Monitor and Control
By Keith Payne | Posted 2012-04-20
Javitch, Block & Rathbone separated information systems security compliance from its legal compliance department, and the two departments now work hand in hand.
The “Second Annual Cost of Cyber Crime Study” mentioned above clearly shows that information theft accounts for the highest external cost of cyber-crime. To respond to that, we must monitor and control our geographically diverse network and the data used on it to effectively secure our information.
The study also reports that smaller organizations experience a 3.8 times higher cost of recovery when a breach occurs. However, companies that use a security information and event management (SIEM) solution to quickly detect and contain cyber-crimes can have a 24 percent reduction in these costs.
Armed with this information, the committee set about acquiring and implementing SIEM. The logging and monitoring created a large volume of data that initially resulted in information overload. Through auditing, I was able to produce a visual representation of our information flow, and with the help of the IT systems department, we refined the triggers to properly monitor for anomalies.
The SIEM has given us the ability to determine what is happening across all areas and to measure the effectiveness of the controls implemented. Our adoption of LockPath’s Keylight GRC platform has enabled us to transform ourselves from a reactionary organization to a proactive organization in information security compliance.
As with many information security initiatives, the return has been more qualitative than quantitative, with the greatest return in the culture of our company. The employees now proactively consider and implement information security in daily operations and project design. By granting all employees the ability to log in to the GRC platform, by recording awareness campaigns and by making the program a one-stop shop for all things security, we’ve been able to realize a return on our investments.
In addition, our external audits are much more productive: We have seen a 40 percent reduction in the time spent with the audit teams for IS and a 50 percent reduction in remediation requests. The clients have a greater sense of our security posture, and their requests for additional controls to mitigate their risks fit into our ISMS structure more logically.
The time required to complete an audit (data gathering) has also been reduced by 30 percent, as our efforts are clearly documented and measurable. Overall, we are thinking about security and identifying potential incidents quickly and effectively, which allows me to focus on actionable items instead of reacting to perceptions. The number of potential incidents has increased by 100 percent because employees are more aware of security risks. The perceived security incidents that are found to be false have dropped by about 20 percent, and this is continuing to trend downward. Reports that show the existence of a vulnerability that may lead to an incident are produced in 60 days, compared to the 100 days (for similar events) it took before this initiative.
Our quality projects integrate IS from conception. This saves an estimated 1000 staff hours per year (half FTE) in the time required to evaluate and mitigate concerns. All these efforts, with the full backing of upper management, have set us on the path to become an ISO-certified company.
Keith Payne has been the information systems security officer at the Javitch, Block & Rathbone law firm since 2005. Prior to that, he served 20 years in the U.S. Air Force, where one of his duties was to serve as an IS security officer. Payne converted the firm’s IS security program from a client-driven set of standards to an ISO/IEC 2700-compliant system.