protecting accounting firms and their clients - eric vanderburg - jurinnov
DESCRIPTION
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovTRANSCRIPT
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
Protecting Firms and their Clients The Role of the
Virtual Chief Security Officer
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
2
Welcome
1. Cyber Threats: Real World Examples• Breach• Non-compliance
2. Cybersecurity Maturity: Where is Your Firm?
3. Virtual Chief Security Officer (CSO)
4. Q&A
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
3
Protecting Firms and Their ClientsThe Role of the Virtual Chief Security Officer
Janet A. Gosche
Chief Strategy & Operations Officer
Janet leads JurInnov’s business operations and supports the managed services practice. Janet honed her skills at Accenture, the global management consulting, technology services and outsourcing company, where she spent 25 years helping clients improve their business operations and results. During this time, Janet was a pioneer in Accenture's emerging outsourcing practice. She is an alumni member of the FBI Citizens’ Academy. She taught experienced professionals for Accenture and was a Covey Principle Centered Leadership facilitator.She currently coaches students at the Baldwin-Wallace Center for Innovation and Growth and Mathematics Department.
Baldwin-Wallace College 1978-82
Bachelor of Science in Mathematics
Magna Cum Laude, General Honors
Honors in Economics
Timothy M. OpsitnickFounder and General [email protected]
Tim founded JurInnov in 2000. He is at the forefront of practitioners addressing issues involved in the security and discovery of electronically stored information. His consulting practice focuses on electronic discovery, information governance, cybersecurity, computer forensics, and cloud-based document management systems. His clients include United States and international law firms and companies. He has also conducted numerous continuing legal education seminars regarding electronic discovery, cybersecurity, and other technology issues. In addition, he has served as a court-appointed Special Master and as an expert witness. Finally, he was with the law firm of Jones Day from 1986 until 2000, where he was a member of the Litigation and Product Liability sections. His practice concentrated in the management of complex, multi-district litigation.
Ohio Wesleyan University, 1978-82Bachelor of Arts, Political Science and Psychology
Phi Beta KappaCase Western Reserve University, School of Law, 1982-85
Eric A. VanderburgDirector, Information Systems and Security
Eric joined JurInnov in 2006 and leads the company’s information systems and security team. Eric holds more than 30 certifications in networking and systems engineering, including Certified Information Systems Security Professional, Holistic Information Security Practitioner, and Certified Wireless Security Professional. He has been invited to speak at many organizations and campuses on technology and information security and has published more than a dozen technical articles. Most recently, he was a professor of computer networking at Remington College where he taught courses on information security, database systems, and computer networking. He is also an Adjunct Professor of Computer Information Systems at Lorain County Community College.
Doctor of Information Assurance (Exp. 2013)The University of Fairfax, Vienna, Virginia
East Asian Studies (Non-degree)Kansai Gaidai University, Osaka, Japan
MBA with an Information Systems ConcentrationKent State University, Kent, OhioBachelor of Science, TechnologyKent State University, Kent, Ohio
Assoc of Applied Business, Computer Information SystemsLorain County Community College, Elyria, Ohio
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
4
How Do You Measure Success?Risk Management and Compliance Areas (U.S. and Global)
• Anti-money laundering (AML)• Bribery / FCPA / UKBA• Business ethics• Code of business conduct• Competition / antitrust• Country law• CYBERSECURITY• Department of Transportation (logistics distribution /
reverse distribution)• Environmental• Employment compliance (wage and hour / facility
accessibility)• Employment practices / workplace rights• Export controls / ITAR / dual use technology / military
use technology• Financial services, banking, insurance• Food safety / labeling• Government relations
• Import / customs• Information protection• Intellectual property• Licenses and permits• OSHA (health and safety)• Product stewardship / product safety• Pharmacy and health services• Privacy• Records and information management• Securities law (including insider trading, Dodd
Frank)• Supply chain / conflict minerals• Third party management• Trade sanctions / Office of Financial Assets Control
(OFAC)• Government boycotts / Bureau of Industry and
Security
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
5
CPAs must take steps to mitigate cybersecurity risk
“CPAs, their organizations, and their clients should be aware thattheir data and computing resources are exposed to a growing
web of cybercriminals and malicious software designed topenetrate cybersecurity defenses”
Why? – a host of reasons, including….» Cybercriminals have the technology» They are organized» You have mobile devices
• April 29, 2013By Jeff Drew
Jeff Drew, CPA Insider, AICPA Newsletter April 29, 2013
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
6
CPAs Prioritize Tech Security
Many not confident that their organization is handling the task appropriately
Top Tech Priorities 20121. Securing the IT environment (62%) 2. Managing and retaining data (61%) 3. Managing risk and compliance (65%) 4. Ensuring privacy (62%) 5. Leveraging emerging technologies (34%) 6. Managing system implementation (52%) 7. Enabling decision support and managing performance (46%) 8. Governing and managing IT investment/spending (56%) 9. Preventing and responding to fraud (60%) 10. Managing vendors and service providers (56%)
Jeff Drew, Journal of Accountancy, May 2012
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
7
Your Clients are Taking the Lead – Are You?
Audit committee chairs and cybersecurity experts agree“that the audit committee should take the lead in
elevating cybersecurity as a key enterprise risk priority.”
BoardMatters Quarterly, April 2013
• Clarify cybersecurity roles and responsibilities within the executive team.
• Establish metrics to adequately assess cybersecurity.
• Meet regularly with the IT expert on the external audit team.
• Make sure internal audit has the appropriate skills.
• Confirm that due diligence processes incorporate cyberrisk assessments.
• Recruit technology experts to join the board.
• Engage “ethical hackers.”
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
8
Is There a False Sense of Security?
Some might be able to withstand a security breach.“Your average accounting firm cannot.
Accountants and tax preparers …store all of the information that data thieves most want to obtain…”
BoardMatters Quarterly, April 2013
73% believe they are protected…
62% confident employees were aware of company’s formal Internet security policies.
77% feel their companies are safe from cyberthreats.
77% describe strong cybersecurity and online safety posture a positive for their brand.
HOWEVER… 83% have no formal cybersecurity plan.
87% do not have a formal written Internet policy for employees.
75% have no social media policy governing employee behavior.
59% have no contingency plan how to respond and report data breach losses.
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
9
Data Breaches Grow in Number and Scale
“This past year saw major hacks at:– Zappos (24M customer accounts)– Statfor (private U.S. intelligence firm; 5M e-mails)– Global Payments (1.5M credit card numbers)– LinkedIn (6.5M passwords)– eHarmony (1.5M passwords)– Yahoo (0.5M passwords)– Nationwide Mutual (1.1M customer accounts)– Wyndham Worldwide (600K credit card numbers)
Cyber-security and Data Privacy Outlook and Review: 2013, Gibson, Dunn & Crutcher, 04/16/13
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
10
Data Breaches Grow in Number and Scale
“This past year saw major hacks at:– Zappos (24M customer accounts)– Statfor (private U.S. intelligence firm; 5M e-mails)– Global Payments (1.5M credit card numbers)– LinkedIn (6.5M passwords)– eHarmony (1.5M passwords)– Yahoo (0.5M passwords)– Nationwide Mutual (1.1M customer accounts)– Wyndham Worldwide (600K credit card numbers)
…many large organizations reported that security breacheswere caused by their own staff, most commonly through
ignorance of security practices.”
Cyber-security and Data Privacy Outlook and Review: 2013, Gibson, Dunn & Crutcher, 04/16/13
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
11
What are Cybercriminals After?
Access to:– Financial information– Tax information– M&A documents– Intellectual property– Client correspondence– Possible litigation claims
Business disruption of:– Calendar system– Billing system– Website
Why?– Money– Political motives– Sport
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
12
2013 HIPAA Omnibus Rules
Accounting firms having contact with PHI must revisit policies, practices, enforce information security controls, protect confidential info, monitor workforce info access, track compliance.
Is this new news? Confirm the inpact?
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
13
“Improving Critical Infrastructure Cybersecurity”Executive Order, Federal Register 13636: February 19, 2013
WASHINGTON (Reuters) - U.S. President Barack Obama on Tuesday signed an executive order seeking better protection of the country's critical infrastructure from cyber attacks that are a growing concern to the economy and national security.
Reuters, 02/12/13
"We know hackers steal people's identities and infiltrate private e-mail.”
“We know foreign countries and companies swipe our corporate secrets.”
“Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”
“Cyber threat is one of the most serious economic and national security challenges we face as a nation.”
“America's economic prosperity in the 21st century will depend on cybersecurity.”
We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.“
U.S. President Barack Obama, State of the Union Speech, 02/12/13
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
14
U.S. Cyberspace Policy Review Near Term ActionsWhat are Yours?
1. Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities.
2. Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure.
3. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.
4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
5. Conduct interagency-cleared legal analyses of priority cybersecurity-related issues.
6. Initiate a national awareness and education campaign to promote cybersecurity.
7. Develop an international cybersecurity policy framework and strengthen our international partnerships.
8. Prepare a cybersecurity incident response plan and initiate a dialog to enhance public-private partnerships.
9. Develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure.
10. Build a cybersecurity-based identity management vision and strategy, leveraging privacy-enhancing technologies for the Nation.
Executive Order, “Improving Critical Infrastructure Cybersecurity,” Federal Register 13636 (02/19/13)
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
15
Cybersecurity Maturity: Where is Your Organization?
Ad Hoc
Developing
Practicing
OptimizingLeading
Elements of Effective CybersecurityCulture of SecurityLegal RequirementsTraining and EducationPolicy, Procedure and ControlsMonitor and AuditingResponse and DocumentationInformation ManagementAccountability
• Informal• Reactive• Inconsistent performance
• Likely repeatable• Some consistency• Lacks rigorous process discipline
• Defined controls• Documented standards• Consistent performance
• Effective controls• Uses process metrics• Targeted improvement
• Integrated strategies• Innovative changes• Seamless controls
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
16
Security vs. Compliance?
If I am compliant, am I secure?maybe
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
17
Security vs. Compliance?
If I am compliant, am I secure?maybe
If I am secure, am I compliant?maybe……
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
18
Compliance and Security
“We start with the principle that saysbuild a good program, do the right things [in terms of]controls that are appropriate for your enterprise and
at the end of that process you [say]what have we missed from a regulatory perspective and
what do we need to do and you close those gaps.
You don’t start [by] saying what does the regulation say I must do…That can be an issue in the financial services industry because
unfortunately too often people [let] external regulators tell them what they should be doing
rather than construct a good program themselves.”
Michael Barrett, PayPal CISOInterview at the RSA Conference, April 24, 2013
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
19
How Do You Know Where You Stand?
• How does your leadership team make and implement decisions about information
security?
• Do lawyers and support staff know and understand your security policies?
• Are they disciplined in their daily behaviors?
• Are mobile devices and small digital media secure?
• Do you know everyone who has access to your systems (network, physical, etc.)?
• How would you know if an unauthorized person accessed sensitive data?
• Are you certain that you can recover from an unexpected loss?
• Have your applications been tested from a security viewpoint?
• Are your third party service providers secure?
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
20
Who is Responsible for Security?
EveryoneKnow how to confidently use workplace technology without
compromising sensitive data or hindering efficiency
Information Technology TeamKnow the risks and the technical controls that can mitigate those risks
But, there is more…..
today’s threat layers of defense
malware social engineering
email/web safety physical security
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
21
Who is Responsible for Executive Leadership and Decisions?
Chief Security OfficerIdentifying data risks and making informed decisions on how to handle those risks.
Understanding how to respond to a breach so it is contained, resolved and documented.
Prioritizing the most vital cybersecurity policies and procedures; overseeing their implementation and ensuring awareness and adherence.
Understanding and overseeing data classification and ownership.
Approving access to critical data.
Being aware of and ensuring existing and new regulatory requirements are followed.
Ensuring awareness of and adherence to ethical obligations.
Periodically evaluating the security of vendors and ongoing vendor oversight.
Stewarding a secure information culture embedded in the organization’s strategy, with a focus on continuous improvement.
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
22
CSO – a Strategic Thinker
“…Information security executives need to be strategic thinkers,
understand the underlying technologies,
and be able to calmly and practically assess evolving scenarios.
Most security challenges occur at the intersection of
people, process and technology.”
George Baker, Help Net Security, June 17, 2013
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
23
But, the Reality
Many organizationsdo not need,
cannot afford, and cannot retain
a full-time Chief Security Officer!
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
24
JurInnov’s Solution
Virtual Chief Security Officeraka…
Managed ServiceOutsourced Model
On CallAs Needed
Part Time Resource
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
25
The Virtual CSO
What is a Virtual CSO?
• Strong balance of business acumen and technology knowledge
• Highly skilled team
• Varied security-related experiences
• Certified, typically CISSP, HISP, CEH, and
others
• Part-time resources
• On staff only when needed
Why Virtual?
• Lower cost than a full-time CSO
• More effective with a deeply skilled CSO team
• Most law firms do not need a full-time CSO
• Firm benefits from a CSO with varied experiences
• Ability to attract and retain the best resources because of the career opportunities at a legal technology company…
• … versus being the only security person at a firm with little or no career progression
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
26
Virtual CSO Value
Peace of mind• Understand the gap to be secure / compliant and how to get there• An informed leadership team• Employees better aware of how to be secure / compliant• More time for executives to focus on core business
Business Impact• Lower risk• Lower cost• Positive marketing message to customers / clients• Fewer executive distractions / more focus on core business
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
27
How Will You Know? – Customized Metrics
• Executive satisfaction: focus on peace of mind• Employee awareness: better behaviors• Audits passed• System availability• Penetration test results• Compliance metrics• Security improvements implemented• Business critical systems recovery tests• Change management days• Encrypted devices• Etc.
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
28
Why JurInnov?
• Enterprise-wide view of risk management– Security first – and then compliance
• Legal perspective and discretion
• Core values
• More flexibility– Customized arrangements
– What you need when you need it – no more/no less
• Over a decade of experience in– Protecting terabytes of sensitive, business critical data
– Data breach response
– Computer forensics
– eDiscovery
© 2013 JurInnov, Ltd. All Rights Reserved.
CONFIDENTIAL
29
Questions
To learn more, send us a chat message or give us a call at 216-664-1100
to set up a meeting to talk it through.
Other JurInnov Solutions
Breach Investigation
Computer Forensics
Cybersecurity Survey / Gap Analysis
Training: Cybersecurity, Breach Response and Computer Forensic
Incident Response Planning
Cybersecurity Assessment / Audit
Cybersecurity Risk Management and Strategic Planning
Cybersecurity Policy Review and Development