Managing Compliance Effectively

By Keith Payne

Javitch, Block & Rathbone is one of the country's largest creditors' rights law firms. We employ more than 400 people, including 52 attorneys. We receive on average 11,000 new file placements each month, with the file data remaining in the care of the firm for years.

This large volume of confidential financial account data is subject to federal and state privacy and information security laws. These include the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Gramm-Leach-Bliley Act, the Fair and Accurate Credit Transactions Act (FACTA) and federal and state collections laws.

The vast majority of our client portfolio consists of companies from the financial services industry. According to the "Second Annual Cost of Cyber Crime Study," conducted by the Ponemon Institute and sponsored by ArcSight, financial services companies have some of the highest annualized cyber-crime costs of all U.S. companies.

This results in JB&R being heavily audited by its clients for security compliance. These audits range from remote auditing, which consists of questionnaires and evidence requests, to week-long engagements at our headquarters in Cleveland.

We must meet each audit request with a unique answer set: some audits are on-site, others are remote, and few clients use a standardized questionnaire or evidence format, so answers and artifacts prepared for one client rarely satisfy the next. As a result, the monthly audit schedule places a heavy and recurring demand on the firm's resources.

Historically, we have been in a reactive posture because of the constant stream of audit findings and recommendations from clients. Continuous remediation of those findings forced our individual practices to implement controls without determining how each control fit into the overall security framework. Trying to balance the need to exceed clients' expectations against our own information security management often resulted in blind implementation, with little attempt to determine the actual or perceived risks to the information we were managing.

This reactive posture manifested itself in large amounts of decentralized general policies and procedures. There was little centralized monitoring to determine whether control sets were duplicated across practices, and there was no unified vision of security.

Our headquarters houses more than 50 percent of our staff and 80 percent of the processing functions; the remainder is spread across the regional offices, which include attorneys with direct-support staff. Some of the smaller, more focused practices are managed from these regional offices and are considered self-reliant, with the home office providing logistical support.

The challenge in the regional offices, which must maintain the same functions as the main office on a smaller scale, is that they ultimately require access to much of the same information as headquarters and therefore face the same demand for information systems compliance, without the headquarters' resources to meet it.