The Benefits of ISO-27001 for Legal Firms

Report
The Benefits of ISO27001 for Legal Firms
Is it right for your firm?
2
Today’s Agenda
1) What is ISO-27001? Why are you hearing so
much about it?
2) What problems does it solve? Other
benefits?
3) What does the process look like?
4) How much ? How fast ? How painful?
5) Why is it relevant to the Legal Vertical?
© 2010 Pivot Point Security, Inc.
3
Quick Clarification
• ISO-27000 is a “series” of
information security standards
• ISO-27001 “uses” ISO-27002
• ISO-27002 used to be called ISO17799
© 2010 Pivot Point Security, Inc.
4
Should we be thinking about 27001?
How Bad is Your Pain?
We need to prove to many of our clients
that we are “secure”
We need to prove that many of our
service providers keep our data secure
We need to prove we are compliant with
different regulations/standards
We are struggling with regards to
Information Security
© 2010 Pivot Point Security, Inc.
5
Law Firm Pain is (similar but) Different
• Highly diverse levels of very sensitive data in a single firm
• Diverse Client/Vendor Risk Management (VRM) practices
• National/International Client Base
• International attestation
• PII Data Protection laws (EU-DPA, 46 State PII, PIPEDA)
• Partner Model can be divergent with F500 security requirements
• “Brand” is a priority
© 2010 Pivot Point Security, Inc.
6
Law Firm Pain is (similar but) Different
© 2010 Pivot Point Security, Inc.
7
Law Firm Client Contract Pain: “Blame the Cloud”
SAAS/IAAS/PAAS
• The “Cloud Attestation Vortex”
• As VRM practices rapidly
mature/evolve contractual
“expectations” do as well
Secure ?
• Prove to me your “secure”
• Pen Tests, SOC2, ISO27001,
FedRAMP
• Prove to me your “compliant”
Increasing ability of vendors to
prove they are secure & compliant
© 2010 Pivot Point Security, Inc.
• HIPAA, PCI, PII, etc.
8
Companies Asking for ISO-27001 Certifcation
© 2010 Pivot Point Security, Inc.
9
Growth of ISO-27001 Certifcation
Requests for 27001
Certification are
and will continue
to escalate rapidly
10
Law Firm Regulatory Pain: “Thanks' CMS!!”
• HIPAA
• Covered Entities (CE) are beholden
• HIPAA HITECH
• Business Associate Agreement (BAA)
signers are beholden
• HIPAA Omnibus Rule
• Implicit BAA via data Store, Process,
Transit
• Key Impacts
• Need to apply the “Principle of Least
Privilege”
• Document Management System
• Develop Breach Risk/Impact Assessment
mechanism to mitigate Breach
Notification Risk on un-authorized
disclosure (even by a lawyer in same
practice area)
© 2010 Pivot Point Security, Inc.
11
Law Firm Cyber Security Pain: Targeted Attacks
China-based hackers looking to derail the $40
billion acquisition of the world’s largest
potash producer by an Australian mining
giant zeroed in on the Canadian law firms
handling the deal.
Mary Galligan, head of FBI’s NYC cyber
division convened a meeting with the top 200
law firms in New York City last November to
deal with the rising number of law firm
intrusions.
© 2010 Pivot Point Security, Inc.
12
Law Firm Pain: Unique Culture
© 2010 Pivot Point Security, Inc.
13
Law Firm Operational Pain: Mobility & BYOD
© 2010 Pivot Point Security, Inc.
14
Law Firm Practice Pain: Paper (lots of it)
© 2010 Pivot Point Security, Inc.
15
Law Firm Pain: Desired (& un-desired) Use
© 2010 Pivot Point Security, Inc.
16
Good News: Freud would have liked 27001 …
In Freudian
psychology,
people seek
pleasure
and avoid
pain …
© 2010 Pivot Point Security, Inc.
17
Should we be thinking about 27001?
How Much Success Can You Handle?
"Our recent ISO 27001 and ISO 20000
We are always
certifications
provide looking
us with afor
competitive
differentiators
competitive
differentiator
in the market
place.We are always proactive and
looking to stay ahead of the
“It also provides us
with further
curve
validation that our approach to
managing service delivery and security
risk is comprehensive and effective -- an
important consideration for our
business and customers …”
© 2010 Pivot Point Security, Inc.
18
A Competitive Differentiator (for now)
19
More Good News …
ISO-27001 will address each of the pain points,
differentiate your firm in the near term, and
position you to keep/win business with
organization with mature Vendor Risk
Management programs, and significantly
simplify security & compliance …
20
What is ISO-27001 ?
“ISO27001 is an internationally recognized,
certifiable, Information Security Standard
that formally specifies an Information
Security Management System (ISMS) to
bring Information Security under explicit
management control.”
21
What is ISO-27001 ?
“ISO27001 is an internationally recognized,
certifiable, Information Security Standard
that formally specifies an Information
Security Management System (ISMS) to
bring Information Security under explicit
management control.”
22
What is ISO-27001 ?
“ISO27001 is an internationally recognized,
certifiable, Information Security Standard
that formally specifies an Information
Security Management System (ISMS) to
bring Information Security under explicit
management control.”
23
What is ISO-27001 ?
“ISO27001 is an internationally recognized,
certifiable, Information Security Standard
that formally specifies an Information
Security Management System (ISMS) to
bring Information Security under explicit
management control.”
24
What is ISO-27001 ?
“ISO27001 is an internationally recognized,
certifiable, Information Security Standard
that formally specifies an Information
Security Management System (ISMS) to
bring Information Security under explicit
management control.”
25
What is ISO-27001 ?
“ISO27001 is an internationally recognized,
certifiable, Information Security Standard
that formally specifies an Information
Security Management System (ISMS) to
bring Information Security under explicit
management control.”
26
What is ISO-27001 ?
“ISO27001 is an internationally recognized,
certifiable, Information Security Standard
that formally specifies an Information
Security Management System (ISMS) to
bring Information Security under explicit
management control.”
ISO-27001 “Road Map”
•
•
•
•
•
•
•
•
•
Determine Your Scope
Understand Your Risks
Determine Best Way to Manage The Risks
Find Gap Between Desired & Current State
Close the Gaps
Certify the ISMS
Monitor & Respond
Improve the ISMS
Repeat
© 2010 Pivot Point Security, Inc.
28
Determine Your Scope
Pharmaceutical Client Data Flow
User LAN Zone
1
2
XX Smith St
Submission of
Docs, Disks &
Drives
(Scanner &
Physical Media)
3
Worker
machines
SMB?
SMB?
4a
S-FTP submission
S-FTP Server
Unknown
Email submission
Mail Server
SMB?
4
XXX App
for Research
Services
SMB?
MS SQL DB
Unknown
XXX App
For
Pharmaceutical
Research,
Production &
Hosting Services
Smith I
NAS
4b
SMB?
EDP LAN Zone
Pharma
Clients
SSL
XXX & YYY
Hosting Systems
SQL?
XXX & ZZZ
Hosting Systems
MS SQL Server DBs
IIS Web Servers
External
© 2010 Pivot Point Security, Inc.
DMZ Zone
Out-of-Scope
Deliverable
6
7
XXX
London
Paper
ZZZ
(CC Export System)
For Production
Services
SQL?
Apache(?)
Web Server
Oracle DB
SSL
5
VPN Zone
5a
Servers LAN Zone
Client
29
Understand Risk - Risk Assessment
• Identify, Assess, & Decide on Risks
• Risks that are not “acceptable” will need to be “remediated” (next slide)
• Risk Assessment is simplified by focusing on information/ processes
• Secure Data Flow Diagramming is intuitive and management inclusive
• Asset Centric Risk Assessment is painful
© 2010 Pivot Point Security, Inc.
30
Managing Risk – Risk Treatment Plan
• Your manage risk by applying controls
• Controls are mechanisms which reduce risk
• ISO-27001 defines the process
• Determines which of the ~ 114 ISO 27002 controls we should
implement in our environment
• The controls inherent in 27001 all have to be implemented
• There is a possibility that you will need to use controls outside
of 27002
© 2010 Pivot Point Security, Inc.
31
Gap Assess & Remediate
• Gap assess current
implementation vs.
Risk Treatment Plan
• Develop Prioritized
Remediation Plan
© 2010 Pivot Point Security, Inc.
Get Certified !!
Celebrate
Your
Success
© 2010 Pivot Point Security, Inc.
27001 Benefits:
Improved Risk Management
• Applies a structured risk management approach
• Integrates/aligns with corporate ERM
• Greater, more positive exposure to management for CSO/CIO
• Rationalizing budgetary requirements in a language
management understands = More Money
Applying only those controls required reduces costs
• Rationalizing strategic and security direction based
on customer mandate = Greater Acceptance
© 2010 Pivot Point Security, Inc.
33
27001 Benefits:
Reduces the Burden of Compliance
• Reduces Complexity of Dealing
with Multiple Standards
• Attest once to a single standard
then map to disparate standards
• Inputs now become outputs
(HIPAA, NIST/FISMA, PII)
© 2010 Pivot Point Security, Inc.
34
27001 Benefits:
Reduces the Burden of Attestation
• Attestation can be Painful
• Replaces SOC1/2 at a notably
lower cost
• Provide 27001 instead of
answering endless
questionnaires
• 27001 “derivatives” may be
helpful for certain industries
© 2010 Pivot Point Security, Inc.
35
27001 Benefits:
Simplifies Vendor Risk Management
• Gain attestation that their control environment is
compliant with the world’s leading Info-Sec Standard
© 2010 Pivot Point Security, Inc.
36
27001 Benefits:
Complex Problem – A Simple Approach
37
• A “recipe” that has been
vetted by thousands over the
last 15 years
• International standard usable
and accepted world wide
• 27001 mandates Continuous
Improvement
27001 Benefits:
Demonstrate Thought Leadership
© 2010 Pivot Point Security, Inc.
38
39
FAQ’s: The Six W’s of ISO-27001
1) Who?
2) What?
3) Why?
4) When?
5) Where?
6) How?
© 2010 Pivot Point Security, Inc.
40
Who is Involved?
Law Firm
Consultant
(optional)
Prepare & Validate
Audit/Certify
© 2010 Pivot Point Security, Inc.
Registrar
41
Who is Involved?
•
•
•
•
•
•
•
•
•
CIO/CSO
DMS Admin
Network Admin
System Admin
Practice Lead
Human Resources
Legal/Compliance
Physical Security
Senior Management
© 2010 Pivot Point Security, Inc.
Most firms appoint a project
lead who engages relevant
personnel as required
42
What: ISMS Scope
Where is sensitive information that
clients want assurance on?
• Multiple offices?
• Multiple regions?
43
What Does it Cost?
Four Key Factors
• Scope
• Current Gap
• Firm’s Capacity
• Execute: facilitate ratio
• Schedule
44
Why: ISO-27001 vs. Alternatives
• Superset of Regulatory
& Information Security
Frameworks
• Internationally
Accepted
• Dovetails with ERM
• Basis of most VRM
programs & other
standards (Shared
Assessment, HITRUST)
• Clients are asking for it
• Simplifies life
SOX
HIPAA
SOC2
PII
Laws
NIST/FISMA
45
When: Typical Timeline?
4 – 18 months dependent upon Scope, Gap, Resource Availability, ISMS
Expertise, Budget, Client Demand, & Willingness to disrupt BAU
46
Where is ISO-27001 Leveraged?
Everywhere !!
47
How Does ISO-27001 Work?
Unless you have been sleeping … or I
did a terrible job … you should have
a pretty good idea by now … :>)
48
Q &A
Any
Questions
?
© 2010 Pivot Point Security, Inc.
49
Did we Accomplish Our Agenda?
1) ISO-27001 is an internationally accepted
information security risk management program
2) It addresses the unique challenges in law firms
and positions them with discerning cleints
3) The process is relatively simple and straightforward (although involved)
4) We discussed time-lines, costs, & resourcing
5) Its highly relevant to the Legal Vertical because
its highly relevant to the legal verticals clients
© 2010 Pivot Point Security, Inc.

similar documents