electronic transit. Bring your own target. The rapid rise of mobile devices has created a sea teeming with potential entryways to computer networks, confidential data, and, ultimately, easy money. Hackers are now targeting smartphones and other mobile devices, Ursillo said, to get their foot in the door. For instance, cybercriminals use text messages that link to infected websites to compromise a phone and, ultimately, a computer network. “It’s like the Wild, Wild West,” Ursillo said.
  • Results of the AICPA 2012 Top Technology Initiatives Survey: The survey found that CPAs, both in public practice and in business and industry, ranked “securing the IT environment” as their top technology priority for 2012. Almost 40% of those CPAs indicated that they were not confident that their organizations were doing a good job in this area. CPAs in public accounting firms were even less confident, with about ½ being concerned that their IT environment was not secure. Ask Q1.
  • You are probably seeing many of your clients making this a priority.
  • Make a couple of bullet points. Your average plumber or landscaping business might be able to exist in such an environment; your average accounting firm cannot. Accountants and tax preparers must of necessity have and store all of the information that data thieves most want to obtain – personal and financial details that enable them to easily commit identity theft or raid a client company’s bank account. Which only means that tax, accounting and financial planning firms cannot ever afford to be without protection, a plan and a good set of procedures. And that the same goes for many of their clients, making a cybersecurity assessment a critical part of the annual audit of any small or medium-sized business.
  • We have seen these and others on the news. Discuss three buckets: external, intentional and accidental acts of employees and third parties.
  • Most breaches and non-compliance issues are caused by accidental and intentional acts of employees. This is another reason why the CSO is a C-level position with responsibility and authority across the entire organization.
  • We all have a lot of data that criminals would like to have – for various reasons. Financial gain. Political. Just for fun.
  • AP
  • Send us a chat message if you want us to send you the Executive Order. How important is your cybersecurity? Above are quotes from last February’s Presidential State of the Union speech. It is stunning to find cybersecurity a subject matter so extensively covered. Moreover, recently the President and the Chinese Premier have had meetings. The media and the government report that cybersecurity was the number one topic. Why not trade? Reduction of nuclear missiles?
  • Contemporaneous with the State of the Union speech, the President issued an executive order that identified US policy directives. What are your directives or near term actions with respect to cybersecurity?
  • This slide is the most important one that you will see today. I am often asked, “Where am I versus the competition?” This slide facilitates those discussions. With the help of this slide you can answer the question, “Where am I as an organization?” More importantly, where do I want to be as a goal for my organization? We should be practicing at a minimum. Do you want to be a leader? Pass to Janet.
  • Good morning. Glad to be with you today! We are getting some good questions coming in. As a reminder to others, feel free to ask us your questions throughout the session by using your chat function. We will either answer you via chat or hold it and answer it for the group toward the end of the session. We often get asked about security vs. compliance. I am compliant – so I assume I am secure? Well, perhaps you are. We have sound security practices in place – so I am not going to worry about regulatory compliance right now… You have a good starting point.
  • Comment on the slide and then ask Q7.
  • Michael Barrett, PayPal’s top security guy, said it very well recently… I am going to read this for anyone just listening to our audio this morning… (Read slide.) By the way, if you want to watch Michael’s video, send me a chat message with your email address and I will send you the link. http://searchfinancialsecurity.techtarget.com/video/PayPal-CISO-Laws-must-foster-better-cybersecurity-information-sharing “We start with the principle that says you build a good program, do the right things in terms of constructing the controls that are appropriate for your enterprise and then at the end of that process you go back and say now what have we missed from a regulation perspective and what do we need to do and you close those gaps. You don’t start from the perspective of saying what does the regulation say I must do and then only do those things. That can be an issue in the financial services industry because unfortunately too often people have turned off their brains and let their external regulators tell them what they should be doing rather than construct a good program themselves.”
  • How do you know where you stand? You might start by asking: How does leadership prioritize and encourage or enforce security and compliance? Does everyone really understand and follow the policies and procedures? Are all of our devices secure? Are encryption protocols, passwords, and authorized users up to date? Do we know who is allowed access – and would we know if an unauthorized user got in? Now – you didn’t read about this one in the paper, however, we were called because one of the largest companies in Cleveland realized they had lost a major chunk of their electronic intellectual property one morning. If that happened to you – do you know how you would respond? And, you know the old saying – only as strong as your weakest link – are your third parties secure? So, who would you ask to get these answers? Who is responsible?
  • An easy answer is everyone. Of course we all need to be aware of and follow good practices when handling data. Another easy answer is IT. When we talk to firms/companies about Cybersecurity, we often hear IT handles it. And they do have a very important role. And, as you know, there is more.
  • And it has to do with executive leadership and high level decision making around security strategies and priorities. Understanding your business risk. Making sure that from a technical and business perspective those responsible know how to best respond to a breach, when it happens. Overseeing not only the implementation of associated policies and procedures, but even more importantly, prioritizing the most critical that must be followed and ensuring that they are communicated in an effective and compelling manner – and holding individuals accountable to follow them. Knowing who has access to data – and approving access for sensitive data. Being on top of regulatory requirements and ethical obligations. And, making sure that 3rd parties have at least the same level of data security as you have, so they do not allow a data breach or malware to infiltrate your systems. There are more, but probably the most important is (read blue point). Our experience is that some of these responsibilities are typically handled by one or more people across the organization. But, often – too often, when the role is not formalized, we also find that management thinks that these are all covered by “each other” – however, with no formal system in place, some fall through the cracks. That is why, organizationally, these responsibilities are defined as the Chief Security Officer (CSO) role.
  • The CSO needs more than IT expertise – they really must understand the business and business risks in order to balance data availability and risk mitigation.
  • Pragmatically, this function is often spread around multiple people because in many organizations the CSO is not a full time job. CSOs are expensive and in high demand.
  • JurInnov’s solution to this situation is the Virtual Chief Security Officer. Sometimes called… (read slide).
  • With a virtual CSO, you have a team of resources that bring a strong balance of business and tech knowledge. (Move slide.) In fact, this group brings a wider variety of experiences and is better able to maintain the relevant certifications. But the real value is that you have resources – available when and only when you need them. And, at an overall lower cost.
  • What is the real value of the CSO to you – peace of mind. Why? (Read.) And – value to your firm (business). (Read.) Ask Q5 and Q8.
  • But – how do you know? By defining goals that are most important to your business and measuring results.
  • Janet – If you want to learn more about the Virtual Chief Security Officer, send us a chat message or give us a call at …. Or perhaps the VCSO is not for your organization; if that is the case, you might be interested in other services we offer. Any questions, send us a chat or give us a call. There is much more we could cover – however, I see that we have questions from the group. So Eric – what questions does our audience have today?
  • Eric…
  • http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml#
  • The IT person is not the CSO.
  • The Chief Security Officer (CSO) is a key leadership position responsible for planning, implementing and maintaining the information security program and the physical security plans at JB&R. The information security program is designed to ensure the confidentiality, integrity, and availability of the information technology environment in compliance with industry regulations. The physical security plans are designed to ensure the well-being of employees and visitors. The CSO will work closely with Information Technology professionals at JB&R as well as stakeholders in business units who rely on technology for operations. The Information Security program involves several team members, who are responsible for ongoing risk assessment, evaluation of appropriate security controls, development and monitoring of policies and standards, security awareness, project and product development consultation, incident response program management, and proactive compliance with industry regulations related to information security. As the CSO is responsible for the organization's entire security posture, both physical and digital, the CSO will also own or participate closely in related areas such as business continuity planning, loss prevention and fraud prevention, and privacy. The CSO reports to the Executive Leadership Team (ELT), and is a high profile position requiring the ability to be proactive and lead cross-functional teams to achieve security objectives.

    1. CONFIDENTIAL. Protecting Firms and their Clients: The Role of the Virtual Chief Security Officer. © 2013 JurInnov, Ltd. All Rights Reserved.
    2. Welcome
         1. Cyber Threats: Real World Examples
            • Breach
            • Non-compliance
         2. Cybersecurity Maturity: Where is Your Firm?
         3. Virtual Chief Security Officer (CSO)
         4. Q&A
    3. Protecting Firms and Their Clients: The Role of the Virtual Chief Security Officer
       Timothy M. Opsitnick, Founder and General Counsel, tim.opsitnick@jurinnov.com. Tim founded JurInnov in 2000. He is at the forefront of practitioners addressing issues involved in the security and discovery of electronically stored information. His consulting practice focuses on electronic discovery, information governance, cybersecurity, computer forensics, and cloud-based document management systems. His clients include United States and international law firms and companies. He has also conducted numerous continuing legal education seminars regarding electronic discovery, cybersecurity, and other technology issues. In addition, he has served as a court-appointed Special Master and as an expert witness. Finally, he was with the law firm of Jones Day from 1986 until 2000, where he was a member of the Litigation and Product Liability sections. His practice concentrated in the management of complex, multi-district litigation. Education: Ohio Wesleyan University, 1978-82, Bachelor of Arts, Political Science and Psychology, Phi Beta Kappa; Case Western Reserve University, School of Law, 1982-85.
       Eric A. Vanderburg, Director, Information Systems and Security, eric.vanderburg@jurinnov.com. Eric joined JurInnov in 2006 and leads the company’s information systems and security team. Eric holds more than 30 certifications in networking and systems engineering, including Certified Information Systems Security Professional, Holistic Information Security Practitioner, and Certified Wireless Security Professional. He has been invited to speak at many organizations and campuses on technology and information security and has published more than a dozen technical articles. Most recently, he was a professor of computer networking at Remington College where he taught courses on information security, database systems, and computer networking. He is also an Adjunct Professor of Computer Information Systems at Lorain County Community College. Education: Doctor of Information Assurance (Exp. 2013), The University of Fairfax, Vienna, Virginia; East Asian Studies (Non-degree), Kansai Gaidai University, Osaka, Japan; MBA with an Information Systems Concentration, Kent State University, Kent, Ohio; Bachelor of Science, Technology, Kent State University, Kent, Ohio; Assoc. of Applied Business, Computer Information Systems, Lorain County Community College, Elyria, Ohio.
       Janet A. Gosche, Chief Strategy & Operations Officer, janet.gosche@jurinnov.com. Janet leads JurInnov’s business operations and supports the managed services practice. Janet honed her skills at Accenture, the global management consulting, technology services and outsourcing company, where she spent 25 years helping clients improve their business operations and results. During this time, Janet was a pioneer in Accenture's emerging outsourcing practice. She is an alumni member of the FBI Citizens’ Academy. She taught experienced professionals for Accenture and was a Covey Principle Centered Leadership facilitator. She currently coaches students at the Baldwin-Wallace Center for Innovation and Growth and Mathematics Department. Education: Baldwin-Wallace College, 1978-82, Bachelor of Science in Mathematics, Magna Cum Laude, General Honors, Honors in Economics.
    4. How Do You Measure Success? Risk Management and Compliance Areas (U.S. and Global)
         • Anti-money laundering (AML)
         • Bribery / FCPA / UKBA
         • Business ethics
         • Code of business conduct
         • Competition / antitrust
         • Country law
         • CYBERSECURITY
         • Department of Transportation (logistics distribution / reverse distribution)
         • Environmental
         • Employment compliance (wage and hour / facility accessibility)
         • Employment practices / workplace rights
         • Export controls / ITAR / dual use technology / military use technology
         • Financial services, banking, insurance
         • Food safety / labeling
         • Government relations
         • Import / customs
         • Information protection
         • Intellectual property
         • Licenses and permits
         • OSHA (health and safety)
         • Product stewardship / product safety
         • Pharmacy and health services
         • Privacy
         • Records and information management
         • Securities law (including insider trading, Dodd Frank)
         • Supply chain / conflict minerals
         • Third party management
         • Trade sanctions / Office of Financial Assets Control (OFAC)
         • Government boycotts / Bureau of Industry and Security
    5. CPAs must take steps to mitigate cybersecurity risk. “CPAs, their organizations, and their clients should be aware that their data and computing resources are exposed to a growing web of cybercriminals and malicious software designed to penetrate cybersecurity defenses.” Why? A host of reasons, including…
         • Cybercriminals have the technology
         • They are organized
         • You have mobile devices
       Jeff Drew, CPA Insider, AICPA Newsletter, April 29, 2013
    6. CPAs Prioritize Tech Security. Many are not confident that their organization is handling the task appropriately. Top Tech Priorities 2012:
         1. Securing the IT environment (62%)
         2. Managing and retaining data (61%)
         3. Managing risk and compliance (65%)
         4. Ensuring privacy (62%)
         5. Leveraging emerging technologies (34%)
         6. Managing system implementation (52%)
         7. Enabling decision support and managing performance (46%)
         8. Governing and managing IT investment/spending (56%)
         9. Preventing and responding to fraud (60%)
         10. Managing vendors and service providers (56%)
       Jeff Drew, Journal of Accountancy, May 2012
    7. Your Clients are Taking the Lead – Are You? Audit committee chairs and cybersecurity experts agree “that the audit committee should take the lead in elevating cybersecurity as a key enterprise risk priority.”
         • Clarify cybersecurity roles and responsibilities within the executive team.
         • Establish metrics to adequately assess cybersecurity.
         • Meet regularly with the IT expert on the external audit team.
         • Make sure internal audit has the appropriate skills.
         • Confirm that due diligence processes incorporate cyberrisk assessments.
         • Recruit technology experts to join the board.
         • Engage “ethical hackers.”
       BoardMatters Quarterly, April 2013
    8. Is There a False Sense of Security? Some might be able to withstand a security breach. “Your average accounting firm cannot. Accountants and tax preparers … store all of the information that data thieves most want to obtain…” 73% believe they are protected…
         • 62% are confident employees were aware of the company’s formal Internet security policies.
         • 77% feel their companies are safe from cyberthreats.
         • 77% describe a strong cybersecurity and online safety posture as a positive for their brand.
       HOWEVER…
         • 83% have no formal cybersecurity plan.
         • 87% do not have a formal written Internet policy for employees.
         • 75% have no social media policy governing employee behavior.
         • 59% have no contingency plan for how to respond to and report data breach losses.
       BoardMatters Quarterly, April 2013
    9. Data Breaches Grow in Number and Scale. “This past year saw major hacks at:
         – Zappos (24M customer accounts)
         – Statfor (private U.S. intelligence firm; 5M e-mails)
         – Global Payments (1.5M credit card numbers)
         – LinkedIn (6.5M passwords)
         – eHarmony (1.5M passwords)
         – Yahoo (0.5M passwords)
         – Nationwide Mutual (1.1M customer accounts)
         – Wyndham Worldwide (600K credit card numbers)
       Cyber-security and Data Privacy Outlook and Review: 2013, Gibson, Dunn & Crutcher, 04/16/13
    10. Data Breaches Grow in Number and Scale (continued). Same list as the previous slide, adding: “…many large organizations reported that security breaches were caused by their own staff, most commonly through ignorance of security practices.” Cyber-security and Data Privacy Outlook and Review: 2013, Gibson, Dunn & Crutcher, 04/16/13
    11. 11. CONFIDENTIAL What are Cybercriminals After? Access to: – Financial information – Tax information – M&A documents – Intellectual property – Client correspondence – Possible litigation claims © 2013 JurInnov, Ltd. All Rights Reserved. Business disruption of: – Calendar system – Billing system – Website Why? – Money – Political motives – Sport 10
    12. 12. CONFIDENTIAL Is this new news? Confirm the inpact? 2013 HIPAA Omnibus Rules Accounting firms having contact with PHI must revisit policies, practices, enforce information security controls, protect confidential info, monitor workforce info access, track compliance. © 2013 JurInnov, Ltd. All Rights Reserved. 11
    13. 13. CONFIDENTIAL “Improving Critical Infrastructure Cybersecurity” Executive Order, Federal Register 13636: February 19, 2013 WASHINGTON (Reuters) - U.S. President Barack Obama on Tuesday signed an executive order seeking better protection of the country's critical infrastructure from cyber attacks that are a growing concern to the economy and national security. Reuters, 02/12/13 "We know hackers steal people's identities and infiltrate private e-mail.” “We know foreign countries and companies swipe our corporate secrets.” “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.” “Cyber threat is one of the most serious economic and national security challenges we face as a nation.” “America's economic prosperity in the 21st century will depend on cybersecurity.” We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.“ U.S. President Barack Obama, State of the Union Speech, 02/12/13 © 2013 JurInnov, Ltd. All Rights Reserved. 12
    14. U.S. Cyberspace Policy Review Near Term Actions – What are Yours?
    1. Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities.
    2. Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure.
    3. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.
    4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
    5. Conduct interagency-cleared legal analyses of priority cybersecurity-related issues.
    6. Initiate a national awareness and education campaign to promote cybersecurity.
    7. Develop an international cybersecurity policy framework and strengthen our international partnerships.
    8. Prepare a cybersecurity incident response plan and initiate a dialog to enhance public-private partnerships.
    9. Develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure.
    10. Build a cybersecurity-based identity management vision and strategy, leveraging privacy-enhancing technologies for the Nation.
    Executive Order, “Improving Critical Infrastructure Cybersecurity,” Federal Register 13636 (02/19/13)
    15. Cybersecurity Maturity: Where is Your Organization?
    Elements of Effective Cybersecurity: Culture of Security; Legal Requirements; Training and Education; Policy, Procedure and Controls; Monitoring and Auditing; Response and Documentation; Information Management; Accountability
    Maturity levels (highest to lowest):
    Leading: • Integrated strategies • Innovative changes • Seamless controls
    Optimizing: • Effective controls • Uses process metrics • Targeted improvement
    Practicing: • Defined controls • Documented standards • Consistent performance
    Developing: • Likely repeatable • Some consistency • Lacks rigorous process discipline
    Ad Hoc: • Informal • Reactive • Inconsistent performance
    16. Security vs. Compliance?
    If I am compliant, am I secure? Maybe.
    17. Security vs. Compliance?
    If I am compliant, am I secure? Maybe.
    If I am secure, am I compliant? Maybe……
    18. Compliance and Security
    “We start with the principle that says build a good program, do the right things [in terms of] controls that are appropriate for your enterprise and at the end of that process you [say] what have we missed from a regulatory perspective and what do we need to do and you close those gaps. You don’t start [by] saying what does the regulation say I must do… That can be an issue in the financial services industry because unfortunately too often people [let] external regulators tell them what they should be doing rather than construct a good program themselves.”
    Michael Barrett, PayPal CISO, interview at the RSA Conference, April 24, 2013
    19. How Do You Know Where You Stand?
    • How does your leadership team make and implement decisions about information security?
    • Do lawyers and support staff know and understand your security policies?
    • Are they disciplined in their daily behaviors?
    • Are mobile devices and small digital media secure?
    • Do you know everyone who has access to your systems (network, physical, etc.)?
    • How would you know if an unauthorized person accessed sensitive data?
    • Are you certain that you can recover from an unexpected loss?
    • Have your applications been tested from a security viewpoint?
    • Are your third party service providers secure?
    20. Who is Responsible for Security?
    Everyone: Know how to confidently use workplace technology without compromising sensitive data or hindering efficiency.
    Information Technology Team: Know the risks and the technical controls that can mitigate those risks:
    – today’s threats
    – layers of defense
    – malware
    – social engineering
    – email/web safety
    – physical security
    But, there is more…..
    21. Who is Responsible for Executive Leadership and Decisions? The Chief Security Officer
    • Identifying data risks and making informed decisions on how to handle those risks.
    • Understanding how to respond to a breach so it is contained, resolved and documented.
    • Prioritizing the most vital cybersecurity policies and procedures; overseeing their implementation and ensuring awareness and adherence.
    • Understanding and overseeing data classification and ownership.
    • Approving access to critical data.
    • Being aware of and ensuring existing and new regulatory requirements are followed.
    • Ensuring awareness of and adherence to ethical obligations.
    • Periodically evaluating the security of vendors and ongoing vendor oversight.
    • Stewarding a secure information culture embedded in the organization’s strategy, with a focus on continuous improvement.
    22. CSO – a Strategic Thinker
    “…Information security executives need to be strategic thinkers, understand the underlying technologies, and be able to calmly and practically assess evolving scenarios. Most security challenges occur at the intersection of people, process and technology.”
    George Baker, Help Net Security, June 17, 2013
    23. But, the Reality
    Many organizations do not need, cannot afford, and cannot retain a full-time Chief Security Officer!
    24. JurInnov’s Solution
    Virtual Chief Security Officer, aka…
    – Managed Service
    – Outsourced Model
    – On Call
    – As Needed
    – Part Time Resource
    25. The Virtual CSO
    Why Virtual?
    • Lower cost than a full-time CSO
    • More effective with a deeply skilled CSO team
    • Most law firms do not need a full-time CSO
    • Firm benefits from a CSO with varied experiences
    • Ability to attract and retain the best resources because of the career opportunities at a legal technology company… versus being the only security person at a firm with little or no career progression
    What is a Virtual CSO?
    • Strong balance of business acumen and technology knowledge
    • Highly skilled team
    • Varied security-related experiences
    • Certified, typically CISSP, HISP, CEH, and others
    • Part-time resources
    • On staff only when needed
    26. Virtual CSO Value
    Peace of mind
    • Understand the gap to be secure / compliant and how to get there
    • An informed leadership team
    • Employees better aware of how to be secure / compliant
    • More time for executives to focus on core business
    Business Impact
    • Lower risk
    • Lower cost
    • Positive marketing message to customers / clients
    • Fewer executive distractions / more focus on core business
    27. How Will You Know? – Customized Metrics
    • Executive satisfaction: focus on peace of mind
    • Employee awareness: better behaviors
    • Audits passed
    • System availability
    • Penetration test results
    • Compliance metrics
    • Security improvements implemented
    • Business critical systems recovery tests
    • Change management days
    • Encrypted devices
    • Etc.
    28. Why JurInnov?
    • Enterprise-wide view of risk management
    – Security first – and then compliance
    • Legal perspective and discretion
    • Core values
    • More flexibility
    – Customized arrangements
    – What you need when you need it – no more/no less
    • Over a decade of experience in
    – Protecting terabytes of sensitive, business critical data
    – Data breach response
    – Computer forensics
    – eDiscovery
    29. Questions
    To learn more, send us a chat message or give us a call at 216-664-1100 to set up a meeting to talk it through.
    Other JurInnov Solutions
    – Breach Investigation
    – Incident Response Planning
    – Computer Forensics
    – Cybersecurity Assessment / Audit
    – Cybersecurity Survey / Gap Analysis
    – Cybersecurity Risk Management and Strategic Planning
    – Cybersecurity Policy Review and Development
    – Training: Cybersecurity, Breach Response and Computer Forensics
