Editor: How should corporations or law firms qualify service providers’ data security policies and procedures?
Burke: The first thing you want to know about prospective data security consultants is whether or not they are independent, because you want to be sure that they are not locked into solutions, providers, or software that will not have the flexibility to meet the unique needs of your organization. Depending on the type of work you are asking a provider to perform, you may want to look at what certifications they hold, such as the Certified Information Systems Security Professional (CISSP). I also advise clients to ask the prospective consultants to identify their prior engagements with comparable organizations and ask for references from those clients. They should look for evidence of deep experience in cybersecurity and potentially additional certifications in ethical hacking, penetration testing and cyber technology.
Kiersted: Do your due diligence and be certain that providers understand the questions you are asking and that you understand the answers they are providing.
Regarding certifications, keep in mind that there are certified people and there are certified entities, and for each of those there are different certifications. A person gets EnCase certified, and a person gets certified to be an ethical hacker or a CISSP. In the case of ISO 27001 and ISO 27002, organizations are certified. For instance, Kiersted Systems has ISO certification, and we also have employees who hold a number of DoD and other certifications.
Editor: Are law firms also beginning to certify?
Kiersted: There does seem to be a trend toward firms embracing certification for themselves. From the perspective of a vendor who is working with both corporations and law firms this has some interesting ramifications, and it impacts what firms are looking for from their vendors. The law firm wants to make sure that it has adequate security policies and procedures in place, and it is also looking at ISO certification to help with that. The firm, in turn, seeks vendors and service providers that have similar standards in place and certification. These common standards help to foster a successful relationship between firms and vendors.
Editor: In order to ensure success and compliance, who should be in the initial conversations between the corporation and vendors?
Burke: At a minimum you want to include representatives from your organization’s IT, IT security, and legal departments – ideally lawyers who are involved with managing data security risks. The “nice to have” list is longer and includes stakeholders from the organization’s record management, audit, compliance and human resources departments, which are often called upon to search and find employee data. Each has familiarity with the nature and location of key information on the network. Make sure whatever policy changes you institute are not going to inhibit these departments’ processes but improve them.
Kiersted: From the vendor standpoint, it is very helpful to have some clearly defined roles within our structure that distinguish between information security, information technology and the client relationship people. These groups all tend to be involved when potential clients request information about our security or when we need to respond to an RFI or an audit, and depending on the nature of the request and the client’s needs, there may be other stakeholders involved.
Editor: When collecting, sharing and transferring data between corporate locations or with outside vendors, what steps should be taken to protect the data in transit?
Kiersted: That’s a great question, but let’s take a step back and talk about the certification process that surrounds ISO 27001 and ISO 27002, because this really pertains to all the previous questions in some fashion. ISO 27001 mandates the establishment of an information security management system, which concerns policies, standards and procedures. ISO 27002 defines the devices and the manner in which data is secured. Once a corporation is satisfied that the ISO scope meets its needs, it can most easily verify whether the party it is evaluating has the appropriate policies and procedures in place by verifying that the vendor subscribes to these standards and has been certified in them. It means that they have already been audited by a third party and meet certain standards within a specified scope. In our experience, the fact that we have achieved that certification through a third-party audit makes it easier for our law firm and corporate partners to ascertain what we provide; they are more comfortable with our security than if they had to conduct that audit themselves and rely upon their own assessment. There are some practical, very helpful aspects to that kind of external certification. It might not necessarily negate the need for an audit, but it makes it easier to establish whether we can meet their needs. We’ve also found that the information sharing that occurs between certified entities benefits the management of the whole security profile.
Editor: That’s an excellent point, and I’m curious – from your standpoint, Patrick, when you know a vendor is ISO certified, does that reduce the number of people that need to come to the table in initial conversations to evaluate the vendor, or is it still important that everyone you mentioned is there?
Burke: It depends on the particular project, but you do want to make sure that all the important stakeholders involved in the technologies affected are represented. A CIO can make that determination and can also provide some useful insights about questions like data transfers.
As to protecting data transfers – at a minimum, you want to make sure that any data that you’re transferring is encrypted so that if it’s lost or hacked in any way during transfer, the data itself will be unreadable. If the transfer involves very small amounts of data, using an online transfer method like FTP (File Transfer Protocol) can shore up security well (again, best to transfer encrypted data). For large amounts of data that might require significant loading time via FTP, however, you want to consider sending the encrypted data on media such as a hard drive, CD or DVD by a carrier that is security conscious enough for that circumstance. Sending encrypted data by FedEx may work in most cases, but if the data is extremely sensitive, you may want to consider using a special carrier or an employee to physically transport the media.
Editor: What do you suggest corporations and vendors do to secure backups at outside vendors, including cloud providers?
Burke: Physical backups need to be secured, and if data is going to be transported, you need to make sure that there’s sufficient security and encryption. With cloud providers, the challenge is that you are placing your data in a system that you do not control, so it’s important for both your legal and technical experts to review exactly what technology the cloud provider applies in terms of data security and search and retrieval capabilities and to carefully negotiate any contract involved to ensure, among other things, that the data will remain secure and encrypted. Agreements should clearly state that the organization is entitled to promptly retrieve its data in the event of a contract dispute with the cloud provider.
Editor: So, it’s important to know the physical location of your data?
Burke: Yes. It’s important because it can have legal ramifications, particularly in terms of data that is held by cloud providers that have facilities around the globe. Those facilities may be in jurisdictions that have security risks or privacy mandates that can affect your use of the data or retrieval of the data when it is sent back to the United States.
Physical location should also be a factor when determining who controls data encryption. Ideally the organization should control its encryption within a cloud environment. One concern, particularly for European companies, is that when data is kept in a cloud hosted in the United States, American law enforcement and intelligence services may be able to gain access to that data. If the cloud provider is holding the key to the encryption, then the U.S. government can ask them to decrypt it for them. If, however, the encryption is controlled by the organization that owns the data, the organization can more effectively safeguard its data against privacy violations.
Editor: What do you suggest a corporation or law firm do to secure its networks and prevent data breaches and unauthorized access?
Burke: As with most data challenges, the solution requires people, process and technology. Organizations that have yet to introduce up-to-date security systems can no longer afford to wait. Customers and clients are demanding secure environments. Organizations can tighten up their policies and procedures by educating employees in the day-to-day aspects of data security and by training them in how to strengthen passwords and avoid phishing exploits.
Editor: Is there a rule of thumb regarding how often a corporation or law firm should be revisiting and revising its data security policies?
Kiersted: We don’t look at our policies as immutable. Our rule of thumb is to remain flexible and be ready for change as the need arises.
There are always going to be new challenges, and the effects are not always readily visible. If somebody breaks into your house and steals your TV, you recognize the damage the moment you get home, but with infractions of a cyber nature, the damage is not always readily known. Kiersted is working closely with its clients to share experiences and knowledge about security-related problems, such as exchanging attack IP addresses or attack profiles. We are also part of InfraGard, which exchanges critical security-related information between government and private industry.
Burke: I’d add that the BYOD trend has created new data breach vulnerabilities for corporations and law firms to contend with. Increasingly, more of the control needs to extend outside of the office environment. Earlier this year, the federal government issued the NIST Cybersecurity Framework, which provides a structure that organizations can adapt to their own environments and risk profiles. It’s a good way to look at the issues. It’s always worthwhile for an organization to evaluate the relative maturity of its data-security stance in relation to other comparable organizations.
Lawyers have an ethical duty to understand technology sufficiently to properly advise their clients – or to engage an expert who has that understanding. Corporations and other organizations should be sure their vendors, including outside counsel and technical consultants, buy in on their organization’s focus on improving data security. The appointment of a chief information officer, with a broader mandate than a chief information security officer, is a step that many corporations and some law firms are taking to ensure that data is kept both accessible and secure.
Published September 25, 2014.