The Benefits of ISO-27001 for Legal Firms
Is it right for your firm?
Today’s Agenda
1) What is ISO-27001? Why are you hearing so much about it?
2) What problems does it solve? Other benefits?
3) What does the process look like?
4) How much? How fast? How painful?
5) Why is it relevant to the Legal Vertical?
© 2010 Pivot Point Security, Inc.
Quick Clarification
• ISO-27000 is a “series” of information security standards
• ISO-27001 “uses” ISO-27002
• ISO-27002 used to be called ISO-17799
Should we be thinking about 27001?
How Bad is Your Pain?
• We need to prove to many of our clients that we are “secure”
• We need to prove that many of our service providers keep our data secure
• We need to prove we are compliant with different regulations/standards
• We are struggling with regards to Information Security
Law Firm Pain is (similar but) Different
• Highly diverse levels of very sensitive data in a single firm
• Diverse Client/Vendor Risk Management (VRM) practices
• National/International Client Base
• International attestation
• PII Data Protection laws (EU-DPA, 46 State PII, PIPEDA)
• Partner Model can be divergent with F500 security requirements
• “Brand” is a priority
Law Firm Client Contract Pain: “Blame the Cloud”
• The “Cloud Attestation Vortex”
• As VRM practices rapidly mature/evolve, contractual “expectations” do as well
• Prove to me you’re “secure”: Pen Tests, SOC2, ISO27001, FedRAMP
• Prove to me you’re “compliant”: HIPAA, PCI, PII, etc.
[Diagram: SaaS/IaaS/PaaS (cost, scalability, flexibility, redundancy) → increasing ability of vendors to prove they are secure & compliant → rapidly becoming industry norm → “Secure?”]
Companies Asking for ISO-27001 Certification
Growth of ISO-27001 Certification
Requests for 27001 Certification are escalating rapidly and will continue to do so.
Law Firm Regulatory Pain: “Thanks, CMS!!”
• HIPAA: Covered Entities (CE) are beholden
• HIPAA HITECH: Business Associate Agreement (BAA) signers are beholden
• HIPAA Omnibus Rule: Implicit BAA via data Store, Process, Transit
• Key Impacts:
  • Need to apply the “Principle of Least Privilege” (Document Management System)
  • Develop Breach Risk/Impact Assessment mechanism to mitigate Breach Notification Risk on un-authorized disclosure (even by a lawyer in the same practice area)
Law Firm Cyber Security Pain: Targeted Attacks
Mary Galligan, head of FBI’s NYC cyber division convened a meeting with the top 200 law firms in New York City last November to deal with the rising number of law firm intrusions.
China-based hackers looking to derail the $40 billion acquisition of the world’s largest potash producer by an Australian mining giant zeroed in on the Canadian law firms handling the deal.
Law Firm Pain: Unique Culture
[Figure: Partner’s Opinion vs. Best Practice]
Law Firm Operational Pain: Mobility & BYOD
Law Firm Practice Pain: Paper (lots of it)
Law Firm Pain: Desired (& un-desired) Use
Good News: Freud would have liked 27001 …
In Freudian psychology, people seek pleasure and avoid pain …
Should we be thinking about 27001?
How Much Success Can You Handle?
• We are always looking for competitive differentiators
• We are always proactive and looking to stay ahead of the curve
“Our recent ISO 27001 and ISO 20000 certifications provide us with a competitive differentiator in the market place.”
“It also provides us with further validation that our approach to managing service delivery and security risk is comprehensive and effective -- an important consideration for our business and customers …”
A Competitive Differentiator (for now)
More Good News …
ISO-27001 will address each of the pain points, differentiate your firm in the near term, position you to keep/win business with organizations with mature Vendor Risk Management programs, and significantly simplify security & compliance …
What is ISO-27001 ?
“ISO27001 is an internationally recognized, certifiable,
Information Security Standard that formally specifies an
Information Security Management System (ISMS) to
bring Information Security under explicit management control.”
ISO-27001 “Road Map”
• Determine Your Scope
• Understand Your Risks
• Determine Best Way to Manage The Risks
• Find Gap Between Desired & Current State
• Close the Gaps
• Certify the ISMS
• Monitor & Respond
• Improve the ISMS
• Repeat
Determine Your Scope
[Diagram: sample ISMS scope, “Pharmaceutical Client Data Flow”, showing in-scope vs. out-of-scope network zones (External, VPN, User LAN, Servers LAN, DMZ), hosting systems for research/production services (web servers, Oracle/MS SQL databases, mail server, S-FTP server, scanner & physical media), and the client submission paths (email, S-FTP, delivery of docs, disks & drives) through to the deliverable; several SMB/SQL links are marked “?” or “Unknown”]
Understand Risk - Risk Assessment
• Identify, Assess, & Decide on Risks
• Risks that are not “acceptable” will need to be “remediated” (next slide)
• Risk Assessment is simplified by focusing on information/processes
• Secure Data Flow Diagramming is intuitive and management inclusive
• Asset Centric Risk Assessment is painful
Managing Risk – Risk Treatment Plan
• You manage risk by applying controls
• Controls are mechanisms which reduce risk
• ISO-27001 defines the process
• Determines which of the ~114 ISO 27002 controls we should implement in our environment
• The controls inherent in 27001 all have to be implemented
• There is a possibility that you will need to use controls outside of 27002
Gap Assess & Remediate
• Gap assess current implementation vs. Risk Treatment Plan
• Develop Prioritized Remediation Plan
Get Certified !!
Celebrate Your Success
27001 Benefits: Improved Risk Management
• Applying only those controls required reduces costs
• Applies a structured risk management approach
• Integrates/aligns with corporate ERM
• Greater, more positive exposure to management for CSO/CIO
• Rationalizing budgetary requirements in a language management understands = More Money
• Rationalizing strategic and security direction based on customer mandate = Greater Acceptance
27001 Benefits: Reduces the Burden of Compliance
• Reduces Complexity of Dealing with Multiple Standards
• Attest once to a single standard, then map to disparate standards
• Inputs now become outputs (HIPAA, NIST/FISMA, PII)
27001 Benefits: Reduces the Burden of Attestation
• Attestation can be Painful
• Replaces SOC1/2 at a notably lower cost
• Provide 27001 instead of answering endless questionnaires
• 27001 “derivatives” may be helpful for certain industries
27001 Benefits: Simplifies Vendor Risk Management
• Gain attestation that their control environment is compliant with the world’s leading Info-Sec Standard
27001 Benefits: Complex Problem – A Simple Approach
• A “recipe” that has been vetted by thousands over the last 15 years
• International standard usable and accepted world wide
• 27001 mandates Continuous Improvement
27001 Benefits: Demonstrate Thought Leadership
FAQ’s: The Six W’s of ISO-27001
1) Who?
2) What?
3) Why?
4) When?
5) Where?
6) How?
Who is Involved?
[Diagram: Law Firm → Consultant (optional): Prepare & Validate → Registrar: Audit/Certify]
Who is Involved?
• CIO/CSO
• DMS Admin
• Network Admin
• System Admin
• Practice Lead
• Human Resources
• Legal/Compliance
• Physical Security
• Senior Management
Most firms appoint a project lead who engages relevant personnel as required.
What: ISMS Scope
Where is the sensitive information that clients want assurance on?
• Multiple offices?
• Multiple regions?
What Does it Cost?
Four Key Factors
• Scope
• Current Gap
• Firm’s Capacity
• Execute: facilitate ratio
• Schedule
Why: ISO-27001 vs. Alternatives
• Superset of Regulatory & Information Security Frameworks
• Internationally Accepted
• Dovetails with ERM
• Basis of most VRM programs & other standards (Shared Assessment, HITRUST)
• Clients are asking for it
• Simplifies life
[Diagram: ISO-27001/2 as “The Universe of Controls”, encompassing HIPAA, SOX, SOC2, PII Laws and NIST/FISMA]
When: Typical Timeline?
4 – 18 months, dependent upon Scope, Gap, Resource Availability, ISMS Expertise, Budget, Client Demand, & Willingness to disrupt BAU
Where is ISO-27001 Leveraged?
Everywhere !!
How Does ISO-27001 Work?
Unless you have been sleeping … or I did a terrible job … you should have a pretty good idea by now … :>)
Q & A
Any Questions?
Did we Accomplish Our Agenda?
1) ISO-27001 is an internationally accepted information security risk management program
2) It addresses the unique challenges in law firms and positions them with discerning clients
3) The process is relatively simple and straightforward (although involved)
4) We discussed timelines, costs, & resourcing
5) It’s highly relevant to the Legal Vertical because it’s highly relevant to the legal vertical’s clients