The onslaught of cyber attacks across industries continues, along with events driven by employee mistakes and poor information security practices. In-house counsel must understand their organization's information security program and any current gaps to help manage these risks and address increasingly complex data security laws and regulations. Effective information security programs employ a variety of safeguards, including both protective measures to prevent attacks and detective controls to rapidly recognize incidents and respond. Unfortunately, many organizations' programs fall short, leaving them open to unnecessary risk.
This article lists ten common information security gaps counsel should understand and address with business leadership.
1. Written program and policies
Federal and state laws require certain organizations, especially those that handle personally identifiable information, to develop, implement, and maintain a written information security program (WISP). For example, the Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act apply specific information security requirements to the financial services and health care sectors and their service providers. Sector-specific information security program and policies requirements may also apply to those who own or support critical infrastructure, as defined by federal policy. Critical infrastructure includes a broad set of 16 public and private sectors deemed vital to the US economy, national security, or public health and safety.
A WISP documents the high-level measures that a business takes to protect the security, confidentiality, integrity, and availability of personal information and other sensitive data. By contrast, information security policies establish specific safeguards, provide guidance to workforce members, and limit how workforce members may access and use the organization's network and systems.
Maintaining a strong WISP and policies can benefit any organization by establishing accountability, communicating clear expectations, and demonstrating a commitment to cybersecurity. However, counsel should caution the business that any failure to implement and maintain safeguards consistent with its WISP and policies may be used as evidence against it in litigation or regulatory actions. Policies should include supporting processes to document, review, and monitor any exceptions granted for legitimate business needs.
2. Risk assessment
Periodic, formal risk assessments play a vital role in information security by helping organizations understand gaps and prioritize investments. Risk assessments should include pertinent stakeholders such as business leadership, key program staff, information technology (IT), legal, privacy, human resources, and compliance groups. Organizations should assign accountability to remediate (or at least mitigate) identified risks and track efforts to completion.
Cybersecurity risk is often described with a simple relationship: risk exists where a threat can exploit a vulnerability, frequently written as risk = threat x vulnerability, sometimes with impact as a third factor. Without a credible threat or without an exploitable weakness there is little risk, so it is important to understand both the ever-changing threat landscape and an organization's particular vulnerabilities. Risk assessments should consider external threats, such as cyber attacks, vendor errors, and data or equipment theft, and internal threats, including employee mistakes and policy non-compliance, whether inadvertent or intentional. Counsel must recognize that vulnerabilities may result from technical issues, gaps in administrative processes, physical security breakdowns, or a combination of factors.
Given their pivotal role in maintaining data security, certain federal and state laws require risk assessments, and publicly traded companies may be obligated to disclose cyber risks. Counsel may also consider conducting assessments or reviews under attorney-client privilege.
3. Information handling
All too often, organizations do not understand and so cannot reasonably protect the data they hold. Creating a data inventory ("data mapping") ensures that stakeholders, including legal, know what information the organization is storing, how it is using it, where the information is located, and the safeguards in place.
Organizations should use technical safeguards to protect data, such as access control, encryption, and secure backup and disposal methods, and administrative and physical safeguards including workforce training and restricted access to areas that house sensitive information. Data loss prevention (DLP) software can also help detect and prevent data leakage, while educating users with information and warnings on media handling and data movement. DLP tools set limits on the actions users can take with certain data types and monitor the way sensitive information moves within an organization's network.
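The content-inspection step a DLP tool applies to data in motion looks roughly like the following. This is an added illustration, not code from the original article or from any DLP product; the sample message, the policy threshold and the card-number pattern are constructed for the example. The point it shows is why a pattern match alone is a poor DLP rule: the Luhn check digit that payment card numbers carry lets the scanner discard order numbers and tracking IDs that merely look like cards, which is where most false positives and user frustration come from.

```python
"""Content inspection of the kind a DLP tool applies to data in motion.

A pattern match alone would flag any long run of digits; the Luhn check
digit that payment card numbers carry lets the scanner drop order numbers
and tracking IDs that merely look like cards. Sample text is constructed.
"""
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run.
CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 check-digit test; True for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings in `text` that pass both pattern and Luhn checks."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> str:
    """Mask all but the last four digits of each confirmed card number."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()  # not a card; leave order/tracking numbers alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE.sub(mask, text)


def policy_decision(text: str, max_allowed: int = 0) -> str:
    """Constructed policy: 'block' when confirmed card numbers exceed the allowance."""
    return "block" if len(find_card_numbers(text)) > max_allowed else "allow"


# Constructed sample: a well-known test card number, a 16-digit order number
# that fails Luhn, and a 10-digit account reference that is too short.
SAMPLE_MESSAGE = (
    "Hi, please charge card 4111 1111 1111 1111 for order 1234-5678-9012-3456. "
    "Reference account 9876543210 if there are problems."
)

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_MESSAGE))
    print(policy_decision(SAMPLE_MESSAGE))
    print(redact(SAMPLE_MESSAGE))
```

In a real deployment the same detector runs at the mail gateway, web proxy, or endpoint agent, and the decision feeds a user-facing warning or a block; the redaction path is what a tool applies when policy allows the message to proceed with the sensitive field masked.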
4. Incident planning and response
While many cyber events can be prevented, organizations must be prepared if and when they occur. Response plans should include an event-specific analysis of applicable law and obligations, such as data breach notification to regulators and affected individuals. Response plans should also assign responsibility and explain criteria for engaging law enforcement when criminal attacks occur, including legal review.
Breach notification obligations generally depend on the data compromised and affected individuals' locations. Counsel should recognize and remind business clients that breach notification laws typically apply to both employee and consumer personal information. Some states also require organizations that breach personal information to provide affected individuals with identity theft protection or credit monitoring services. To avoid response delays, counsel should help negotiate contracts with appropriate service providers prior to any events.
Counsel should encourage and participate in regular event simulations to exercise plans and identify any gaps.
5. User access management and audits
Organizations should grant access to confidential information only to individuals with a demonstrated need to know. Counsel should encourage their clients to use sound methods to verify user identity, including two-factor authentication where appropriate, and to grant access based on users' management-validated business roles. Organizations must be careful to grant administrative or privileged system access only to trusted individuals whose assigned duties require it. In all cases, users should be given the least access necessary to fulfill their duties and no more, an information security concept known as "least privilege."
Counsel should also recommend that the organization conduct regular user access audits to verify continued need-to-know and promptly remove access when an individual's relationship with the business terminates.
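The access audit described above can be reduced to a comparison of three sources: the entitlements each account actually holds, the baseline its owner's management-validated role justifies, and the HR roster. The following added example, which is not from the original article, performs that comparison over constructed sample data; the role names, entitlement names, users and the roster are all hypothetical. It flags the conditions an auditor looks for: accounts whose owner has left, entitlements beyond the role baseline (least-privilege violations), privileged rights with no recorded approval, and accounts with no HR owner at all.

```python
"""Periodic user access audit over constructed sample data.

Compares the entitlements each account holds against the baseline its
owner's management-validated role allows and against the HR roster.
Role matrix, entitlement names, users and roster are hypothetical.
"""
from dataclasses import dataclass, field

# Entitlements a validated business role justifies (constructed matrix).
ROLE_BASELINE = {
    "accounts_payable": {"erp_read", "erp_post_invoice"},
    "helpdesk": {"ad_password_reset", "ticketing"},
    "dba": {"db_admin", "ticketing"},
}

# Rights that count as administrative/privileged and need explicit approval.
PRIVILEGED = {"db_admin", "domain_admin", "ad_password_reset"}


@dataclass
class Account:
    user: str
    entitlements: set
    privileged_approvals: set = field(default_factory=set)  # approved privileged rights


# HR roster: user -> (employment status, validated role). Constructed.
HR_ROSTER = {
    "alice": ("active", "accounts_payable"),
    "bob": ("terminated", "helpdesk"),
    "carol": ("active", "dba"),
    "dave": ("active", "helpdesk"),
}

# What the directory/IAM export actually shows. Constructed.
ACCOUNTS = [
    Account("alice", {"erp_read", "erp_post_invoice"}),
    Account("bob", {"ad_password_reset", "ticketing"}, {"ad_password_reset"}),
    Account("carol", {"db_admin", "ticketing"}, {"db_admin"}),
    Account("dave", {"ad_password_reset", "ticketing", "domain_admin"}, {"ad_password_reset"}),
    Account("svc_legacy", {"erp_read"}),  # orphan: nobody in HR owns it
]


def audit(accounts, roster, baseline):
    """Return (user, finding, affected entitlements) tuples for follow-up."""
    findings = []
    for acct in accounts:
        record = roster.get(acct.user)
        if record is None:
            findings.append((acct.user, "no_hr_record", frozenset(acct.entitlements)))
            continue
        status, role = record
        if status != "active":
            # Relationship ended: remove the whole account, finer checks are moot.
            findings.append((acct.user, "terminated_still_enabled", frozenset(acct.entitlements)))
            continue
        excess = acct.entitlements - baseline.get(role, set())
        if excess:
            findings.append((acct.user, "exceeds_role_baseline", frozenset(excess)))
        unapproved = (acct.entitlements & PRIVILEGED) - acct.privileged_approvals
        if unapproved:
            findings.append((acct.user, "privileged_without_approval", frozenset(unapproved)))
    return findings


if __name__ == "__main__":
    for user, finding, rights in audit(ACCOUNTS, HR_ROSTER, ROLE_BASELINE):
        print(f"{user:10} {finding:28} {sorted(rights)}")
```

Each finding is meant to be assigned to an owner and tracked to closure, as the risk assessment section recommends for other gaps; an audit that produces a report nobody acts on is not an audit.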
6. IT asset and vulnerability management
Simply put, organizations cannot protect hardware and software they do not know they have. Inventorying and tracking IT assets provides a clear view of current risk, supports license and contract compliance, and enables ongoing vulnerability management. Organizations should control how IT assets, whether purchased or freely downloaded, enter the environment so that unknown systems and software do not surface later as surprises.
Monitoring vendor notifications and reliable sources for new vulnerability alerts promotes timely response through software patching, configuration updates, or device replacement. Counsel should realize and caution business leaders that many cyber attacks exploit known but unaddressed vulnerabilities.
By participating in information sharing programs, organizations benefit from others' experience and contribute to a safer community. In-house counsel plays an important role by reviewing information sharing protocols and agreements. See Legal Update, President Obama Signs Cybersecurity Act of 2015, and watch for new regulations that encourage information sharing, including liability limitations for those who share threat indicators.
7. Mobile device management
Many organizations allow workforce members to use their own mobile devices to connect to their systems (or simply do not prevent them from doing so). Unfettered access to the organization's network can result in data leakage or misuse and other cybersecurity risks. Counsel should also be aware of other potential legal issues, including data ownership and labor relations. Organizations should implement policies and safeguards to manage the legal and technical risks presented by Bring Your Own Device (BYOD) arrangements.
8. Service provider governance
Many, if not most, organizations engage third-party service providers to support specific business functions. These relationships often require the third parties to access, collect, create, use, or maintain data or IT assets on the organization's behalf. Especially in the case of cloud computing services, business groups may contract on their own without recognizing information security issues. Requiring upfront legal and cybersecurity due diligence, together with specific contract terms that demand sound practices and permit periodic audits, avoids undue risk.
9. Continuous monitoring
Organizations must be able to detect, respond to, and investigate cyber events in near real-time. They must also recognize IT environment changes that create vulnerabilities. Continuous monitoring and event management tools address these needs and include technical capabilities such as intrusion detection and prevention, anomaly detection, configuration management, vulnerability assessment, and managed services (especially for smaller or less cyber-sophisticated organizations).
Counsel should understand which tools their clients are using and their capabilities, including any security information and event management (SIEM) services that help with incident detection, response, and data collection. Counsel should also identify potential litigation or regulatory actions and help develop appropriate event response protocols (see #4) and data retention policies.
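To make concrete what a SIEM detection rule does with the data it collects, here is an added example that is not part of the original article: a rule that reads authentication log lines and raises an alert when a burst of failed logins from one source address is followed by a success from the same address, the classic signature of password guessing that worked. The log format, host name, addresses and timestamps are constructed for the example; a real deployment would parse the organization's own log sources and send the alert to its response workflow.

```python
"""Near-real-time detection over authentication logs, as a SIEM rule would run.

Rule: `threshold` or more failed logins from one source address inside
`window`, followed by a successful login from that same address, raises an
alert. Log lines are constructed in a syslog-like shape for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format for the hypothetical bastion host.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

SAMPLE_LOG = """
2016-03-01T10:00:01Z bastion sshd: Failed password for alice from 203.0.113.5
2016-03-01T10:00:04Z bastion sshd: Failed password for alice from 203.0.113.5
2016-03-01T10:00:08Z bastion sshd: Failed password for root from 203.0.113.5
2016-03-01T10:00:12Z bastion sshd: Failed password for alice from 203.0.113.5
2016-03-01T10:00:15Z bastion sshd: Failed password for alice from 203.0.113.5
2016-03-01T10:00:20Z bastion sshd: Failed password for alice from 203.0.113.5
2016-03-01T10:00:31Z bastion sshd: Accepted password for alice from 203.0.113.5
2016-03-01T10:05:00Z bastion sshd: Failed password for bob from 198.51.100.7
2016-03-01T10:05:09Z bastion sshd: Accepted password for bob from 198.51.100.7
2016-03-01T10:10:00Z bastion sshd: Failed password for carol from 203.0.113.9
2016-03-01T10:10:30Z bastion sshd: Failed password for carol from 203.0.113.9
2016-03-01T10:11:00Z bastion sshd: Failed password for carol from 203.0.113.9
2016-03-01T10:11:30Z bastion sshd: Failed password for carol from 203.0.113.9
2016-03-01T10:12:00Z bastion sshd: Failed password for carol from 203.0.113.9
2016-03-01T10:12:20Z bastion sshd: Accepted password for carol from 203.0.113.9
2016-03-01T10:12:21Z bastion sshd: Received disconnect from 203.0.113.9
""".strip().splitlines()


def parse(line: str):
    """Return the event fields, or None for lines this rule does not care about."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Sliding-window correlation keyed on source address."""
    failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # age out failures older than the window
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(recent),
                "at": ev["ts"].isoformat(),
            })
            recent.clear()  # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Only the first source trips the rule: bob's single typo is noise, and carol's five slow failures fall outside the 60-second window by the time she logs in. Lowering the threshold to two would also flag carol, which is the tuning trade-off counsel will hear about when asking why a tool "missed" or "over-alerted" on an event.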
10. Log management
Hardware and software event logs support continuous monitoring and also provide the record needed for post-event review and forensic analysis. All too often, IT groups ignore logs or unwittingly destroy them, for example through short retention settings or unmanaged log rotation.
Log management tools collect event logs and protect them from tampering or inadvertent deletion. As with continuous monitoring, counsel should understand which tools their clients are using and their capabilities, while also providing advice on data retention and investigations. If the organization has not invested in these increasingly common tools, counsel may be well-positioned to help business leaders understand risks and emerging standards of care, as shown by recent litigation and enforcement trends.
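The tamper protection that log management tools provide rests on a simple mechanism, shown here as an added example that is not from the original article or any particular product: each stored entry carries a hash over the previous entry's hash and its own contents, so changing, inserting or reordering any entry breaks every link after it. A hash chain alone cannot reveal that the most recent entries were deleted, which is exactly what an intruder covering tracks would do, so the example also stores a keyed checkpoint of the entry count and last hash. The key, records and host names are constructed; in practice the checkpoint and key live with the central log collector, not on the hosts that produce the logs.

```python
"""Tamper-evident log storage: a SHA-256 hash chain plus a keyed checkpoint.

Altering or reordering any entry breaks every hash after it. Because a
chain alone does not reveal a deleted tail, a separately stored, HMAC-sealed
checkpoint of (entry count, last hash) is checked as well.
Key, records and hosts are constructed for this example.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # previous-hash value for the first entry

# Constructed key; never ship a static key like this in production.
CHECKPOINT_KEY = b"example-checkpoint-key-not-for-production"


def entry_hash(prev_hash: str, record: dict) -> str:
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append(chain: list, record: dict) -> list:
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "hash": entry_hash(prev, record)})
    return chain


def verify_chain(chain: list):
    """Return (True, None) if every link holds, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def seal(chain: list, key: bytes) -> dict:
    """Checkpoint the chain's current length and head, authenticated with HMAC."""
    count = len(chain)
    last = chain[-1]["hash"] if chain else GENESIS
    mac = hmac.new(key, f"{count}:{last}".encode(), hashlib.sha256).hexdigest()
    return {"count": count, "last": last, "mac": mac}


def verify_sealed(chain: list, checkpoint: dict, key: bytes) -> str:
    """Return 'ok' or a short reason the stored log cannot be trusted."""
    ok, bad = verify_chain(chain)
    if not ok:
        return f"entry {bad} altered"
    expected = hmac.new(
        key, f"{checkpoint['count']}:{checkpoint['last']}".encode(), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(expected, checkpoint["mac"]):
        return "checkpoint forged"
    last = chain[-1]["hash"] if chain else GENESIS
    if len(chain) != checkpoint["count"] or last != checkpoint["last"]:
        return "entries missing since checkpoint"
    return "ok"


# Constructed events, not real log data.
SAMPLE_RECORDS = [
    {"ts": "2016-03-01T10:00:01Z", "host": "bastion", "event": "login_failed", "user": "alice"},
    {"ts": "2016-03-01T10:00:09Z", "host": "bastion", "event": "login_ok", "user": "alice"},
    {"ts": "2016-03-01T10:02:44Z", "host": "fileserver", "event": "acl_changed", "user": "alice"},
]


def build_chain(records=SAMPLE_RECORDS) -> list:
    chain = []
    for r in records:
        append(chain, r)
    return chain


def demo() -> dict:
    """Intact log, a rewritten entry, and a deleted tail, each checked both ways."""
    chain = build_chain()
    checkpoint = seal(chain, CHECKPOINT_KEY)
    tampered = copy.deepcopy(chain)
    tampered[1]["record"]["event"] = "login_failed"  # rewrite history
    truncated = chain[:2]                              # drop the ACL change
    return {
        "intact": verify_sealed(chain, checkpoint, CHECKPOINT_KEY),
        "tampered": verify_sealed(tampered, checkpoint, CHECKPOINT_KEY),
        "truncated": verify_sealed(truncated, checkpoint, CHECKPOINT_KEY),
        "truncated_chain_only": verify_chain(truncated)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last result is the one worth remembering: the truncated log still passes the chain check on its own, and only the sealed checkpoint exposes the deletion. Forwarding logs promptly to a collector the producing host cannot write back to, and retaining them for a defined period, is what turns this mechanism into evidence that will hold up in an investigation.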
With vigilance and an effective, counsel-supported information security program, organizations can prevent most cyber attacks, or at least lessen the damage if an attack occurs.
***
Melodi (Mel) Gates, Attorney Editor, Practical Law, Privacy & Data Security Melodi (Mel) Gates, CIPP/US joined Practical Law from Squire Patton Boggs (US) LLP, where she was a senior associate focusing on cybersecurity and privacy issues, including in the health information technology field. Prior to practicing law, Mel worked for over twenty years in the telecommunications industry, last serving as chief information security officer (CISO) for a large network provider. She is also an appointed member of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee (DPIAC).