Managing Compliance Effectively
By Keith Payne | Posted 2012-04-20
Javitch, Block & Rathbone separated information systems security compliance from its legal compliance department, and the two departments now work hand in hand.
Javitch, Block & Rathbone is one of the country's largest creditor's rights law firms. We employ more than 400 people, including 52 attorneys. We receive on average 11,000 new file placements each month, with the file data remaining in the care of the firm for years.
This large volume of confidential financial account data is subject to state privacy and information security laws. These include the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), Gramm-Leach-Bliley Act, Fair and Accurate Credit Transaction Act and collections laws.
The vast majority of our client portfolio consists of companies from the financial services industry. According to the “Second Annual Cost of Cyber Crime Study,” conducted by the Ponemon Institute and sponsored by ArcSight, financial services companies have some of the highest annualized cyber-crime costs of all U.S. companies.
This results in JB&R being heavily audited for security compliance information. These audits range from remote auditing, which consists of questionnaires and evidence requests, to week-long engagements at our headquarters in Cleveland.
We must meet each audit request with unique answer sets: Some are on-site, while others are remote, and most clients do not use standard information-gathering techniques. As a result, the monthly average audit schedule creates a high demand on our firm’s resources.
Historically, we have been in a reactive posture because of the constant demand from clients for audit findings and recommendations. Continuous remediation of those findings forced our individual practices to implement controls without determining how the controls fit into the overall security framework. Attempting to balance the need to exceed the client's expectations with our own information security management often resulted in blind implementation, with little attempt to determine the actual or perceived risks to the information we were managing.
This reactive posture manifested itself in large amounts of decentralized general policies and procedures. There was little centralized monitoring to determine if control sets were duplicated by other practices, and there was no unified vision of security.
Our headquarters houses more than 50 percent of our staff and 80 percent of the processing functions, while the regional offices consist of attorneys with direct-support staff. Some of the smaller, more focused practices are managed from these regional offices and are considered to be self-reliant, with the home office providing logistical support.
The challenge in the regional offices, which must maintain the same functions on a smaller scale as the main office, is that they ultimately require access to much of the same information as headquarters and have the same demand for information systems compliance.