SECURITY CONSIDERATIONS FOR LAW FIRMS
Enterprise Risk Management
  Professional consulting firm that specializes in cyber security
  Founded in 1998 in Miami, Florida
  Serves more than 150 clients, locally, nationally, and internationally
  Serves the private and public sectors
  Serves more than 12 different industries
  www.emrisk.com
Speaker
  Silka Maria Gonzalez
  President and Founder - Enterprise Risk Management
  Prior Experience: Price Waterhouse, Assurant, Diageo PLC
  30 years of experience in the field of cyber security
Speaker Education
  Massachusetts Institute of Technology - Entrepreneurial Masters Program
  Florida International University - Master of Accounting Information Systems
  Xavier University - Bachelor of Science, Computer Information Systems; Bachelor of Arts, Accounting
Speaker Certifications
  Certified Public Accountant (CPA)
  Certified Information Systems Security Professional (CISSP)
  Certified Information Systems Manager (CISM)
  Certified Information Systems Auditor (CISA)
  Certified Information Technology Professional (CITP)
  Certified in Risk and Information Systems Control (CRISC)
  Payment Card Industry Qualified Security Assessor (QSA)
Agenda
  Lawyers' Responsibilities
  Security Problem
    General
    Lawyers
  Logical Security
  Physical Security
  Administrative Security
  New Technologies and New Trends
  Questions and Answers
LAWYERS' RESPONSIBILITIES
Lawyers' Responsibilities
  Ethics rules require lawyers to protect the confidentiality of clients' information
  New ethics advisory opinions regarding new technologies
  Responsibility to obtain training and understanding of new information systems technologies and risks
  Responsibility to evaluate information systems and security risks and manage such risks
Florida Bar Ethics Opinion 10-2 - Devices that Contain Storage Media
  Lawyers must take reasonable steps to ensure that confidentiality is maintained, including:
    Identification of potential threats to confidentiality, such as unauthorized access
    Development and implementation of policies to address the potential threats to confidentiality
    Keeping abreast of changes in technology to identify new threats to confidentiality
Florida Bar Proposed Ethics Opinion 12-3 - Cloud Computing
  Cloud computing is permissible as long as the lawyer adequately addresses the potential risks associated with it.
  Lawyers have an ethical obligation to understand the technology they are using and how it potentially impacts the confidentiality of information relating to client matters.
  Lawyers should consider whether to use additional security in specific matters in which the lawyer has proprietary client information or other particularly sensitive information.
Ethics Opinions throughout the United States
  Multiple State Bars have issued ethics opinions regarding cloud computing and similar technology.
  Lawyers must exercise reasonable care.
  Lawyers must educate themselves and determine what safeguards are sufficient, depending on:
    the level of sensitivity of the client information, and
    evolving technology and threats.
Ethics Opinions throughout the United States
  State Bars with opinions on cloud computing or similar technology:
    Alabama, Arizona, California, Iowa, Maine, Massachusetts, New Hampshire, New Jersey, New York, North Carolina, Oregon, Pennsylvania, Vermont
SECURITY PROBLEM
Security Problem
  Global and large
  Affects everything
  Increasing and growing in complexity
  Lack of awareness and understanding
  Ignored or not addressed properly
  Impact can be extensive
Security Attacks Source: IBM Security Services Cyber Security Intelligence Index June 2013
Categories of Incidents Source: IBM Security Services Cyber Security Intelligence Index June 2013
Categories of Attackers Source: IBM Security Services Cyber Security Intelligence Index June 2013
Attacker Motivation Source: IBM Security Services Cyber Security Intelligence Index June 2013
How Breaches Occur Source: IBM Security Services Cyber Security Intelligence Index June 2013
Some Major Sources of the Problem
  Inadequate configurations
  Malware
  Hacking
  Social engineering
  Physical issues
  Opportunistic situations
Security Problem
  Law firms are vulnerable
  Firm's client information
  Firm's information
  Security breaches
  Fraud
  Lawsuits
  Reputational damage
  Financial losses
Security Problem
  In November 2011 the FBI met with top law firms in New York to address the growing number of cyber attacks on law firms
  While financial institutions and corporations have strengthened cyber security, law firms remain easier targets
  Law firms hold valuable client information
  Example: Hackers began hitting several law firms; the hackers were looking for information regarding a $40 billion acquisition deal
LOGICAL SECURITY
Logical Security Logical security covers the protection of information assets using different types of automated mechanisms. Logical security refers to technical and automated security controls within computer information systems and software. Logical security focuses on systems, configurations, timely updates, monitoring, and remediation. Strong logical security applies the principle of defense in depth.
Key Elements of Information Security
  Confidentiality: Prevention of intentional or unintentional unauthorized disclosure of a message's contents. Loss of confidentiality can occur in many ways, such as through the intentional release of private company information or through the misapplication of network rights.
  Integrity: Ensuring that modifications are not made to data by unauthorized personnel or processes, and that unauthorized modifications are not made to data by authorized personnel or processes.
  Availability: Ensuring reliable and timely access to data and computing resources by the appropriate personnel.
Security Components Relationship (diagram)
  A threat agent gives rise to a threat.
  A threat exploits a vulnerability.
  A vulnerability leads to a risk.
  A risk can damage an asset.
  A damaged asset causes an exposure.
  An exposure can be mitigated by a safeguard.
  A safeguard directly affects the threat agent.
Logical Security - Network Layer Components:
  Firewalls
  Routers
  Switches
  IDS/IPS
Logical Security - Network Layer Components:
  Virtual Private Networks (VPNs)
  Wireless
  Mobile
Logical Security - Computer Systems Layer Components:
  Operating systems
  Application systems
  Database systems
  Email systems
  Backup systems
Logical Security - Computer Systems Layer Components:
  Imaging systems
  Anti-virus systems
  Anti-malware systems
  Security systems
  Logging and monitoring systems
Some Logical Security Issues
  Inadequate network design and segmentation
  Inadequate configurations of systems
  Lack of system updates or patches
  Inadequate user access controls
  Inadequate resource access controls
Some Logical Security Issues
  Data integrity can be compromised
  Data confidentiality can be compromised
  Inadequate logging, monitoring, and follow-up
  Inadequate control of data leakage
  Improper control of data outside the organization
Key Considerations for Logical Security
  Adequate design and segmentation of networks
  Adequate security policies, standards, and procedures
  Adequate system configurations
  Periodic upgrades and patching
  Adequate user access controls
  Adequate resource access controls
Key Considerations for Logical Security
  Proper logging, monitoring, review, and retention
  Proper use of encryption
  Qualified and trained security professionals
  Proper use of on-going automated tools
  Performance of periodic security reviews
  On-going remediation
PHYSICAL SECURITY
Physical Security
  Physical security covers the protection of information assets using different physical mechanisms.
  Physical security addresses both human-caused events, such as human error and misappropriation of assets, and natural disasters.
  Strong physical security applies the principle of defense in depth.
Physical Security
  Parking
  Building
  Visitors
  Offices
  Computer rooms
  Telecommunication/wire rooms
  Sensitive areas
  Storage media
Physical Security
  Access card systems
  Alarm systems
  Surveillance systems
  Windows
  Doors
  Gates
  Locks
  Boxes
  Documents
Physical Security
  Mobile devices
  Printer and fax areas
  Filing cabinets
  Garbage
Some Physical Security Issues
  Unauthorized access to the organization, sensitive areas, and sensitive data
  Theft and misuse of organizational data
  Gaining physical connections to the internal network in order to access information logically from outside locations
  Gaining access to law firms' clients' networks and data
Key Considerations for Physical Security
  Adequate policies, standards, and procedures
  Adequate access controls to key areas
  Use of proper encryption mechanisms
  Limit of data usage via mobile devices
  Adequate configuration of systems
  Adequate user access controls
Key Considerations for Physical Security
  Adequate resource access controls
  Proper logging, monitoring, review, and retention
  Qualified and trained security professionals
  Performance of periodic security reviews
  On-going remediation
ADMINISTRATIVE SECURITY
Administrative Security Administrative security covers organizational aspects, management directives, and overall governance considerations. Administrative security covers the softer side of information security.
Administrative Security
  Organizational structure
  Security function
  Information security personnel
  Information security program
  Information security policies
  Information security standards
  Information security procedures
Administrative Security
  Security administration
  Security training and awareness
  Security incident response
  Business continuity planning
  Periodic security reviews and remediation
  Use of automated tools
Key Decision Makers
  Key decision makers should:
    Be involved in the information security process
    Set policies and strategies
    Provide resources for information security
    Assign responsibilities to management and set priorities
NEW TECHNOLOGIES AND NEW TRENDS
New Technologies
  Mobile device technologies
  Wireless technologies
  Cloud computing technologies
  New security software tools
  Email channel protection
Social Engineering
  Exploit the weakest link in information security: people.
  Why go technical when you can manipulate people into divulging the information?
  People are basically helpful by nature.
  Exploit the human hardware bugs.
  Organizations spend large amounts of money on information security infrastructure and yet fall prey to the oldest tricks in the book.
  That reassuringly expensive firewall is of no use if the human firewall is weak.
  Security is only as strong as the weakest link.
Contact ERM
  Phone: 305.447.6750
  E-mail: info@emrisk.com
  www.emrisk.com