ISO-27001 for Law Firms LegalSEC Summit 2014 Thursday, 6/12/2014, 9:30 – 10:30 am

Introduction
Andreas Antoniou Chief Information Officer Paul, Weiss, Rifkind, Wharton & Garrison LLP
Jeff Franchetti Chief Information Officer Cravath, Swaine & Moore LLP
Peter Kaomea Chief Information Officer Sullivan & Cromwell LLP
Agenda
Why get ISO 27001 certified?
What is ISO 27001?
How to get ISO 27001 certified?
Why get ISO 27001 certified?
Benefits of ISO 27001
• Security
• Compliance
Benefits: Security
• Law firms have high concentrations of confidential information spanning hundreds or thousands of clients
• We are facing increasing data privacy regulation (EU Data Protection Act, US privacy laws in 46 states, PIPEDA, HIPAA Omnibus)
• Clients are increasingly interested in information security in Requests for Proposals, Engagement Letters, Audits, etc.
• National security organizations have engaged many firms about the importance of protecting client confidences and about specific breaches

Sidebar: Preventing Law Firm Data Breaches, Volume 38 Number 1 … Shane Sims, a security practice director at PricewaterhouseCoopers, has said, “Absolutely we’ve seen targeted attacks against law firms in the last 12 to 24 months because hackers, including state sponsors, are realizing there’s economic intelligence in those networks especially related to business deals, mergers and acquisitions.”
Protecting information helps protect firm brand
Benefits of ISO 27001
• ISO 27001 is an internationally recognized, externally certifiable standard that specifies a risk-based framework to initiate, implement, maintain, and continuously mature information security within an organization.
• Benefit areas: Compliance, Security
Benefits: Demonstrates Due Care & Infosec Process Maturity
Benefits: Helps with Client Audits
“…In addition, if your company is in possession of any Information Security certification (e.g. BSI, SSAE 16 CSA CCM, ISO 27001, PCI DSS) or audit reports, please provide them before filling out the questionnaire as they may be sufficient proof of proper Information Security in your company and no further engagement will be required.”
Benefits: High “Law” of the Land
[Diagram: ISO-27001/2 as “The Universe of Controls”, encompassing SOX, HIPAA, SOC2, Privacy Laws, NIST / FISMA]
Benefits: Growing as Industry Standard
Requests for 27001 Certification are and will continue to escalate rapidly
* Certification counts do not only show law firms
ISO-27001 Momentum in the Legal Industry
ISO 27001: Working Towards or Certified / Investigating Certification. Firms listed:
Allen & Overy; Buckley Sandler; Bond Dickinson; Cleary Gottlieb Steen & Hamilton; Clifford Chance; Davis Polk & Wardwell; Cravath, Swaine & Moore; Debevoise & Plimpton; Hogan Lovells; Fried, Frank, Harris, Shriver; Irwin Mitchell; Holland & Knight; Linklaters; Jones Day; Orrick, Herrington & Sutcliffe; Kramer Levin; Paul, Weiss, Rifkind, Wharton & Garrison; Proskauer; Ropes & Gray; Simpson Thacher & Bartlett; Shearman & Sterling; Sullivan & Cromwell; Skadden, Arps, Slate, Meagher & Flom; White & Case; Taft Stettinius & Hollister; von Briesen & Roper; Wilmer Hale; Winston & Strawn
ISO-27001 is also used extensively in e-Discovery service providers (e.g., CDS, RVM, Daegis, Espion)

ISO 27001 is a superset of frameworks and regulations
[Diagram: ISO-27001/2 as “The Universe of Controls”, encompassing SOX, HIPAA, SOC2, Privacy Laws, NIST / FISMA]
Benefits of ISO 27001 Certification
• ISO 27001 is an internationally recognized, certifiable standard that specifies a risk-based framework to initiate, implement, maintain, and manage information security within an organization. Accordingly, it can help us to rationalize and prioritize our security initiatives and investments.
• Information security is required to protect the confidentiality, integrity, and availability of client, firm, and personal data and by doing that protect brand and reputation.
• Some clients are requesting it to augment or replace parts of their own audits.
• An increasing number of law firms are achieving ISO certification and are reporting that it helps with information security audits by clients.
• ISO 27001 is a “superset” of many other information security frameworks and regulatory controls.
What is ISO 27001?
ISO Myths
• It’s just a bunch of documents
• It requires a huge investment in technology
• It is only applicable to “big law”
• It is something we can just pass off to our Security Manager
What is ISO 27001?
• ISO 27001 is
• an internationally recognized,
• certifiable standard
• that specifies a risk-based framework
• to initiate, implement, maintain, & manage information security within an organization.
Maturity Models
[Diagram: IT value rises with each maturity level]
• Chaotic: ad hoc, undocumented, unpredictable
• Reactive: fight fires
• Proactive: automate
• Predictive: Operational Excellence
PwC US Cybercrime report (June 2014)
#1 issue that should concern you: spending on cybersecurity with a misaligned (or without a) strategy isn’t smart
• Must prioritize security investments based on risk and impact to the business.
• Must classify the business value of data assets.
• Must have senior executive engagement and commitment.
Need a System, Structure, Framework
ISO Standard documents http://www.iso.org ($130)
First Edition – 2005
1. Scope
2. Normative references
3. Terms & definitions
4. ISMS
5. Management Responsibility
6. Internal ISMS audits
7. Management Review
8. ISMS improvement
(12 pages: setting up your System)

Annex A – Control objectives (“sister document”: ISO 27002)
• 11 Domains
• 39 Control Objectives
• 133 Controls

ISMS (Information Security Management System)
[Diagram: the ISO 27001:2005 outline above, overlaid with the ISMS risk management cycle: Risk Assessment, Treatment, Review]

Example: Laptop stolen from car
• You can protect your laptop with a password
• You can also encrypt your disk
• You can add a policy that you cannot leave your laptop in your car.
• You can also ask your employees to sign a TOU statement
• You can also train and make your employees aware of these risks (best practices)

The controls are never just IT related. And only with these combined controls can we be confident in our security. Easy?
ISO 27001
[Diagram: the ISO 27001:2005 outline above, overlaid with the ISMS risk management cycle: Risk Assessment, Treatment, Review]

Formal Process - Documentation
The (1st) standard contains 11 domains
Standard Areas: Domain Areas – 11; Control Objectives – 39; Controls – 133
• Security Policy
• Organization of Security
• Asset Management
• Human Resources Security
• Physical & Environmental Security
• Communications & Operations Management
• Access Control
• Information Security Incident Management
• Information Systems Acquisition, Development & Maintenance
• Business Continuity Management
• Risk & Compliance
Example: Security Policy
[Diagram: the 11 domains with Security Policy highlighted, and the hierarchy Domain → Objective → Control → Control]
Example: Human Resources Security (ISO 27002)
A 8.1 Prior to employment
- Roles & Responsibilities
- Screening
- Terms & Conditions of employment
A 8.2 During Employment
- Management responsibilities
- Information security awareness, education & training
- Disciplinary process
A 8.3 Termination or change of employment
- Termination responsibilities
- Return of assets
- Removal of access rights

ISO 27001
[Diagram: the ISO 27001:2005 outline above, overlaid with the ISMS risk management cycle: Risk Assessment, Treatment, Review]

Additional Details
Who is involved?
• Law Firm: Senior Management, CIO/CSO, DMS Admin, Network Admin, System Admin, Practice Lead, Human Resources, Legal/Compliance & Risk, Physical Security
• Consultant (optional)
• Registrar

What does it cost? (Estimates: http://www.bsigroup.org)
• Certification Costs ($10K – $15K)
• Ongoing “Post-Certification” Costs ($3K – $5K)
• Consulting Costs ($0 – $80K) - optional

How long does it take? 4 – 18 months, dependent upon:
• Scope, Gap, Resource Availability
• Budget, Current gap, Client Demand
• Firm capacity to efficiently make necessary changes
• ISMS expertise
• Willingness to disrupt BAU
Example schedule phases: Education & Gap Analysis; Assessment & Planning; Remediation; Prepare & Validate; Audit/Certify (durations shown on the slide: 1 – 10 months, 1 – 2 months, 1 – 2 months, 1 – 3 months)
© 2010 Pivot Point Security, Inc.

How to get ISO 27001 certified?
ISO-27001 “Road Map” to Certification
The 12 Steps
1. We admitted we were powerless over alcohol—that our lives had become unmanageable.
2. Came to believe that a power greater than ourselves could restore us to sanity.
3. Made a decision to turn our will and our lives over to the care of God as we understood Him.
4. Made a searching and fearless moral inventory of ourselves.
5. Admitted to God, to ourselves, and to another human being the exact nature of our wrongs.
6. Were entirely ready to have God remove all these defects of character.
7. Humbly asked Him to remove our shortcomings.
8. Made a list of all persons we had harmed, and became willing to make amends to them all.
9. Made direct amends to such people wherever possible, except when to do so would injure them or others.
10. Continued to take personal inventory, and when we were wrong, promptly admitted it.
11. Sought through prayer and meditation to improve our conscious contact with God as we understood Him, praying only for knowledge of His will for us and the power to carry that out.
12. Having had a spiritual awakening as the result of these steps, we tried to carry this message to alcoholics, and to practice these principles in all our affairs.

ISO-27001 “Road Map” to Certification
The 12 Steps to ISO Certification
1. We admitted we were powerless over security—that our lives had become unmanageable.
2. Came to believe that a power greater than ourselves could restore us to sanity.
3. Made a decision to turn our will and our lives over to the care of ISO 27001.
4. Made a searching and fearless moral inventory of systems.
5. Admitted to ISO, to ourselves, and to another human being the exact nature of our wrongs.
6. Were entirely ready to have ISO remove all these defects of character.
7. Humbly asked ISO to remove our shortcomings.
8. Made a list of all systems we had harmed, and became willing to make amends to them all.
9. Made direct amends to such people wherever possible, except when to do so would injure them or others.
10. Continued to take personal inventory, and when we were wrong, promptly admitted it.
11. Sought through corrective and preventative actions to improve our conscious contact with ISO, praying only for knowledge of ISO’s will for us and the power to carry that out.
12. Having had a spiritual awakening as the result of these steps, we tried to carry this message to other law firms, and to practice these principles in all our affairs.

ISO-27001 “Road Map” to Certification
1. Obtain Management Buy-in
2. Apply a Project Management Framework
3. Perform Gap Analysis
4. Define Scope
5. Publish an ISMS Policy
6. Perform Risk Assessment
7. Develop a Risk Treatment Plan
8. Publish a Statement of Applicability
9. Implement Controls and Procedures
10. Operate, Monitor and Measure the ISMS
11. Perform an Internal Audit
12. Certification

Example scope statements:

Cravath, Swaine & Moore LLP SCOPE: A framework of information security management processes, practices and controls that ensure the confidentiality, integrity, and availability of firm wide IT infrastructure and services that enable the business processes and activities supported by Document Management Service (DMS), Email Services (EMS), Litigation Document Storage Service (LDSS) & Remote Access Services (RAS).

Paul, Weiss, Rifkind, Wharton & Garrison, LLP SCOPE: Information Security Management System (ISMS): a framework of processes and control specifications to the configuration, provision, and management of Document Management Service (DMS), Email Service (EMS), Remote Access Services (RAS), and Mobile Device Management Services (MDMS) protecting client and firm information assets globally. These activities take place in the SunGard co-location data center located in New Jersey and within the Paul Weiss offices located in NY, NY.

Sullivan & Cromwell LLP: The ISMS (Information Security Management System) supports and protects the security of Sullivan & Cromwell LLP client and firm data and associated confidential information residing in NY, NY.

Questions?
Are you ready to pitch ISO 27001 within your own firms?
Visit the ILTA Knowledge Bank to download a consolidated version of this presentation.

ADDITIONAL SLIDES
ISO 27001:2013 – Second Edition http://www.iso.org ($130)

First Edition – 2005
1. Scope
2. Normative references
3. Terms & definitions
4. ISMS
5. Management Responsibility
6. Internal ISMS audits
7. Management Review
8. ISMS improvement
Annex A – Control objectives
• 11 Domains
• 39 Control Objectives
• 133 Controls

Second Edition – 2013
1. Scope
2. Normative references
3. Context of the organization
4. Leadership
5. Planning, Support
6. Operation
7. Performance Evaluation
8. Improvement
Annex A – Reference controls
• 14 Domains
• 35 Control Objectives
• 114 Controls