Managing Compliance Effectively
By Keith Payne
Javitch, Block & Rathbone is one of the country's largest creditors' rights law firms. We employ more than 400 people, including 52 attorneys. We receive on average 11,000 new file placements each month, with the file data remaining in the care of the firm for years.
This large volume of confidential financial account data is subject to federal and state privacy and information security laws. These include the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Gramm-Leach-Bliley Act, the Fair and Accurate Credit Transactions Act and collections laws.
The vast majority of our client portfolio consists of companies from the financial services industry. According to the “Second Annual Cost of Cyber Crime Study,” conducted by the Ponemon Institute and sponsored by ArcSight, financial services companies have some of the highest annualized cyber-crime costs of all U.S. companies.
This results in JB&R being heavily audited for security compliance information. These audits range from remote auditing, which consists of questionnaires and evidence requests, to week-long engagements at our headquarters in Cleveland.
We must meet each audit request with unique answer sets: Some are on-site, while others are remote, and most clients do not use standard information-gathering techniques. As a result, the monthly average audit schedule creates a high demand on our firm’s resources.
Historically, we have been in a reactive posture because of the constant demand from clients for audit findings and recommendations. Continuous remediation of the findings forced our individual practices to implement controls without determining how those controls fit into the overall security framework. Attempting to balance the need to exceed the client's expectations against our own information security management often resulted in blind implementation, with little attempt to determine the actual or perceived risks to the information we were managing.
This reactive posture manifested itself in large amounts of decentralized general policies and procedures. There was little centralized monitoring to determine if control sets were duplicated by other practices, and there was no unified vision of security.
Our headquarters houses more than 50 percent of our staff and 80 percent of the processing functions; the regional offices house attorneys with direct-support staff. Some of the smaller, more focused practices are managed from these regional offices and are considered to be self-reliant, with the home office providing logistical support.
The challenge in the regional offices, which must maintain the same functions on a smaller scale as the main office, is that they ultimately require access to much of the same information as headquarters and have the same demand for information systems compliance.
A Tough Challenge
I’m a one-person information security department, but I lead and manage IS compliance for the firm as a whole, as well as for each area of practice that has its own overlapping and unique governance and operations. Add the need, at least to some extent, to manage them independently of each other, and it’s a real challenge.
Since legal compliance is an integral core competency of our firm, we determined that IS security compliance needed to be separated from the legal compliance department and become an independently managed system. The newly formed information security department was designed to complement and work hand in hand with the firm’s legal compliance function.
To accomplish this, we developed an Information Security Management System (ISMS) based on ISO 27001. The governing committee managing the system consists of a managing partner of the firm, the director of information development, the director of information technology and the chief operations officer. I chaired the committee.
The first order of business involved organization. The legal compliance department clarified which governing laws, regulations and contractual obligations drove our business, and the committee began a discovery process to consolidate the volumes of policies and procedures related to information security.
We found the solution in LockPath's Keylight Governance, Risk and Compliance (GRC) platform, which was customizable and scalable enough to meet our needs, as well as the needs of the financial industries we service. We chose the software-as-a-service (SaaS) version of the program to minimize the impact on our technology infrastructure.
The GRC platform provided the committee and legal compliance with a clear view of the size of our regulatory obligations. When we took all the controls identified individually, we found the compliance task to be extensive. Attempting to manually identify overlaps and ensure compliance was unmanageable.
The platform’s integration with the Unified Compliance Framework (UCF) content provided us with a means to eliminate the duplication and overlapping of the controls under which we operate. We immediately experienced a 60 percent reduction in the total number of controls required to be implemented in order to be compliant with the regulations that govern our work. This cleaner view of the scope enabled us to streamline the policy and procedures by focusing on what truly added value to our ISMS.
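The deduplication described above is, at bottom, a mapping exercise: each requirement from each regulation is tied to one harmonized control, and the firm implements the harmonized set rather than every requirement separately. The following script is an added illustration, not code from the article, LockPath or the UCF; the regulation names come from the article, but the requirement labels, harmonized control IDs (HC-01 and so on) and the mapping itself are constructed for the example. It computes the reduction in control count, shows which controls serve several regulations (so one piece of audit evidence answers several auditors) and reports which requirements remain unmet for a given set of implemented controls.

```python
from collections import defaultdict

# Constructed sample mapping: (regulation, requirement label, harmonized control).
# Requirement labels and HC-xx identifiers are invented for illustration; they are not
# real statutory citations or UCF control numbers.
REQUIREMENTS = [
    ("HIPAA",  "HIPAA-R1",  "HC-01"),  # user access provisioning and removal
    ("HIPAA",  "HIPAA-R2",  "HC-02"),  # audit log collection and review
    ("HIPAA",  "HIPAA-R3",  "HC-03"),  # protection of stored sensitive data
    ("HITECH", "HITECH-R1", "HC-04"),  # incident handling and breach notification
    ("HITECH", "HITECH-R2", "HC-02"),
    ("GLBA",   "GLBA-R1",   "HC-01"),
    ("GLBA",   "GLBA-R2",   "HC-03"),
    ("GLBA",   "GLBA-R3",   "HC-04"),
    ("FACTA",  "FACTA-R1",  "HC-01"),
    ("FACTA",  "FACTA-R2",  "HC-04"),
]


def harmonize(requirements):
    """Group raw requirements under the harmonized control that satisfies them."""
    by_control = defaultdict(list)
    for regulation, req_id, control in requirements:
        by_control[control].append((regulation, req_id))
    return dict(by_control)


def reduction(requirements):
    """Return (raw requirement count, harmonized control count, percent reduction)."""
    raw = len(requirements)
    harmonized = len(harmonize(requirements))
    pct = round(100.0 * (raw - harmonized) / raw, 1) if raw else 0.0
    return raw, harmonized, pct


def evidence_reuse(requirements):
    """Controls whose single evidence package satisfies two or more regulations."""
    reuse = {}
    for control, reqs in harmonize(requirements).items():
        regulations = sorted({regulation for regulation, _ in reqs})
        if len(regulations) >= 2:
            reuse[control] = regulations
    return reuse


def coverage(requirements, implemented):
    """Per regulation, the requirement labels not yet met by the implemented controls."""
    gaps = defaultdict(list)
    for regulation, req_id, control in requirements:
        gaps.setdefault(regulation, [])
        if control not in implemented:
            gaps[regulation].append(req_id)
    return dict(gaps)


if __name__ == "__main__":
    raw, harmonized, pct = reduction(REQUIREMENTS)
    print(f"{raw} raw requirements -> {harmonized} harmonized controls ({pct}% reduction)")
    for control, regs in evidence_reuse(REQUIREMENTS).items():
        print(f"{control} evidence satisfies: {', '.join(regs)}")
    print("open gaps:", coverage(REQUIREMENTS, {"HC-01", "HC-02", "HC-03"}))
```

The same structure scales to a real GRC export: replace the constructed list with the platform's requirement-to-control mapping and the three functions give the control count, the evidence-reuse view and the gap list that an audit response needs.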
Once we had a solid base of obligations on which to build, I, as the committee chair, began working on discovering the assets that housed and processed the information. We deployed the open-source utility Nmap to inventory the entire network, along with the Nessus vulnerability scanner to determine the configurations and provide vulnerability analysis of our network's security posture. The output of these tools was fed directly into the GRC platform, allowing me to effectively manage cleaning up systems and, in some cases, to remove obsolete or highly vulnerable systems.
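Feeding scanner output into an asset register is where unknown and obsolete systems surface. The script below is an added example, not code from the article or from the GRC platform: it parses the XML that Nmap writes with `-oX`, reconciles the live hosts against an approved asset list, and reports hosts that are missing from the register, registered hosts that did not respond, and hosts exposing legacy cleartext services. The sample scan report, the approved-asset table and the legacy-service list are all constructed for the example; the reconciliation output stands in for what would be loaded into the GRC platform.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an abbreviated report in the format Nmap writes with -oX.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.20.30.0/24">
  <host><status state="up"/>
    <address addr="10.20.30.11" addrtype="ipv4"/>
    <hostnames><hostname name="fileserver01.example.invalid" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.20.30.77" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="10.20.30.99" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed: the approved asset register as it might be exported from the GRC platform.
APPROVED_ASSETS = {"10.20.30.11": "fileserver01", "10.20.30.12": "dbserver01"}

# Cleartext or legacy services whose presence is a remediation item in itself.
LEGACY_SERVICES = {"telnet", "ftp", "rsh", "rlogin"}


def parse_nmap_xml(xml_text):
    """Return one record per responding host: ip, hostname and (port, service) pairs."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not respond carry no inventory information
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hostname = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports describe exposed services
            service = port.find("service")
            name = service.get("name") if service is not None else "unknown"
            ports.append((int(port.get("portid")), name))
        hosts.append({
            "ip": addr.get("addr"),
            "hostname": hostname.get("name") if hostname is not None else "",
            "ports": ports,
        })
    return hosts


def reconcile(hosts, approved):
    """Compare scan results with the asset register; return (ip, finding) pairs."""
    findings = []
    seen = set()
    for host in hosts:
        seen.add(host["ip"])
        if host["ip"] not in approved:
            findings.append((host["ip"], "not in asset register"))
        for port, service in host["ports"]:
            if service in LEGACY_SERVICES:
                findings.append((host["ip"], f"legacy service {service}/{port}"))
    for ip in approved:
        if ip not in seen:
            findings.append((ip, "registered asset did not respond"))
    return findings


if __name__ == "__main__":
    for ip, finding in reconcile(parse_nmap_xml(SAMPLE_NMAP_XML), APPROVED_ASSETS):
        print(f"{ip}: {finding}")
```

Running the reconciliation after every scan, and loading the findings into the GRC platform as tickets against the asset records, turns the inventory into a control that is measurable at audit time: the register is either complete or the delta is on record.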
Monitor and Control
The “Second Annual Cost of Cyber Crime Study” mentioned above clearly shows that information theft accounts for the highest external cost of cyber-crime. To respond to that, we must monitor and control our geographically diverse network and the data used on it to effectively secure our information.
The study also reports that smaller organizations experience a 3.8 times higher cost of recovery when a breach occurs. However, companies that use a security information and event management (SIEM) solution to quickly detect and contain cyber-crimes can have a 24 percent reduction in these costs.
Armed with this information, the committee set about acquiring and implementing a SIEM. The logging and monitoring created a large volume of data that initially resulted in information overload. Through auditing, I was able to produce a visual representation of our information flow, and with the help of the IT systems department, we refined the triggers to properly monitor for anomalies.
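The information overload the paragraph describes usually comes from triggers that fire on raw counts. The script below is an added illustration, not the firm's SIEM rules or any vendor's content: it runs a naive failed-login rule and a refined one over a constructed set of authentication events and shows the refinement cutting the noise. The log format, host names, addresses, user names and the scanner allow-list are all constructed; the refinement assumes the firm's own vulnerability scanner is a known source that should be excluded, and that a burst of failures across several accounts is a better anomaly signal than a burst for one account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events in a simplified key=value form.
# Three stories: a user mistyping a password (10.20.30.40), the firm's own scanner
# (10.20.30.5) and an external source trying several accounts (203.0.113.9).
SAMPLE_LOG = """\
2012-03-05T08:00:01 host=fs01 event=auth_fail src=10.20.30.40 user=jsmith
2012-03-05T08:00:03 host=fs01 event=auth_fail src=10.20.30.40 user=jsmith
2012-03-05T08:00:05 host=fs01 event=auth_fail src=10.20.30.40 user=jsmith
2012-03-05T08:00:07 host=fs01 event=auth_fail src=10.20.30.40 user=jsmith
2012-03-05T08:00:09 host=fs01 event=auth_fail src=10.20.30.40 user=jsmith
2012-03-05T08:00:12 host=fs01 event=auth_ok src=10.20.30.40 user=jsmith
2012-03-05T08:05:00 host=fs01 event=auth_fail src=10.20.30.5 user=admin
2012-03-05T08:05:02 host=fs01 event=auth_fail src=10.20.30.5 user=root
2012-03-05T08:05:04 host=fs01 event=auth_fail src=10.20.30.5 user=guest
2012-03-05T08:05:06 host=web01 event=auth_fail src=10.20.30.5 user=admin
2012-03-05T08:05:08 host=web01 event=auth_fail src=10.20.30.5 user=root
2012-03-05T08:05:10 host=web01 event=auth_fail src=10.20.30.5 user=guest
2012-03-05T09:10:00 host=web01 event=auth_fail src=203.0.113.9 user=admin
2012-03-05T09:10:05 host=web01 event=auth_fail src=203.0.113.9 user=admin
2012-03-05T09:10:10 host=web01 event=auth_fail src=203.0.113.9 user=backup
2012-03-05T09:10:20 host=web01 event=auth_fail src=203.0.113.9 user=svc_sql
2012-03-05T09:10:30 host=web01 event=auth_fail src=203.0.113.9 user=jdoe
2012-03-05T09:10:40 host=web01 event=auth_fail src=203.0.113.9 user=jdoe
2012-03-05T09:11:00 host=web01 event=auth_ok src=203.0.113.9 user=jdoe
"""

SCANNER_ALLOWLIST = {"10.20.30.5"}   # constructed: the authorized vulnerability scanner
WINDOW = timedelta(minutes=10)


def parse(log_text):
    """Turn each log line into a dict with a datetime under 'ts'."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        record = dict(field.split("=", 1) for field in fields)
        record["ts"] = datetime.fromisoformat(ts)
        events.append(record)
    return events


def failures_by_source(events):
    """Group failed logins by source address, preserving log (time) order."""
    grouped = defaultdict(list)
    for event in events:
        if event["event"] == "auth_fail":
            grouped[event["src"]].append(event)
    return grouped


def densest_run(fails, window):
    """Largest set of failures that all fall within `window` of the earliest one."""
    best = []
    for i, start in enumerate(fails):
        run = [f for f in fails[i:] if f["ts"] - start["ts"] <= window]
        if len(run) > len(best):
            best = run
    return best


def baseline_rule(events, threshold=5):
    """Naive trigger: N or more failures from one source inside the window."""
    alerts = [src for src, fails in failures_by_source(events).items()
              if len(densest_run(fails, WINDOW)) >= threshold]
    return sorted(alerts)


def refined_rule(events, single_user_threshold=10, spray_users=3):
    """Refined trigger: ignore the known scanner; alert on failures spread across
    several accounts, or on a much larger burst against a single account."""
    alerts = []
    for src, fails in failures_by_source(events).items():
        if src in SCANNER_ALLOWLIST:
            continue
        run = densest_run(fails, WINDOW)
        users = {f["user"] for f in run}
        if len(users) >= spray_users or len(run) >= single_user_threshold:
            alerts.append(src)
    return sorted(alerts)


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("baseline alerts:", baseline_rule(events))
    print("refined alerts: ", refined_rule(events))
```

On the constructed data the baseline rule raises three alerts, two of them noise, while the refined rule raises only the one for the external source; in a live deployment the allow-list and thresholds are exactly the kind of trigger tuning the article attributes to the joint work with the IT systems department.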
The SIEM has given us the ability to determine what is happening across all areas and to measure the effectiveness of the controls implemented. Our adoption of LockPath's Keylight GRC platform has enabled us to transform ourselves from a reactive organization into a proactive organization in information security compliance.
As with many information security initiatives, the return has been more qualitative than quantitative, with the greatest return in the culture of our company. The employees now proactively consider and implement information security in daily operations and project design. By granting all employees the ability to log in to the GRC platform, by recording awareness campaigns and by making the program a one-stop shop for all things security, we've been able to realize a return on our investments.
In addition, our external audits are much more productive: We have seen a 40 percent reduction in the time spent with the audit teams for IS and a 50 percent reduction in remediation requests. The clients have a greater sense of our security posture and their requests for additional controls to mitigate their risks fit into our ISMS structure more logically.
The time required to complete an audit (data gathering) has also been reduced by 30 percent, as our efforts are clearly documented and measurable. Overall, we are thinking about security and identifying potential incidents quickly and effectively, which allows me to focus on actionable items instead of reacting to perceptions. The number of potential incidents reported has increased by 100 percent because employees are more aware of security risks. The perceived security incidents that are found to be false have dropped by about 20 percent, and this is continuing to trend downward. Reports that show the existence of a vulnerability that may lead to an incident are produced in 60 days, compared to the 100 days (for similar events) it took before this initiative.
Our quality projects integrate IS from conception. This saves an estimated 1,000 staff hours per year (half an FTE) in the time required to evaluate and mitigate concerns. All these efforts, with the full backing of upper management, have set us on the path to becoming an ISO-certified company.
Keith Payne has been the information systems security officer at the Javitch, Block & Rathbone law firm since 2005. Prior to that, he served 20 years in the U.S. Air Force, where one of his duties was to serve as an IS security officer. Payne converted the firm's IS security program from a client-driven set of standards to an ISO/IEC 27001-compliant system.