The Benefits of ISO-27001 for Legal Firms: Is it right for your firm?

Page 1: The Benefits of ISO-27001 for Legal Firms: Is it right for your firm?


Today's Agenda

1) What is ISO-27001? Why are you hearing so much about it?
2) What problems does it solve? What other benefits does it bring?
3) What does the process look like?
4) How much? How fast? How painful?
5) Why is it relevant to the Legal Vertical?

© 2010 Pivot Point Security, Inc.


Quick Clarification

• ISO-27000 is a "series" of information security standards
• ISO-27001 is the certifiable requirements standard; it "uses" ISO-27002, the code of practice whose controls are listed in 27001's Annex A
• ISO-27002 used to be called ISO-17799


Should we be thinking about 27001?

How Bad is Your Pain?

• We need to prove to many of our clients that we are "secure"
• We need to prove that many of our service providers keep our data secure
• We need to prove we are compliant with different regulations/standards
• We are struggling with regards to Information Security


Law Firm Pain is (similar but) Different


• Highly diverse levels of very sensitive data in a single firm
• Diverse Client/Vendor Risk Management (VRM) practices
• National/International client base
• International attestation
• PII data protection laws (EU-DPA, 46 State PII, PIPEDA)
• Partner model can be divergent with F500 security requirements
• "Brand" is a priority



Law Firm Client Contract Pain: “Blame the Cloud”


• The "Cloud Attestation Vortex"
• As VRM practices rapidly mature/evolve, contractual "expectations" do as well
• Prove to me you're "secure": Pen Tests, SOC2, ISO27001, FedRAMP
• Prove to me you're "compliant": HIPAA, PCI, PII, etc.

[Diagram: SaaS/IaaS/PaaS brings cost, scalability, flexibility and redundancy; the increasing ability of cloud vendors to prove they are secure and compliant is rapidly becoming the industry norm, leaving everyone else to answer "Secure?"]


Companies Asking for ISO-27001 Certification


Growth of ISO-27001 Certification

Requests for 27001 Certification are escalating rapidly and will continue to do so


Law Firm Regulatory Pain: "Thanks, CMS!!"


• HIPAA: Covered Entities (CE) are beholden
• HIPAA HITECH: Business Associate Agreement (BAA) signers are beholden
• HIPAA Omnibus Rule: implicit Business Associate status for anyone who stores, processes or transmits PHI on a CE's behalf, BAA or not
• Key Impacts:
  • Need to apply the "Principle of Least Privilege" to the Document Management System
  • Develop a Breach Risk/Impact Assessment mechanism to mitigate Breach Notification risk on unauthorized disclosure (even by a lawyer in the same practice area)


Law Firm Cyber Security Pain: Targeted Attacks


Mary Galligan, head of FBI’s NYC cyber division convened a meeting with the top 200 law firms in New York City last November to deal with the rising number of law firm intrusions.

China-based hackers looking to derail the $40 billion acquisition of the world’s largest potash producer by an Australian mining giant zeroed in on the Canadian law firms handling the deal.


Law Firm Pain: Unique Culture


[Diagram: "Partner's Opinion" set against "Best Practice".]


Law Firm Operational Pain: Mobility & BYOD


Law Firm Practice Pain: Paper (lots of it)


Law Firm Pain: Desired (& un-desired) Use


Good News: Freud would have liked 27001 …


In Freudian psychology, people seek pleasure and avoid pain …


Should we be thinking about 27001?

How Much Success Can You Handle?

• We are always looking for competitive differentiators
• We are always proactive and looking to stay ahead of the curve

"Our recent ISO 27001 and ISO 20000 certifications provide us with a competitive differentiator in the market place. It also provides us with further validation that our approach to managing service delivery and security risk is comprehensive and effective -- an important consideration for our business and customers …"


A Competitive Differentiator (for now)


More Good News …

ISO-27001 will address each of the pain points, differentiate your firm in the near term, position you to keep/win business with organizations that have mature Vendor Risk Management programs, and significantly simplify security & compliance …


What is ISO-27001?

"ISO 27001 is an internationally recognized, certifiable Information Security Standard that formally specifies an Information Security Management System (ISMS) to bring Information Security under explicit management control."


ISO-27001 "Road Map"

• Determine Your Scope
• Understand Your Risks
• Determine the Best Way to Manage the Risks
• Find the Gap Between Desired & Current State
• Close the Gaps
• Certify the ISMS
• Monitor & Respond
• Improve the ISMS
• Repeat


Determine Your Scope

[Diagram: example scoping data-flow diagram for a pharmaceutical research, production & hosting services client (not a law firm). Network zones: External, VPN Zone, User LAN Zone, EDP LAN Zone, Servers LAN Zone, DMZ Zone, plus an Out-of-Scope area. Systems shown: worker machines, a NAS, an Apache(?) web server with an Oracle DB, IIS web servers with MS SQL Server DBs, a mail server, an S-FTP server, a CC export system for production services, a London hosting site, and a scanner with physical media at the Smith St office. Numbered flows 1 through 7 trace pharma client data from submission (email, S-FTP, and documents, disks & drives on paper) through processing to the client deliverable. Several links are labelled only "SMB?", "SQL?", "SSL" or "Unknown": the transport and protection of those flows had not yet been established when the diagram was drawn, which is exactly what scoping is meant to surface.]


Understand Risk - Risk Assessment

• Identify, Assess, & Decide on Risks
• Risks that are not "acceptable" will need to be "remediated" (next slide)
• Risk Assessment is simplified by focusing on information/processes
• Secure Data Flow Diagramming is intuitive and management inclusive
• Asset Centric Risk Assessment is painful


Managing Risk – Risk Treatment Plan

• You manage risk by applying controls; controls are mechanisms which reduce risk
• ISO-27001 defines the process for deciding which of the ~114 ISO 27002 (Annex A) controls to implement in your environment; the decisions are recorded in the Statement of Applicability
• The management-system requirements in the body of 27001 are all mandatory; Annex A controls are selected based on the risk assessment, and any you exclude must be justified
• There is a possibility that you will need to use controls from outside 27002 (e.g. client-contract or regulatory requirements)


Gap Assess & Remediate


• Gap assess current implementation vs. Risk Treatment Plan

• Develop Prioritized Remediation Plan


Get Certified !!


Celebrate Your Success


27001 Benefits: Improved Risk Management

Applying only those controls required reduces costs

• Applies a structured risk management approach
• Integrates/aligns with corporate ERM
• Greater, more positive exposure to management for the CSO/CIO
• Rationalizing budgetary requirements in a language management understands = More Money
• Rationalizing strategic and security direction based on customer mandate = Greater Acceptance


27001 Benefits: Reduces the Burden of Compliance

• Reduces the complexity of dealing with multiple standards
• Attest once to a single standard, then map to disparate standards
• Inputs now become outputs (HIPAA, NIST/FISMA, PII)


27001 Benefits: Reduces the Burden of Attestation

• Attestation can be painful
• Many clients accept a 27001 certificate in place of a SOC 1/SOC 2 report, at a notably lower cost
• Provide 27001 instead of answering endless questionnaires
• 27001 "derivatives" may be helpful for certain industries


27001 Benefits: Simplifies Vendor Risk Management

• Gain attestation that your vendors' control environment is compliant with the world's leading Info-Sec Standard


27001 Benefits: Complex Problem – A Simple Approach

• A “recipe” that has been vetted by thousands over the last 15 years

• International standard usable and accepted world wide

• 27001 mandates Continuous Improvement


27001 Benefits: Demonstrate Thought Leadership


FAQs: The Six W's of ISO-27001

1) Who?
2) What?
3) Why?
4) When?
5) Where?
6) How?


Who is Involved?


[Diagram: the Law Firm, with an optional Consultant, prepares and validates the ISMS; the Registrar (certification body) audits and certifies it.]


Who is Involved?


• CIO/CSO
• DMS Admin
• Network Admin
• System Admin
• Practice Lead
• Human Resources
• Legal/Compliance
• Physical Security
• Senior Management

Most firms appoint a project lead who engages relevant personnel as required


What: ISMS Scope

Where is the sensitive information that clients want assurance on?

• Multiple offices?
• Multiple regions?


What Does it Cost?

Four Key Factors

• Scope
• Current Gap
• Firm's Capacity (execute : facilitate ratio, i.e. how much the firm does itself versus what a consultant facilitates)
• Schedule


Why: ISO-27001 vs. Alternatives

• Superset of Regulatory & Information Security Frameworks
• Internationally Accepted
• Dovetails with ERM
• Basis of most VRM programs & other standards (Shared Assessments, HITRUST)
• Clients are asking for it
• Simplifies life

[Diagram: ISO-27001/2 as "The Universe of Controls", enclosing HIPAA, SOX, SOC2, PII Laws and NIST/FISMA.]


When: Typical Timeline?

4 – 18 months, dependent upon Scope, Gap, Resource Availability, ISMS Expertise, Budget, Client Demand, & Willingness to disrupt BAU


Where is ISO-27001 Leveraged?

Everywhere !!


How Does ISO-27001 Work?

Unless you have been sleeping … or I did a terrible job … you should have a pretty good idea by now … :>)


Q & A

Any Questions?


Did we Accomplish Our Agenda?

1) ISO-27001 is an internationally accepted information security risk management program
2) It addresses the unique challenges in law firms and positions them well with discerning clients
3) The process is relatively simple and straightforward (although involved)
4) We discussed timelines, costs, & resourcing
5) It's highly relevant to the Legal Vertical because it's highly relevant to the legal vertical's clients