Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. This week, our attorneys will be writing about specific examples of those services.
BakerHostetler lawyers have helped hundreds of businesses and other organizations respond to security incidents each year, many of which lead to regulatory investigations, class action lawsuits, or both. We see hundreds of examples of what went wrong and how regulators and plaintiffs’ attorneys react. Increasingly, as clients recognize the likelihood that they will face an incident, they seek to leverage our security incident response experience to help develop a strategic and focused approach for managing their risks and vulnerabilities. Our risk assessment team, which includes lawyers with Certified Information System Security Professional (CISSP) credentials, works to develop efficient and cost-effective plans to help organizations improve their chances of avoiding data breaches and be better prepared to more quickly detect and contain them if they do occur. We have developed solutions that range from immediate assessments and remediation to phased approaches that incrementally improve a company’s risk profile in a budget-conscious way.
How Should Risk Assessments Be Conducted?
It is critical to employ industry standards, such as ISO 27001-27002 and NIST SP 800-53, to determine how data security measures can be strengthened. We then use our insight into how regulators will evaluate a company after a breach occurs, and into what other organizations are doing to protect their data, to help prioritize remediation efforts. As part of this process, we interview key managers and review written information security policies and procedures to ensure they address the critical issues that matter to regulators. We team with technical consultants to scan organizations’ computer networks to identify vulnerabilities, such as unpatched software and software configuration errors, that can provide access points for attackers.
Every risk assessment should consider these issues:
- Workstation, laptop, and mobile device security;
- Network security;
- Security personnel responsibilities and authority;
- Access control measures;
- Outside service providers’ security measures and commitments;
- Secure system planning, acquisition, development, and maintenance;
- Data security incident management; and
- Security awareness training.
What Deliverables Should Companies Seek?
The deliverables ultimately depend on the purpose of the risk assessment. Is the purpose of the assessment to comply with a law or regulation? Is it to identify vulnerabilities that can then be corrected in order to obtain a “clean bill of health”? We prepare executive briefings that summarize our findings and recommendations, followed by more detailed reports that include the observations on which our conclusions are based. A benefit of using a law firm is that our recommendations are subject to attorney-client privilege. We provide in-depth vulnerability scan reports that list network and endpoint vulnerabilities and prioritize them according to the severity of the risks they present. We identify immediate steps organizations can take to eliminate easy-to-fix security flaws. We provide prioritized recommendations for additional changes that should be made and help put in place a risk mitigation plan, which is just as critical as the risk assessment itself. We estimate both the initial and ongoing costs of the changes we recommend.
We identify the security measures that regulators consider fundamental, whose absence will result in an investigation if a security incident occurs because an organization failed to implement them. We encourage organizations to appropriately prioritize the security tools and practices the Federal Trade Commission (FTC) has identified, through more than 50 enforcement actions, as required elements of a reasonable security program, such as: user authentication, access control measures, encryption, intrusion detection monitoring, software updating and patching, security education and awareness training, secure data retention and disposal, management of third-party service providers, and incident response preparedness.
We recognize that deploying measures to meet FTC “hot button” issues and implementing other basic security measures are necessary but insufficient. We also understand that “best practices” standards, including SANS Top 20, NIST SP 800-53, and ISO 27001-27002, are expensive to satisfy completely. Flexibility in approach, therefore, is key. For organizations that strive to implement best-available security practices, we may recommend that they continue to use standard security measures but that they also implement network security monitoring to defeat any attackers who gain access to their networks.
How Organizations Benefit
Chief Information Officers and security managers can use our findings and recommendations to better protect sensitive information. If the measures we recommend are implemented, they should reduce the risk that organizations will experience a data breach and the regulatory, litigation, financial, and reputational harms such breaches cause. Our suggestions regarding incident response procedures help organizations respond more quickly and effectively when data breaches occur. Our prioritized recommendations and cost estimates help organizations plan longer-term steps to continue to improve information security and to show that the company took a thoughtful approach to managing its risks.