Information Security Why It Can’t Be ‘Just An IT Problem’ #LegalSEC


• Introductions

• Reasons security can’t be an IT problem

• Strategies for transforming the view of InfoSec

• Questions/Discussion

• #LegalSEC

Agenda

• Adam Carlson

• 10+ years in information security

• M.S. from UC Davis, ISACA CISM

• Security researcher studying Internet threats

• Security auditor for financial services/Fortune 500

• Chief Security Officer at UC Berkeley

• Legal IT security consultant

• Currently security solutions consultant at IntApp

Introductions

• Smart people say so

• FISMA

• ISACA

• ISO 27001/27002

• NIST 800-30

• FFIEC

• Strategic decisions involved in risk management

• Some problems are simply not IT-related

• Evolving threat patterns

• Cultural implications of improving defenses

So Why Can’t It?

• People, processes, and technology protecting information and information systems from unauthorized access, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Source: Federal Information Security Management Act of 2002

What Is Information Security

“Until recently the focus of [information security] has been on the IT systems that process and store the vast majority of information rather than the information itself. But this approach is too narrow to accomplish the level of integration, process assurance and overall security that is now required.” (page 9)

ISACA CISM Review Manual

“IT security addresses the security of the technology and is typically driven from the CIO level. Information security addresses the universe of risks, benefits and processes involved with information, and must be driven by executive management and supported by the board of directors.” (page 9)

ISACA CISM Review Manual

“Generally, executive management looks to the information security manager to define the information security program and its subsequent management. Often the information security manager is also expected to provide education and guidance to the executive management team. As opposed to being the decision maker, the information security manager’s role in this situation is often constrained to presentation of options and key decision support information; in other words, an advisor.” (page 223)

ISACA CISM Review Manual

Risk Governance Objectives

“In the end, the senior management team is liable for the impact of the risk faced by the enterprise and bears the responsibility to ensure that it is provided ongoing risk assessment results, monitors the risk environment and mandates corrective action where the risk levels are not within acceptable limits” (page I-F-2)

ISACA CRISC Review Manual

• 4.2 Establishing and managing the ISMS

• 4.2.1 (b) Define an Information Security Management System (ISMS) policy in terms of the characteristics of the business, the organization, its location, assets and technology that:

• …

• (5) has been approved by management.

ISO 27001

• 5 Management Responsibility

• 5.1 Management shall provide evidence of commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by:

• a) Establishing an ISMS policy

• b) Ensuring that ISMS objectives and plans are established

• c) Establishing roles and responsibilities for information security

ISO 27001

• (5.1 cont.)

• d) Communicating to the organization the importance of meeting information security objectives….

• e) providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS

• f) deciding the criteria for accepting risks and the acceptable levels of risk

• g) ensuring that internal ISMS audits are conducted

• h) conducting management reviews of the ISMS

ISO 27001

• “Critical success factor for successfully implementing an information security program: c) visible support and commitment from all levels of management” (page x)

ISO 27002

“…the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.” (Page 1)

NIST 800-30

IT Risk Management Process:

“IT controls result from an effective risk assessment process. Therefore, the ability to mitigate IT risks is dependent upon risk assessments. Senior management should identify, measure, control, and monitor technology to avoid risks that threaten the safety and soundness of an institution.”

FFIEC IT Examination Handbook

• Risk = Likelihood x Impact

• IT is an expert on only half of that equation (likelihood); the other half (impact) belongs to the business

• Can IT really decide…

• how a breach would impact client relationships?

• how much the firm’s reputation is worth?

• the effect downtime would have on revenue?

• the importance of security to business development opportunities?

• whether the firm should be risk tolerant or risk averse?

Strategic Implications

• Security takes resources

• IT rarely has unilateral budget authority

• Knowing what to do ≠ Being able to do it

• Stealing from IT to pay for security is self-defeating

• “Let’s buy an IDS instead of replacing aging servers”

• Need risk-based investments

• If the business is at high risk, money must be allocated

“Can I Have A Blank Check Please?”

• A Firewall Won’t Stop These Problems

• Weak or easily guessed passwords

• Insecure personal devices

• Unauthorized use of outside cloud services

• Lost paper records

• Inadvertent disclosures

• Social engineering attacks (spear phishing)

• Need to change behavior

Money Isn’t Always The Answer

Hacked Because Of Employees

• “… the largest growth area for targeted attacks in 2012 was businesses with fewer than 250 employees; 31 percent of all attacks targeted them.” (Source: Symantec Internet Security Threat Report 2013)

• Between February and September 2012 91 percent of targeted attacks involved spear phishing. (Source: Trend Micro Report: “Spear-Phishing Email: Most Favored APT Attack Bait”)

Individuals Increasingly Targeted

• "We have hundreds of law firms that we see increasingly being targeted by hackers”

• -Mary Galligan, FBI security expert at LegalTech New York 2013

• LegalSEC 2013 Keynote: Cybercrime and Legal Security

• -Eric Brelsford, FBI Chicago

• June 13, 2013 Lombard Illinois

• Session agenda now up!

Law Firms “Increasingly Targeted”

No Hacks Needed

• Legal industry is rich with culture

• Security protections can cause “friction”

• Security training is “expensive”

• Need a culturally-aligned strategy

• Only management can change culture

“Culture Eats Strategy For Breakfast”

• Resource allocation and the need for “defense-in-depth”

-Carlos Rodriguez, LegalSEC Extraordinaire

• “BYOD”

-Judi Flournoy, Chair of the LegalSEC Initiative

• “Physical record access and segregation; Tailgating; clean desk policy / enforcement”

-Tim Golden, Chair of the LegalSEC Maturity Model Team

• “Document destruction policies.”

-Bob Dubois, ILTA Advisory Board LegalSEC Liaison

Issues Difficult For Legal IT

• Build a successful information security program

• Establish information security as a business problem

• Get support from management

• Develop a pragmatic plan of attack

So What Do We Do About This?

• Develop InfoSec strategy aligned with business goals

• Align security strategy with corporate governance

• Develop business cases justifying investment in InfoSec

• Identify legal and regulatory requirements

• Identify drivers affecting the organization

• Obtain senior management commitment

• Define roles and responsibilities

• Establish internal and external reporting channels

ISACA CISM Governance Steps

• Focus On What Matters To Your Firm

• Market competition

• Business development opportunities

• Client audits

• Reputation risk

• Costs associated with a data breach

• Professional responsibility

• Regulatory requirements

• Business continuity

Aligning With Business Goals

• Impacts rather than threats (aka money!)

• Goofus: “BYOD is terrible because those devices are not protected and they might be lost or stolen.”

• Gallant: “If a lawyer in the healthcare practice puts matter information on their personal device and that device is lost, the firm may be exposed to seven figure fines.”

Remember What Matters To Them

• No one trusts Chicken Little

• Goofus: “If we don’t mandate security awareness training for our lawyers, we will definitely get hacked.”

• Gallant: “Current information security trends show an increasing need for security awareness training. If we do not offer some type of awareness training, we may be more exposed than our peer law firms.”

Be Realistic, Not Sensationalistic

• Acknowledge information security is not a science

• Cite statistics and experts when possible

• Explain how things have changed

• Don’t be afraid to admit you don’t know

• Reference peers and LegalSEC

• Remember it is their money

• Don’t try to argue with a lawyer

Embrace Skepticism

• You won’t get everything you want

• You can’t do everything at once anyway

• If you get their attention don’t waste it!

• What do you need right now?

• Management input

• Time

• Money

• Help

Have A Plan Not A Wish List

Tim Golden, McGuire Woods:

“Focus on achievable small steps. Those are the ones that prove to the team that they can move the ball forward and prove to your management that the team can take on larger initiatives.”

Start Small, Prove Success

• Even if you don’t need input now, you will eventually

• Identify willing stakeholders

• Managing partner

• Legal administrator

• General counsel

• Practice heads of security-focused practices

• Risk managers

• Engage them before you need something

Create A Forum

• Information Security Can’t Be All IT

• Responsibility Without Authority

• IT is responsible for…

• lawyer behavior but can’t set policy

• tech infrastructure but can’t set budget

• risk evaluation but isn’t given the business information to do it

• strategic alignment but isn’t in the strategy meetings

• Break the cycle!

Conclusion

• Thanks for joining us today!

• Continue the discussion

• #LegalSEC

• @ajcsec on twitter


Questions/Comments