ISO-27001 and Beyond
LegalTech 2015 – New York
February 3, 2014, 10:30 am – 11:45 am
ISO Myth #1: It’s just a bunch of documents
ISO Myth #2: It is something we have to do, but it doesn’t actually add value
ISO Myth #3: It requires a huge investment in technology
ISO Myth #4: It is only applicable to “big law”
ISO Myth #5: It is just an “I.T.” thing
ISO Myth #6: It is a waste of time because NIST is coming
ISO Myth #7: I’m a legal vendor. This doesn’t apply to me
ISO Myth #8: It will take years
ISO Myth #9: Clients don’t care about certification
LEGALTECH NEW YORK / FEBRUARY 3‐5 2015
Introduction
Andreas Antoniou, Chief Information Officer, Paul, Weiss, Rifkind, Wharton & Garrison LLP
Jeff Franchetti, Chief Information Officer, Cravath, Swaine & Moore LLP
Peter Kaomea, Chief Information Officer, Sullivan & Cromwell LLP
Rachelle Rennagel, Director of Research & Information Services, White & Case LLP (Session Moderator)
Agenda
Why get ISO 27001 certified? Make the case!
How to get ISO 27001 certified? Do it!
What’s beyond ISO certification? Live it!
Why get ISO 27001 certified?
Improve Security to Protect Client Interests & Firm Reputation
Demonstrate Due Care
Client and Regulatory Compliance
Why: Information security helps protect client interests and firm reputation
Reputation Management for Law Firms
Benefits of ISO 27001
• Security: ISO 27001 specifies a risk-based framework to initiate, implement, maintain, and continuously mature information security within an organization.
• Due Care: ISO 27001 is an internationally recognized, externally certifiable standard.
Why: Worldwide Trend & International Recognition
[Chart: Worldwide ISO Certifications, 2007–2014; vertical axis 0 to 25,000 certifications]
Why: Momentum in Legal
ISO 27001 Certified:
Addleshaw Goddard; Allen & Overy; Bird & Bird; Berwin Leighton Paisner; Bond Dickinson; Clifford Chance; Cravath, Swaine & Moore; Eversheds; Hogan Lovells; Irwin Mitchell; Linklaters; Milbank; Norton Rose Fulbright; Orrick, Herrington & Sutcliffe; Paul, Weiss; Pinsent Masons; Ropes & Gray; Simpson Thacher & Bartlett; Sullivan & Cromwell; White & Case
Working Towards or Investigating Certification:
Arnold & Porter; Alston & Bird; Baker & McKenzie; Baker Donelson; Bryan Cave; BuckleySandler; Cleary Gottlieb; Davis Polk & Wardwell; Davis Wright Tremaine; Debevoise & Plimpton; Dorsey & Whitney; Duane Morris; Epstein Becker & Green; Faegre Baker Daniels; Foley & Lardner; Fried, Frank; Goodwin Procter; Gray Robinson; Greenberg Traurig; Holland & Knight; Hughes Hubbard; Hunton & Williams; Jones Day; King & Spalding; Kramer Levin; McDermott Will & Emery; Morrison Foerster; O'Melveny & Myers; Perkins Coie; Proskauer; Seyfarth Shaw; Shearman & Sterling; Skadden, Arps; Taft Stettinius & Hollister; Troutman Sanders; Vinson & Elkins; von Briesen & Roper; Wachtell, Lipton; Wilmer Hale; Winston & Strawn
Why: Momentum in Legal Vendors
ISO 27001 Certified:
AlphaLit; BigHand; Capital Novus; Complete Discovery Source; Consilio; eMag Solutions Limited; Huron Consulting; Integreon; Intelliteach, Inc.; Kiersted; LDM Global; QuisLex; Renew Data; RVM, Inc.; TechLaw Solutions; Xerox Litigation Services
Working Towards Certification:
Chrome River Technologies; Iris Data Service; NetDocuments; TruShield Security Solutions
Why: ISO 27001 is a superset of frameworks and regulations
[Diagram: ISO-27001/2 as “The Universe of Controls”, encompassing HIPAA, SOX, SOC2, Privacy Laws and NIST / FISMA]
Benefits of ISO 27001
• Security: ISO 27001 specifies a risk-based framework to initiate, implement, maintain, and continuously mature information security within an organization.
• Due Care: ISO 27001 is an internationally recognized, externally certifiable standard.
• Compliance: ISO 27001 can expand to include a wide range of legal, regulatory, and security guidelines and frameworks … and it helps with client audits.
Why: Helps with Client Audits
“…In addition, if your company is in possession of any Information Security certification (e.g. BSI, SSAE 16 CSA CCM, ISO 27001, PCI DSS) or audit reports, please provide them before filling out the questionnaire as they may be sufficient proof of proper Information Security in your company and no further engagement will be required.”
Why get ISO 27001 certified?
Improve Security to Protect Client Interests & Firm Reputation
Demonstrate Due Care
Client and Regulatory Compliance
Introduction to ISO 27001
ISO 27001, Second Edition – 2013 (http://www.iso.org, $130)
“Sister Document”: ISO 27002
Main body (9 pages) – Setting up your System:
1. Scope
2. Normative references
3. Context of the organization
4. Leadership
5. Planning Support
6. Operation
7. Performance Evaluation
8. Improvement
Annex A – Reference controls
• 14 Domains
• 35 Control Objectives
• 114 Controls
The ISMS (Information Security Management System)
[Diagram: ISMS cycle – Scope, Risk Assessment, Treatment, Management Review]
The standard contains 14 domains
Domains – 14; Categories – 35; Controls – 114
Domain (number of controls):
• Information Security Policies (2)
• Organization of Information Security (7)
• Human Resources Security (6)
• Asset Management (10)
• Access Control (14)
• Cryptography (2)
• Physical and Environmental (15)
• Operations Security (14)
• Communications Security (7)
• System Acquisition, Dev & Maintenance (13)
• Supplier Relationships (5)
• Incident Management (7)
• Business Continuity Mgt (4)
• Compliance Internal & External (8)
Example: Security Policies
[Diagram: the 14 domains, with Information Security Policies highlighted]
ISO 27002 (additional detail):
a) access control
b) information classification (and handling)
c) physical and environmental security
d) end user oriented topics such as:
   1) acceptable use of assets
   2) clear desk and clear screen
   3) information transfer
   4) mobile devices and teleworking
   5) restrictions on software installations & use
e) backup
f) information transfer
g) protection from malware
h) management of technical vulnerabilities
i) cryptographic controls
j) communications security
k) privacy and protection of PII
l) supplier relationships
Example: Human Resources Security
[Diagram: the 14 domains, with Human Resources Security highlighted]
A.7 Human resources security
A.7.1 Prior to employment
- Screening
- Terms & conditions of employment
A.7.2 During employment
- Management responsibilities
- Information security awareness, education & training
- Disciplinary process
A.7.3 Termination or change of employment
- Termination responsibilities
ISO 27002 – Screening
Control: Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Implementation guidance: Verification should take into account all relevant privacy, protection of personally identifiable information and employment based legislation, and should, where permitted, include the following:
a) availability of satisfactory character references, e.g. one business and one personal;
b) a verification (for completeness and accuracy) of
Certification details
Who is involved?
- Law Firm: Senior Management; CIO/CSO; DMS/Network/System Administrators; Practice Lead; Human Resources; Legal/Compliance; Physical Security
- Consultant (optional): securitygrc2.com; pivotsecurity.com
- Registrar: bsigroup.org
What does it cost?
- Depends on: Scope; Current gap; Firm capacity for change; Schedule
- Estimate: Consulting ($0 - $80k); Certification ($10k); Ongoing costs ($3k-$5k)
How long does it take?
- Depends on: Scope; Gap; Resource availability; Budget; Client demand; Prior ISO expertise; Willingness for change
- Estimate: 6 – 12 months
  Education & Risk Assessment: 1 – 2 months
  Gap Analysis & Planning: 1 – 2 months
  Remediation: 3 – 6 months
  Certification: 1 – 2 months
Beyond ISO certification
“Keep Coming Back, it Works if You Work it…”
Beyond ISO certification: Realizing IT Operational Maturity
Reactive
• Ad hoc
• Dependent on heroics
Compliance (Required)
• Repeatable
• Limited to IT
• Focus on meeting client inquiries
Management Systems Focus
• Proactive
• Includes Finance, HR, Operations
• Formal risk-based approach to security management
• Continuous feedback and improvement
Risk Integration
• “Best of Class” process
• Fully integrated into overall operations strategy
• Competitive advantage
Beyond ISO certification
Streamlined Assessments & Compliance
Realizing IT Operational Maturity
Beyond ISO certification: Asset Management
CLIENT QUESTIONNAIRE
Q: Do you have a technology asset management policy or program that has been approved by management to maintain inventory of hardware, software, information assets (e.g., databases) and physical assets? Please describe if the program includes periodic asset recertification.
Q: Is there a published and management approved information asset and data classification policy?
Q: Is there a procedure for handling of information assets? If so, is it reviewed at least annually?
ISO/IEC 27001:2013
• A.8.1.1 Inventory of Assets: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
NIST 800-53, Rev 4
• CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
• CM-8 (1) INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATIONS / REMOVALS
• CM-8 (2) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED MAINTENANCE
HIPAA
• § 164.310 (d) (1) Standard: Device and media controls
• § 164.310 (d) (2) (iii) Accountability (Addressable)
Beyond ISO certification: Access Control
CLIENT QUESTIONNAIRE
Q: Do you have a process for granting and documenting access, including access for subcontractors and remote access? List the person(s)/group(s) responsible for granting access. Please describe the process, including any tools utilized.
Q: Do security policies include policies on the creation and management of all types of accounts (e.g., system, user etc.)?
Q: Is there an information security policy that has been approved by management, communicated to appropriate constituents, and has an owner to maintain and review the policy? If so, does the policy contain access control policies?
ISO/IEC 27001:2013
• A.9.1.1 Access Control Policy: An access control policy shall be established, documented and reviewed based on business and information security requirements.
NIST 800-53, Rev 4
• AC-1 ACCESS CONTROL POLICY AND PROCEDURES
• AC-2 ACCOUNT MGT
• AC-3 ACCESS ENFORCEMENT
• AC-3 (1) ACCESS ENFORCEMENT | RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS
• AC-5 SEPARATION OF DUTIES
• AC-6 LEAST PRIVILEGE
HIPAA
• § 164.308 (a) (3) (i) Standard: Workforce security
• § 164.308 (a) (3) (ii) (A) Authorization and/or supervision (Addressable)
• § 164.308 (a) (3) (ii) (B) Workforce clearance procedure (Addressable)
• § 164.308 (a) (4) (i) Standard: Information access management
Beyond ISO certification: Incident Management
CLIENT QUESTIONNAIRE
Q: Do you have documented and tested incident response process and procedures? Please describe if you utilize external intelligence to keep up to date on security incidents (e.g., CSIRT, Bug Track, UNIRES - UK).
Q: Are incident response procedures for information security incidents defined and documented (e.g., network outages, abuse of access privileges)?
Q: Is there an information security policy that has been approved by management, communicated to appropriate constituents, and has an owner to maintain and review the policy? If so, does the policy contain security incident and privacy event management?
ISO/IEC 27001:2013
• A.16.1.1 Responsibilities and Procedures: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
NIST 800-53, Rev 4
• IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES
• IR-5 INCIDENT MONITORING
• IR-8 INCIDENT RESPONSE PLAN
• SE-2 PRIVACY INCIDENT RESPONSE
HIPAA
• § 164.308 (a) (1) (i) Standard: Security management process
• § 164.308 (a) (6) (i) Standard: Security incident procedures
Beyond ISO certification: Supplier Relationships
CLIENT QUESTIONNAIRE
Q: Do you have a process to review subcontractor performance relative to service-level agreements, determine if contractual terms and conditions are being met and evaluate the need for revisions to service-level agreements?
Q: Is there a process to conduct an information security review during contracting due diligence of your potential Vendor(s) that will have access to [CLIENT] data and/or systems?
Q: Do external parties have access to Scoped Systems and Data or processing facilities? If so, is a risk assessment performed on third parties?
ISO/IEC 27001:2013
• A.15.2.1 Monitoring and Review of Supplier Services: Organizations shall regularly monitor, review and audit supplier service delivery.
NIST 800-53, Rev 4
• SA-9 EXTERNAL INFORMATION SYSTEM SERVICES
HIPAA
• § 164.308 (b) (1) Standard: Business associate contracts and other arrangements
• § 164.314 (a) (1) (i) The contract or other arrangement
• § 164.314 (a) (2) (i) (A) Implement administrative, physical, and technical safeguards
Beyond ISO certification
Streamlined Assessments & Compliance
Realizing IT Operational Maturity
Improved Security
ISO Myth #1: It’s just a bunch of documents
ISO Myth #2: It is something we have to do, but it doesn’t actually add value
ISO Myth #3: It requires a huge investment in technology
ISO Myth #4: It is only applicable to “big law”
ISO Myth #5: It is just an “I.T.” thing
ISO Myth #6: It is a waste of time because NIST is coming
ISO Myth #7: I’m a legal vendor. This doesn’t apply to me
ISO Myth #8: It will take years
ISO Myth #9: Clients don’t care about certification
Call to Action
• Get ISO 27001 certified
• Live the process
• Join the industry movement