LEO CYBER SECURITY REFERENCE DESK 2017

WWW.LEOCYBERSECURITY.COM

CONTACTS

Seth Jaffe - General Counsel and VP, Incident Response
seth.jaffe@leocybersecurity.com

David Tompkins - SVP of Client Services
dt@leocybersecurity.com

David Deering - Founder and Client Executive
[email protected]

SUMMARY

Designed to accompany LEO’s Cyber Security Law Conferences, this compilation of documents is intended to provide useful references to pressing cyber security issues. The information contained in this compilation is for informational purposes only, and is not intended to be legal advice.


Sample Questions a Board of Directors May Want to Ask the Information Security Group

In today’s environment, certain fiduciary duties imposed on corporate directors apply to information security. These duties must be discharged in good faith and in a manner the director reasonably believes to be in the best interests of the company. In the wake of major data breaches, courts and experts have weighed in on the board of directors’ cyber security duties.1 The following questions are intended to serve as example queries for the board to put to the information security department. They are purposefully fashioned not to be yes/no questions, to better elicit dialog between Infosec and the board. Certain questions may beget complex answers, so it may make sense for a technical member of the board or a chartered committee to pose the questions.

Goal 01 – Identify Information Assets

Actionable risk assessments depend on an accurate inventory of company information. This starts with thorough data mapping, taking into account not only where data resides, but what kind of data it is, along with its potential value on the dark web.

Board Questions:
1. What tools and processes did we use for asset and data discovery?
2. What assets have the most value to cyber criminals?
3. How many assets did we discover that we were unaware of?

Red Flag(s): No new assets discovered. No clearly defined classification of assets, and no control sets specified based on classification. Uncontrolled data and use of cloud applications.

Goal 02 – Identify Risks to the Information Assets

Once assets are catalogued, assess the risks associated with those assets. This includes identification of the potential threats to the assets, the likelihood of those threats finding their target, and the subsequent damage if those threats do materialize.

Board Questions:
1. Describe the last three tests we have completed outside of penetration tests.
2. Identify the top two threats by likelihood of attack and by damage to the company.

Red Flag: Lack of risk assessments outside of generic pen tests.

Goal 03 – Establish a Written Information Security Plan (WISP)

Various laws, regulations, and guidelines require adoption of an information security program commensurate with the risks presented. An integral part of that program is the adoption of a WISP, the contents of which should evolve to meet the dynamic cyber threat landscape.

Board Questions:
1. When was the last time our WISP was updated, and what change does the update reflect?
2. How does our WISP handle third party management?
3. What modifications do we plan to make to the WISP in accordance with our 1, 3, and 5-year strategy?

Red Flag: Lack of, or stagnant, WISP.

Goal 04 – Implement the Security Program

Failing to implement responsive security measures may put board members in the crosshairs of a shareholder derivative suit.

Board Questions:
1. What is the status of our security program deployment?
2. What are the last three security measures that were deployed to meet our WISP?
3. What is the most difficult part of implementing this plan?
4. What are the next three actions you plan to take?

Red Flag: Lack of clear direction or dedicated resources to drive the program.

Goal 05 – Monitor the Effectiveness of the Security Program

Security programs must adapt as the threats do, and this requires periodic assessments of their effectiveness.

Board Questions:
1. Describe the three most difficult parts of your daily cyber security operations.
2. Name the two tools that require the most time for day-to-day operations.
3. Who manages those tools?

Red Flag: Inability to provide insight metrics, dashboards, or key performance indicators about the program’s improvement and success.

Goal 06 – Reassess and Update Security Program

When program effectiveness wanes, changes should be implemented to modernize and maintain it. This could occur because of changes in the threat landscape, changes to operations or the technology used in the business, or discovery of better security solutions on the market.

Board Questions:
1. When was the last time a third party assessed our cyber security program in operation, who was it, and what were the findings?
2. What recent material business changes may have opened us to new threats?
3. When was the last time we conducted a review of cybersecurity solutions, and what were the findings?

Red Flag: Little to no demonstrable action has been taken since the last assessment.

Goal 07 – Employee Cyber Security Training

Security programs are only as strong as their weakest link. Participation from employees is paramount to program success, and that begins with training and education.

Board Questions:
1. What is our cyber security employee training and education plan?
2. What were the last three initiatives undertaken in that area?
3. Specifically describe to me how we educate users about phishing and spearphishing attacks.

Red Flag: Inability to measure the effectiveness of the program and the improvement of the employees.

Goal 08 – Imposing Security Obligations on Third Party Partners

As demonstrated in some of the more notable breaches of late, outsourcing does not absolve companies of their security obligations. In fact, companies have a duty not only to contractually require vendors to implement and maintain appropriate security measures, but to periodically verify compliance.

Board Questions:
1. Describe our third party cyber security ratings and risk monitoring process.
2. Do we have a vendor risk management program in place?
3. Show me sample security provisions imposed on third parties.

Red Flag: Not having a formalized third-party program and a clear inventory of vendors. No defined security audit program.

Goal 09 – Implement a Robust Incident Response Program

Modern responses to cyber security incidents occur in public view, and companies cannot afford to haphazardly hash together a plan as the incident occurs. Programs should include detailed run books, well-trained teams, and pre-coordinated partnerships.2

Board Questions:
1. Provide the written incident response plan.
2. Highlight the executable parts of the plan.
3. What type of personnel certification program is in place?
4. Describe the event escalation protocols, including how executives/board members are notified.

Red Flag: No training has been provided to senior management related to incident response. Simulations/table top exercises are infrequent or of low fidelity.

1 For a legal interpretation of court opinions, see Thomas J. Smedinghoff, Addressing Director Responsibilities for Data Security, available from the author. https://www.lockelord.com/professionals/s/smedinghoff-thomas-j

2 For more information on incident response programs, see http://leocybersecurity.com/service/executive-risk-cyber-crisis-management/


C-Level Questionnaire

1. Would you describe your Security Program as reactive or proactive, and why?
2. When you have your next event/breach, are you most likely to find it yourself (i.e. by the organization’s IT/Security staff) or be informed about it by an external party like the FBI?
3. Who is your most senior dedicated security person? Who do they report to? How many levels down are they from the C-Suite?
4. How often are the C-Suite and Board briefed on security?
5. What is the Board’s and C-Suite’s risk tolerance with regard to security? Has that been communicated down to the organization/IT/security groups?
6. Is your 1/3/5 year Security Roadmap in line with the risk tolerance set by the Board and C-Suite? Are those goals adequately funded?
7. What is your budgeted security spend as a percentage of IT? Dedicated resource allocation? How do you match up with your competitors?
8. How do you evaluate the return on investment (ROI) of your IT Security spend? What metrics, key performance indicators, and dashboards do you receive from the IT and/or Security Team?
9. What is your security strategy for the Internet of Things (IoT)?
10. What are your critical business systems/data (i.e. those which, if lost or compromised, would end/disrupt the business/revenue)? What extra security controls are in place around those systems? What is the cost to the organization if those systems are down? How quickly can you restore them?
11. How would you know if you had a threat moving laterally through your network? Is your internal network considered trusted?
12. How do you know when your critical data is leaving your controlled environments?
13. How would you recognize an insider threat?
14. When was the last time you tested your Incident Response (IR) Plan? What were the results and lessons learned? Do you run tabletop exercises or employ Red Teams?
15. From a security perspective, how do you evaluate your vendors, suppliers, and other third parties with whom you may interact? What type of access do you allow them to have to your environment?
16. How do you verify your users when they log in to your systems? How do you filter for bad actors with compromised credentials? Where do you use multi-factor authentication?
17. How have you prepared for ransomware? Can you recover? Do you pay?
18. Who would you call if you have a breach? Do you have an IR retainer?
19. Who monitors your privileged users and super users? How many do you have?
20. How much data/IP/PII etc. do you have in the cloud? How do you control the movement of that data?
21. How do you review and approve Software as a Service (SaaS) platforms like Salesforce, Concur, Box, Amazon Web Services, etc.? What are your defined Security Requirements for those solutions?
22. If you have a European Union (EU) presence, what steps have you taken to be compliant with the General Data Protection Regulation (GDPR) by May 25, 2018?
23. When presented with a new threat/breach/hack/etc.:
   a. Has this threat impacted organizations of similar size, geography, line of business, and customer profile?
   b. Has this threat been weaponized/automated, and is it ‘in the wild’ right now?
   c. Do our existing mitigating controls (e.g. firewall, antivirus, architecture) acceptably decrease our organization’s susceptibility to this threat?


Sample Security Controls Matrix: Tactics for Negotiating Security Provisions

Disclaimer

This document is a case study of a hypothetical company. The matrix below represents a hypothetical company’s posture as it relates to a particular standard, in this case CIS 20. This type of matrix can be prepared for other standards, such as ISO 27002, NIST 800-53, etc. Bear in mind, however, that the matrix is specific to a particular company and, in some cases, to a particular venture. This document is not intended to be used as a generic reference; rather, it is an example of the type of deliverable that can assist transactional attorneys in negotiating security provisions.

Overview

The intent of this document is to present a case study based upon a fictitious organization, in this scenario a software as a service (SaaS) provider (“SaaSCorp”) targeting mid-size to large companies. As it is awarded contracts, SaaSCorp’s customers impose certain security provisions by way of a Master SaaS Agreement. One of the provisions stipulates that SaaSCorp represent and warrant that administrative, physical, and technical safeguards are in place that are no less rigorous than those set out in the CIS 20 standard.1

SaaSCorp’s attorney is concerned about whether SaaSCorp can make those representations, as she does not wish for her organization to be in breach immediately upon execution of the contract. For this reason, she engages a cyber security company to assess SaaSCorp’s cyber program against the CIS 20 standard (and other security provision requirements) for this type of industry/venture, for the purpose of building a matrix she can use in this and subsequent contract negotiations.

Negotiation Tactics

Oftentimes security standards are negotiated in an all-or-nothing fashion, but SaaSCorp’s attorney recognizes that she may be able to break up a standard control by control, for granular negotiations. Her negotiation tactics include the following strategies:

1. Determine which controls/items have already been completed so that she can accept them outright.
2. Identify those controls/items that could be completed with low to moderate difficulty and at reasonable cost.
3. Negotiate out controls/items that are not applicable to SaaSCorp’s security program requirements for this engagement.
4. Defer, for a period of time, certain controls/items that are considered difficult to implement or are costly.
5. Offer, as an alternative, a liability supercap in lieu of completing a control/item.
6. Put in place, as an alternative, additional insurance coverage in lieu of completing a control/item.
7. Shift back to the customer, for a price discount, responsibility for a control/item.

1 CIS 20 was selected in this exercise in part because of its division of security controls into 20 defined categories.

Security Controls Matrix - Case Study & Sample Controls Matrix

Disclaimer: This document represents a hypothetical case study involving a fictitious organization, for educational purposes, and does not refer to any specific or actual organization.

Columns of the original matrix: Requirement/Control; Status; Difficulty (Easy / Medium / Hard); CapEx ($ / $$ / $$$); OpEx ($ / $$ / $$$); Notes. The Difficulty, CapEx and OpEx ratings were recorded as X marks in a grid and do not survive in this transcript, so each entry below lists the control, its status, and the notes.

SANS CIS 20 Security Controls

1. Inventory of Authorized and Unauthorized Devices
Status: Complete
Notes: SaaSCorp has processes in place to perform and maintain current hardware inventories, and can demonstrate having met this requirement.

2. Inventory of Authorized and Unauthorized Software
Status: Complete
Notes: SaaSCorp has processes in place to perform and maintain current software inventories, and can demonstrate having met this requirement.

3. Secure Configurations for Hardware and Software
Status: Tactic 2: Can complete
Notes: The majority of the expenditure would be in OpEx, because securing systems can be completed with SaaSCorp’s existing information security team.

4. Continuous Vulnerability Assessment and Remediation
Status: Tactic 2: Can complete
Notes: SaaSCorp has already completed a vulnerability assessment. Upon execution of this agreement, SaaSCorp will contract with a third party to satisfy this control.

5. Controlled Use of Administrative Privileges
Status: Complete
Notes: SaaSCorp has processes and technology in place to provide this capability, and can demonstrate having met this requirement.

6. Maintenance, Monitoring, and Analysis of Audit Logs
Status: Tactic 2: Can complete
Notes: SaaSCorp will need to implement technology solutions to support this requirement, and will contract with a 3rd party for support and monitoring services to minimize operational costs.

7. Email and Web Browser Protections
Status: Tactic 2: Can complete
Notes: SaaSCorp has basic email security technologies in place; however, the existing program does not address web browsing defenses. Addressing this issue will be relatively easy, but will require the purchase and deployment of additional technology solutions.

8. Malware Defenses
Status: Complete
Notes: SaaSCorp has purchased and implemented current anti-malware technology, and can demonstrate having met this requirement.

9. Limitation and Control of Network Ports
Status: Complete
Notes: SaaSCorp has network configuration standards and processes in place to address this, and can demonstrate having met this requirement.

10. Data Recovery Capability
Status: Tactic 7: Shift to customer (Difficulty/CapEx/OpEx: Not Applicable)
Notes: Customer is a cloud service provider, so this control can be pushed to the customer in negotiation, perhaps with a price shift.

11. Secure Configurations for Network Devices
Status: Complete
Notes: SaaSCorp has developed a basic device security management process, and can demonstrate having met this requirement.

12. Boundary Defense
Status: Complete
Notes: SaaSCorp has boundary controls such as firewalls and intrusion detection systems in place, and can demonstrate having met this requirement.

13. Data Protection
Status: Tactic 5: Supercap
Notes: SaaSCorp does not currently have the ability to encrypt data, but relies on other controls and aspects of its cyber security program to protect customer data. Until such encryption can be rolled out, SaaSCorp may offer a supercap in the limitation of liability for this control. As an alternative, SaaSCorp can offer to attain additional cyber security insurance.

14. Controlled Access Based on the Need to Know
Status: Complete
Notes: SaaSCorp has defined policy requirements and processes to limit access based on role, and can demonstrate having met this requirement.

15. Wireless Access Control
Status: Tactic 3: N/A (Difficulty/CapEx/OpEx: Not Applicable)
Notes: SaaSCorp prevents wireless networking by policy and does not employ wireless networks.

16. Account Monitoring and Control
Status: Tactic 6: Insurance
Notes: SaaSCorp can monitor when users are logging in, but has limited insight into account usage details. Until technology solutions are put in place, SaaSCorp can offer to attain additional cyber security insurance and name Customer as a beneficiary.

17. Security Skills Assessment & Appropriate Training to Fill Gaps
Status: Tactic 2: Quick Win
Notes: SaaSCorp can meet this requirement with relative ease by leveraging 3rd party solutions to assess existing security skills and provide training courses.

18. Application Software Security
Status: Complete
Notes: SaaSCorp has a documented secure software development process in place, and can demonstrate having met this requirement.

19. Incident Response and Management
Status: Tactic 4: Defer for one year
Notes: While SaaSCorp has a generic incident response plan, the attorney is concerned that it is not actionable and may not withstand scrutiny. SaaSCorp will convey its plans to employ a recognized incident response program and will negotiate one year to comply.

20. Penetration Tests and Red Team Exercises
Status: Complete
Notes: SaaSCorp has performed a penetration test within the prior 12 months, and can demonstrate having met this requirement.


DOCUMENTS SUGGESTING CYBER SECURITY PROGRAMS
October 27, 2017
Seth Jaffe – seth.jaffe@leocybersecurity.com
https://www.linkedin.com/in/sethejaffe/

Each entry lists INSTITUTION - TITLE - DATE, followed by the excerpt.

American Bar Association - Formal Opinion 477 - May 11, 2017
“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Association of Corporate Counsel - Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information - 2017
“Outside Counsel shall have in place appropriate organizational and technical measures to protect Company Confidential Information or other information of a similar nature”

Board of Governors of the Federal Reserve System - Guidance Concerning the Reporting of Computer-Related Crimes by Financial Institutions - Nov. 6, 1997
“A financial institution should report on a SAR any activity that appears to be violative of 18 U.S.C. § 1030 (Fraud and related activity in connection with computers).”

California DOJ - California Data Breach Report - Feb 2016
“California’s information security statute requires businesses to use ‘reasonable security procedures and practices...to protect personal information from unauthorized access, destruction, use, modification, or disclosure.’”

Colorado - 3 Colo. Code Regs. §§ 704-1:51-4.8(A), 704-1:51-4.14(A) - May 15, 2017
“A broker-dealer must establish and maintain written procedures reasonably designed to ensure cybersecurity.”

Dept. of Treasury (FinCEN) - FinCEN Advisory - Oct. 25, 2016
“If a financial institution knows, suspects, or has reason to suspect that a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions, it should be considered part of an attempt to conduct a suspicious transaction or series of transactions.”

European Union - GDPR (General Data Protection Regulation) - Apr. 27, 2016
“controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”

European Union - NIS (Network and Information Systems) Directive - July 6, 2016
“Each Member State shall adopt a national strategy on the security of network and information systems”

Federal Reserve, FDIC, Office of the Comptroller of the Currency - Enhanced Cyber Risk Management Standards (Proposed Rule) - 2016
“Agencies are considering standards under the cyber risk governance category that would be similar to the governance standards generally expected for large, complex financial organizations.”

FDIC - Suspicious Activity Reporting (FIL-124-97) - Dec. 5, 1997
“A financial institution should report on a SAR any activity that appears to be violative of 18 U.S.C. § 1030 (Fraud and related activity in connection with computers).”

Gramm-Leach-Bliley Act - 15 U.S.C. § 6827(4)(a); 15 U.S.C. § 6801(b)(1)-(3) - July 21, 2010
“Establish appropriate standards…to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.”

IANS - Tackling NYSDFS Cybersecurity Regulations - July 20, 2017

Kentucky - Proposed KRS Chapter 61 - 10/26/17
“An agency or nonaffiliated third party that maintains or otherwise possesses personal information, regardless of the form in which the personal information is maintained, shall implement, maintain, and update security procedures and practices”

Massachusetts - 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth - Mar. 1, 2010
“Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program”

Nat’l Credit Union Administration (NCUA) - Guidance for Reporting Computer-Related Crimes (97-RA-12) - Dec. 5, 1997
“A financial institution should report on a SAR any activity that appears to be violative of 18 U.S.C. § 1030 (Fraud and related activity in connection with computers).”

NY Dept Financial Services - General Information Request - Mar 2015
“Management of cyber security issues, including the interaction between information security and core business functions, written information security policies and procedures, and the periodic reevaluation of such policies and procedures in light of changing risks;”

NY State - Cybersecurity Reqs for Financial Svcs Companies - Feb 2017
“Section 500.02 Cybersecurity Program. Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.”

Office of Inspector General - CFPB Evaluation Report 2017-SR-C-011 - May 15, 2017
Recommends physical and electronic access control, and operational procedures for handling sensitive information.

Office of the Comptroller of the Currency - OCC Bulletin (OCC 2000-14) - May 15, 2000
“Senior management and the board of directors are responsible for overseeing the development and implementation of their bank’s security strategy and plan”

Rhode Island - Rhode Island Identity Theft Protection Act of 2015 - July 2, 2016
“implement and maintain a risk-based information security program [that] contains reasonable security procedures and practices”

Vermont - Vermont Securities Regulations S-2016-01 (Rev.) - May 15, 2017
“A securities professional must establish and maintain written procedures reasonably designed to ensure cybersecurity.”

U.S. Congress - Internet of Things (IoT) Cybersecurity Improvement Act of 2017 - Aug. 1, 2017
“requires the contractor providing the Internet-connected device to provide written certification that the device…does not contain… any known security vulnerabilities or defects.”

U.S. Congress - Proposed Main Street Cybersecurity Act of 2017 / NIST Small Business Cybersecurity Act - 2017
NIST Director “shall disseminate clear and concise resources for small business concerns to help reduce their cybersecurity risks.”

U.S. DoD, NASA, GSA - 48 CFR 52.204-21 - May 16, 2016
Contractor shall apply, at a minimum, 15 information security controls.

U.S. Gov’t - Cybersecurity Enhancement Act of 2014, 15 U.S.C. 7451 - Dec. 11, 2014
NIST Director shall coordinate with private sector personnel to identify “information security measures and controls, that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks”

DOCUMENTS SUGGESTING INCIDENT RESPONSE PLANS
August 7, 2017
Seth Jaffe – seth.jaffe@leocybersecurity.com
https://www.linkedin.com/in/sethejaffe/

Each entry lists INSTITUTION - TITLE - DATE, followed by the excerpt.

California DOJ - California Data Breach Report - Feb 2016
“The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security. Control 19: Incident Response and Management”

Dept. of Justice - Best Practices for Victim Response and Reporting of Cyber Incidents - April 2015
“Organizations should have a plan in place for handling computer intrusions before an intrusion occurs.”

European Union - GDPR - April 27, 2016
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority”

Page 19: LEO CYBER SECURITY REFERENCE DESK 2017 · LEO1. Seth Jaffe - General Counsel and VP, Incident Response seth.jaffe@leocybersecurity.com David Tompkins - SVP of Client Services dt@leocybersecurity.com

DOCUMENTS SUGGESTING INCIDENT RESPONSE PLANS August 7, 2017

Seth Jaffe – [email protected]

https://www.linkedin.com/in/sethejaffe/

2

European Union NIS Directive July 6, 2016 “Each Member State shall

designate one or more Computer

Security Incident Response Teams”

EY Path to Cyber Resilience 2016-17 “Cyber resilience is a subset of

business resilience; it is focused on

how resilient an organization is to

cyber threats. [Step 3 is] “React,”

[which includes] need to be ready to

deal with the disruption, ready with

incident response capabilities and

ready to manage the crisis.”

FCC Consent Order – Cox Communications Nov 2015 Consent orders related to breaches

almost always require an Incident

Response Plan: “Within one

hundred and twenty (120) calendar

days after the Effective Date, Cox

shall review, revise and maintain its

Incident Response Plan to ensure

that it is reasonable,

comprehensive, and enables Cox to

detect, respond to, and provide

timely notification….”

| Federal Reserve, FDIC, Office of the Comptroller of the Currency | Enhanced Cyber Risk Management Standards (Proposed Rule) | 2016 | “The agencies are considering a requirement that covered entities establish and maintain effective incident response and cyber resilience governance, strategies, and capacities that enable the organizations to anticipate, withstand, contain, and rapidly recover from a disruption caused by a significant cyber event.” |

| FFIEC | Cyber Attacks Compromising Credentials | Mar 2015 | “The Federal Financial Institutions Examination Council (FFIEC)…is issuing this statement to notify financial institutions of the growing trend of cyber attacks…and to recommend risk mitigation techniques. Financial institutions should address this threat by reviewing their risk management practices and controls over information technology (IT) networks and authentication, authorization, fraud detection, and response management systems and processes.” |
| FFIEC | Destructive Malware | Mar 2015 | “In accordance with regulatory requirements and FFIEC guidance, financial institutions should consider taking the following steps. Review, update, and test incident response and business continuity plans.” |


| FFIEC | CAT CEO Board Overview | Jun 2015 | “The role of the chief executive officer (CEO), with management’s support, may include the responsibility to do the following: • Develop a plan to conduct the Assessment.” |
| FFIEC | CAT | Jun 2015 | “Domain 5: Cyber Incident Management and Resilience” includes an incident response team as the baseline. |
| FTC | FTC Business Alert on GLBA Safeguards Rule | May 2002 | “According to the Safeguards Rule, financial institutions must develop a written information security plan that describes their program to protect customer information. Experts suggest security management, including the prevention, detection and response to attacks, intrusions or other system failures.” |
| HHS | Quick Response Checklist | June 9, 2017 | In the event of a cyber-attack or similar emergency an entity must execute its response and mitigation procedures and contingency plans. |
| ICC – International Chamber of Commerce | Cyber Security Guide for Business | No date | “In order to minimize business impact of cyber security incidents, enterprises must develop organizational response plans in addition to technical response measures.” |

| NAIC | Insurance Data Security Model Law | Aug. 7, 2017 | “each Licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event that compromises the confidentiality, integrity or availability of Nonpublic Information” |
| NC State / Protiviti | Executive Perspectives on Top Risks for 2015 | 2015 | “Larger organizations may have invested in developing and testing crisis management plans and now all other organizations are realizing their need for similar investments despite their smaller size and more limited resources.” |
| NIST | Framework for Improving Critical Infrastructure Cybersecurity | Ver 1.0 – Feb 2014 | “PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans are in place and managed.” |
| NIST | Supply Chain Risk Management (Pub 800-161) | Apr 2015 | “Implement a robust incident management program to successfully identify, respond to, and mitigate security incidents. This program should be capable of identifying causes of security incidents, including those originating from the ICT supply chain.” |

| NIST | Guide for Cybersecurity Event Recovery | Dec 2016 | “While this document is primarily focused on recovering from a cybersecurity event, it is important to understand that a Cyber Incident Response Plan (CIRP) should be developed as part of a larger Business Continuity Plan (BCP).” |
| NY Dept Financial Services | General Information Request | Mar 2015 | “Describe the extent to which information security is incorporated into your institution's business continuity and disaster recovery plan, the way in which that plan is tested, how often the plan is tested, and the results of the most recent test;” |
| NY State | Cybersecurity Reqs for Financial Svcs Companies | Feb 2017 | “Section 500.16 Incident Response Plan. (a) As part of its cybersecurity program, each Covered Entity shall establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting the confidentiality, integrity or availability of the Covered Entity’s Information Systems or the continuing functionality of any aspect of the Covered Entity’s business or operations.” |

| Office of the President of the United States | Presidential Policy Directive – PPD-41 | July 2016 | “effective incident response efforts will help support an open, interoperable, secure, and reliable information and communications infrastructure that promotes trade and commerce, strengthens international security, fosters free expression, and reinforces the privacy and security of our citizens” |
| OMB | Memo on Preparing and Responding to a Breach | Jan 2017 | “This Memorandum sets forth the policy for Federal agencies to prepare for and respond to a breach of personally identifiable information (PII).” Section VII details the Breach Response Plan. |
| Palo Alto Networks – NYSE | Navigating the Digital Age | Oct 2015 | “Boards should require that management implement an enterprise-wide cybersecurity risk management plan.” |
| PCI-SSC | Requirements and Security Assessment Procedures | V3.1 – Apr 2015 | PCI DSS Requirement 12.10: “Implement an incident response plan. Be prepared to respond immediately to a system breach.” |

| Ponemon | Cost of a Data Breach Study | June 2016 | “Incident response plans, appointment of a CISO, employee training and awareness programs and a business continuity management strategy continue to result in cost savings.” |
| SANS Institute | Incident Response Capabilities in 2016 | June 2016 | “87% reported incidents in the past 12 months, and these incidents resulted in actual breaches 59% of the time.” |
| SEC: OCIE – Office of Compliance Inspections and Examinations | 2015 Cybersecurity Examination Initiative | September 2015 | “Incident Response: Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events.” |
| Verizon | PCI Compliance Report | 2015 | “Organizations often give incident response little attention until a crisis occurs and they are forced to try to regain control.” |
| World Energy Council | The Road to Resilience | 2016 | INSURANCE PROVIDERS FOCUS ON FIVE KEY QUESTIONS WHEN ASSESSING CYBER RISKS: Does the company have organizational and technical controls in place to detect, respond, and react to a cyber-attack in good time, including cross-functional incident response structures and processes? |


Cyber Security for Law Firms [1]

Law firms are particularly high-value cyber security targets because 1) they hold highly sensitive information in forms less voluminous than their clients, and 2) they are more likely to employ safeguards that are more easily defeated than those of their clients. In 2017, the American Bar Association issued Formal Opinion 477 discussing the cyber security obligations of attorneys.

Lawyer Duties

1. Duty of Competence: A lawyer should maintain a basic understanding of technology relevant in the field. The ABA Commission has commented that provision of competent legal services includes command of the benefits and risks associated with technology employed by the attorney or client in furtherance of the engagement.

2. Duty of Confidentiality: “A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.” [2] While this may not impose specific security measures, the ABA believes it to require a process of assessing risks, identifying and implementing appropriate security protocols, verifying they are effective, and maintaining updates in view of new developments.

3. Duty to Communicate: Upon reasonable belief that highly sensitive confidential client information may be transmitted, a lawyer has a duty to inform the client about the risks involved, and discuss with the client means for adequate protection of the information. This includes adhering to special security measures requested by the client.

Model Rules

Rule 1.1: To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

Rule 1.4: Reasonably consult with client about client’s objectives, which may include discussing security safeguards and expectations.

[1] The contents of this document are informational in nature and do not constitute legal advice.
[2] MODEL RULES OF PROF’L CONDUCT R. 1.6(c)


Rule 1.6: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Rule 5.1: Supervisory attorney will take reasonable measures to ensure that employee lawyers adhere to the rules of professional conduct, including that they maintain security safeguards.

Rule 5.3: Supervisory attorney will take reasonable measures to ensure that conduct of non-lawyer assistants is compatible with the professional obligations of the attorney. This includes establishing policies on technology and information security, training assistants, supervising to ensure requirements are met, and updating policies as needed.

Association of Corporate Counsel Model Security Provisions

1. Policies – Outside counsel shall have in place an overarching information security policy, with subsets encompassing organization of security, asset management, human resources security, physical security, communications and operations management, access control, infosec systems acquisition and maintenance, incident management, business continuity management, personnel training, and compliance.

2. Document Retention – Outside counsel shall retain client confidential information for only so long as specified by the client, or as long as necessary for the purpose, or as directed by law. With limited exceptions, at the conclusion of the engagement, outside counsel shall return, delete, or destroy said information. Outside counsel should certify destruction within a pre-coordinated amount of time.

3. Data Handling – Communications of client confidential information will be encrypted according to client’s specifications. Confidential information in possession of the law firm will be encrypted at rest, including information stored on portable devices and removable media.

4. Data Breach Reporting – Any actual or suspected breach involving client confidential information will be communicated to the client within 24 hours of discovery. Outside counsel will designate a point of contact with authority over the breach and access to outside counsel networks and the incident response team. Outside counsel will fully cooperate with client.

5. Physical Security – Outside counsel will maintain reasonable physical security measures including access control, ID badges, security guards, alarm system, enhanced access control for server rooms, secure backups, procedures and logs.

6. Logical Access Controls – Outside counsel shall install and maintain electronic controls designed to restrict access to confidential information on a least privilege and need-to-know basis. This includes a revocation process for invalid logins.


7. Monitoring – Outside counsel will continuously monitor networks, employees, contractors, and contingent workers for malicious activity.

8. Risk and Vulnerability Assessments – Periodically, outside counsel will perform penetration tests on all systems where confidential information resides. In addition, outside counsel will maintain application security software development controls.

9. System Security – Outside counsel will implement and maintain controls at least as rigorous as prescribed industry standards (such as NIST, ISO, CIS, etc.). Systems will include vulnerability detection and management applications, antivirus, infrastructure patching, network security controls such as firewalls, DMZ, intrusion detection and prevention.

10. Auditing – Outside counsel will allow client to inspect, examine, and review its processes, systems, policies, and facilities.

11. Industry Certification – Outside counsel will complete and maintain an ISO 27001 certification and will supply a SOC audit upon request.

12. Background Checks – Outside counsel will conduct background screening on all of its employees, contractors, and contingent workers.

13. Cyber Liability Insurance – Outside counsel will maintain in force a cyber insurance policy having a minimum credit rating of A- with a coverage level of at least $10 million.

14. Contractors and Vendors – Where outside counsel contracts any of its security obligations to a third party, it will impose upon the third-party obligations at least as rigorous as those set out in these security provisions.

Common Law Duties

Restatement (Third) of The Law Governing Lawyers §§ 16(3), 60 (2000): “the lawyer must take steps reasonable in the circumstances to protect confidential client information against impermissible use or disclosure by the lawyer’s associates or agents that may adversely affect a material interest of the client or otherwise than as instructed by the client.”

References

American Bar Association: Formal Opinion 477, available at https://www.americanbar.org/content/dam/aba/administrative/law_national_security/ABA%20Formal%20Opinion%20477.authcheckdam.pdf

Association of Corporate Counsel: Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information, available at http://www.acc.com/advocacy/upload/Model-Information-Protection-and-Security-Controls-for-Outside-Counsel-Jan2017.pdf


OKLAHOMA CITY • TULSA
Williams Center Tower II, Two W. Second Street, Suite 1100, Tulsa, OK 74103 • (918) 587-0000 • Fax (918) 599-9317 • www.mcafeetaft.com

Key Data Security Issues to Consider and Address in Client Engagement Letter

• Definitions: Have you identified what constitutes confidential, sensitive, protected data? Have you considered state and federal privacy laws and regulations that define and mandate protection of certain data? For example, 48 states define protected personal information under their security breach notification laws, and HIPAA defines electronic protected health information.

• Data security representations and warranties: Does either party have formal data security policies and procedures? Are the parties’ data security controls commensurate? Do the firm’s data security controls satisfy applicable state and federal privacy laws and regulations?

• Notification obligations: Have you considered notification (when, to whom, and timing) if confidential, sensitive, protected data has potentially or actually been viewed, accessed, or used by someone unauthorized to do so? Have you considered state and federal privacy laws and regulations that require notifying consumer and government agencies if certain protected data has been viewed, accessed, or used by someone without authorization to do so? For example, 48 states have security breach notification laws that require notification under certain circumstances.

• Audit right: Have you considered confirming compliance with required data security controls?

• Data location: Where is confidential, sensitive, protected data stored? Is data stored on mobile devices?

• Data storage: Have you considered encrypting confidential, sensitive, protected data? Have you considered that HIPAA requires encryption at rest or in transit when “reasonable and appropriate,” and the ABA believes “the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication” when “the lawyer has implemented basic and reasonably available methods of common electronic security measures?”

• Data access and usage: Who has access to the locations where confidential, sensitive, protected data is stored?

• Data retention: How long will confidential, sensitive, protected data be stored? Have you considered state and federal privacy laws and regulations that require specified retention periods? For example, the Gramm-Leach-Bliley Act specifies retention requirements for protected financial information/records held by financial institutions.

• Data destruction: How will confidential, sensitive, protected data be destroyed? Have you considered state and federal privacy laws and regulations that specify the method(s) of destruction? For example, the Payment Card Industry Data Security Standard identifies disposal techniques for protected, stored credit cardholder data.


1.101 IRT INITIALIZATION (COMPANY IRP – PROCEDURE BREAKOUT)

Version 1.2 · COMPANY CONFIDENTIAL – DRAFT – 01/01/17 · Verify that this is the correct version before use.

(Role prefixes in brackets, e.g. [GC], [IRT], [IS], [DIS], [EX], [GC/CS], mark the discipline responsible for a step; "Rule …" entries refer to the company's Incident Response Directives.)

[GC] STEP 1: ATTORNEY-CLIENT PROTOCOLS
    1.1: Review with IRT the reasons for att-cl privilege
    1.2: Review att-client protocols with IRT (Rule GC101)
    1.3: Advise disciplines to check with GC prior to discussing incident with a third party
    1.4: Advise disciplines not to engage any third party without IRT approval (Rule GC102)

[IRT] STEP 2: RECON INCIDENT
    [IS] 2.1: Overview of incident (what happened)
    2.2: Acquire information about data
        2.2.1: Affected systems
            2.2.1.1: What systems are (potentially) affected
            2.2.1.2: Potential impact, if any, on business
            2.2.1.3: Status of containment, including steps taken
            2.2.1.4: Preservation of systems
                2.2.1.4.1: Are images necessary
                2.2.1.4.2: Status of logging and SIEM
                2.2.1.4.3: Additional forensics employed or completed
        2.2.2: Potential accessed data
            2.2.1.1: What data have been potentially accessed (PHI, PII, contracts)
            2.2.1.2: Extent (number of affected persons)
        2.2.2: How was the data accessed
        2.2.3: Determine the associated technology owner
        [IRT] 2.2.4: Demographic information for affected persons
    [IS] 2.3: Initial Remediation
        2.3.1: Brief IRT on the timeline to remediate (Rule IS301)
        [GC] 2.3.2: Initialize preservation, if required – STEP 10

[IRT] STEP 3: POST RECON ACTIONS
    3.1: Reassess IRT members and add stakeholders to the briefing, if required
    [GC] 3.2: Engage third party assistance, if required – GC 3.102 Procedure
    [IRT] 3.3: Advise on communications with industry associations, if desired (Rule GC110)
    3.4: Queue directors of cross-divisional crisis management programs, if desired

[IRT] STEP 4: DISCIPLINE COORDINATION
    4.1: Inform disciplines to trigger internal notification bulletins, if desired
    [DIS] 4.2: Determine internal stakeholders
    4.3: Add stakeholders to [DIS] Notification Bulletin
    [GC] 4.4: Clear language with GC
    4.5: Initiate [DIS] Notification Bulletins. Decide on period and fidelity based on severity of incident

[IRT] STEP 5: EXECUTIVE COORDINATION
    5.1: Obtain executive briefing material from relevant disciplines
    5.2: Determine executive notification format and frequency (Rule IR110)


    [GC] 5.3: Clear language with GC
    [IRT] 5.4: Initiate Executive Notification Bulletins

[IRT] STEP 6: DIVISIONAL COORDINATION
    6.1: Assess impact to cross-divisional crisis management programs
        6.1.1: Crisis Management
        6.1.2: Business Continuity
        6.1.3: Disaster Recovery
    6.2: Prepare statement to cross-divisional team
    [GC] 6.3: Verify language with GC
    [IRT] 6.4: Initiate cross-divisional notification protocols (Rule IR130)

[IRT] STEP 7: LAW ENFORCEMENT NOTIFICATION ASSESSMENT
    NOTE: this step may be delayed depending on the nature of the incident, and whether Law Enforcement might delay the notification obligations.
    7.1: Review law enforcement guidelines (Rule GC103)
    7.2: Coordinate meeting with stakeholders: IR Director, GC, Corporate Security, PR
    7.3: Facilitate decision on engagement
        7.3.1: Which enforcement agency
        7.3.2: When to notify
        7.3.3: What level of fidelity
    7.4: Prepare recommendation for executive committee, if desired
    7.5: Consult with executive committee, if desired
    7.6: Obtain GO from IRT to notify law enforcement
    [GC/CS] 7.7: Notify law enforcement per Rule GC103 (Rule GC103)

[IRT] STEP 8: NOTIFICATION OBLIGATION ASSESSMENT
    [GC] 8.1: GC to assess breach notification laws in view of incident – GC 3.110 Procedure
    [IRT] 8.2: Brief notification stakeholders that assessment is in work
        8.2.1: Insurance
        8.2.2: Finance
    [GC] 8.3: GC to brief IRT re applicable laws
        8.1.1: State Laws – See GC Data File DF515GC
        8.1.2: DoD Laws – See National Industrial Security Program Operating Manual
        8.1.3: Financial Laws – See GC Data File DF516GC
        8.1.4: International Laws – See GC Data File DF517GC
        8.1.5: Industry Specific Laws – See GC Data File DF518GC
        8.1.6: Advisory Councils – See PCI Council guidelines (Rule GC121)
            8.1.6.1: Confer with Finance Department on PCI
        8.1.7: Contractual – Review contract database GC Data File DF510GC
    [IRT] 8.4: Poll team for breach declaration recommendation (Rule IR111)


[IRT] STEP 9: EXECUTIVE COORDINATION
    9.1: Prepare Executive Notification Bulletin on breach notification assessment
    9.2: Schedule meeting with executive steering committee
    9.3: Deliver breach notification recommendation
    [EX] 9.4: Obtain executive direction on breach notification (Rule IR111)
    [IRT] 9.5: Inform IRT

[GC] STEP 10: PRESERVATION
    [IRT] 10.1: Identify internal and external stakeholders with potential important information
    10.3: Notify stakeholders of preservation obligations (Rule GC115)
        10.3.1: Engage external e-discovery vendor, if desired – GC 3.102 Procedure
        10.3.2: Prepare litigation hold notice
        [IRT] 10.3.3: Identify management personnel to deliver hold notice
    [GC] 10.4: Initiate lock down protocols
        10.4.1: Engage e-discovery team to lock down stakeholders’ assets
        10.4.2: Verify assets are locked down
    [IRT] 10.5: Deliver litigation hold notices

[IRT] STEP 11: BREACH NOTIFICATION
    [IRT] 11.1: Obtain GO from IRT to declare notification obligation (Rule IR140)
    11.2: Assign Tiger Team (Rule IR141)
    [GC] 11.2: Run GC 3.111 Procedure
    11.3: GC to verify complete and inform IRD

[IRT] STEP 12: POST INCIDENT
    12.1: Inform IRT of its post-incident duties (Rule IR900)
    12.2: Remediation vendor
        12.2.1: Address the need for external remediation recommendations and/or forensic report
        12.2.2: Structure vendor engagement to preserve privilege – GC 3.102 Procedure
    12.3: GC to advise team on privilege for cross-functional post-incident activities
    [DIS] 12.4: Disciplines to run internal post-incident procedure – DIS X.900
    [IRT] 12.5: Hold IRT post-incident meeting
    12.6: Implement data retention plan
    12.7: Update policies, procedures, and rules, as appropriate
    12.8: Ensure incident is properly closed


COMPANY INCIDENT RESPONSE DIRECTIVES

Version 1.1 · COMPANY CONFIDENTIAL – DRAFT – 01/01/17 · VERIFY THAT THIS IS THE CORRECT VERSION BEFORE USE.

TEMPLATE ONLY. COMPANY SHOULD CONSULT OUTSIDE COUNSEL ON LEGAL MATTERS.

GC-101 ATTORNEY-CLIENT PRIVILEGE

WHEN COMMUNICATING ABOUT TOPICS RELATING TO AN INCIDENT INVESTIGATION, IRT MEMBERS SHOULD:

A. INCLUDE PARTICIPATING GC TEAM MEMBERS IN THE COMMUNICATIONS;

B. LIMIT THE CONTENT OF COMMUNICATIONS TO WHAT IS NEEDED. AVOID UNNECESSARY COMMENTARY, SPECULATION, AND OPINIONS;

C. LIMIT DISTRIBUTION OF COMMUNICATIONS ABOUT THE INVESTIGATIONS TO RELEVANT IRT MEMBERS, GC, AND, IF DIRECTED, OUTSIDE COUNSEL;

D. LIMIT COMMUNICATIONS TO THOSE WHO HAVE DIRECT KNOWLEDGE OF A SPECIFIC AREA RELATING TO THE INCIDENT AND THE INVESTIGATION AND WHOSE INPUT AND INFORMATION ARE NECESSARY TO THE INVESTIGATION;

E. ADVISE ANY EMPLOYEE, CONTRACTOR, AND CONSULTANT INTERVIEWED OR INVOLVED IN ANY PART OF THE INVESTIGATION THAT ALL DISCUSSIONS, ANALYSIS, NOTES, AND DOCUMENTS PRODUCED IN CONNECTION WITH THE INVESTIGATION ARE CONFIDENTIAL AND SHOULD NOT BE DISCLOSED TO ANY OTHER PERSON WITHOUT GC APPROVAL;

F. LABEL EMAILS, NOTES, DRAFT AND FINAL REPORTS, AND OTHER COMMUNICATIONS RELATED TO THE INVESTIGATIONS “COMPANY CONFIDENTIAL AND ATTORNEY-CLIENT PRIVILEGED COMMUNICATION—DO NOT FORWARD” [COMPANY MAY WANT TO APPEND TO INCLUDE INDICATOR OF INCIDENT, FOR E-DISCOVERY PURPOSES];

G. DISCUSS WITH THE IRT (SPECIFICALLY GC) REPORTS, ANALYSES, OR OTHER WORK PRODUCT THAT PURPORT TO DRAW CONCLUSIONS REGARDING THE INCIDENT BEFORE FINALIZING OR SUBMITTING SAID REPORT, ANALYSIS, OR WORK PRODUCT; AND

H. DO NOT MAKE VIDEO OR AUDIO RECORDINGS OF ANY INTERVIEWS. NOTES RELATING TO ANY INTERVIEWS SHOULD BE IN WRITING, SHOULD TAKE THE FORM OF SUMMARIES, AND SHOULD BE CLEARLY MARKED AS “CONFIDENTIAL-ATTORNEY/CLIENT PRIVILEGED.”

[REF 20170101-04]

COMPANY may want to assert that communications among IRT members and GC or Outside Counsel should be protected, by the attorney-client privilege, from disclosure in litigation and regulatory investigations.

Maintaining the ability to assert the privilege is important to ensure that the IRT members and GC communicate openly with one another without concern that their communications may be misused in litigation or in a regulatory investigation.

GC legal advice will be based in part on information IRT members report regarding their investigation. [REF 20170101-04]


GC-103 LAW ENFORCEMENT NOTIFICATION

(A) IN DETERMINING WHETHER TO NOTIFY LAW ENFORCEMENT, IRT SHALL ASSESS THE INCIDENT UNDER THE FOLLOWING FACTORS, TAKING INTO ACCOUNT COMPANY’S CURRENT RELATIONSHIP WITH THE AGENCY. GC AND CORPORATE SECURITY SHALL LEAD THE ASSESSMENT. [SOME COMPANIES MAY WANT TO MAKE THIS AN EXECUTIVE LEVEL DECISION].

[XXXXXX-XXXX REFERENCE STATES WHEN IT WAS LAST UPDATED]

In certain situations, partnering with one or more law enforcement agencies can be useful, but there can also be drawbacks. General Counsel should work with the agency relationship partner [Corporate Security] to determine which agency, if any, should be notified. The magnitude of the cyber attack carries great weight in the decision. In addition, IRT should consider the following factors:

Benefits:

a) Law enforcement may bring to bear prior experience with similar incidents in order to assist the investigation, containment, remediation, or mitigation efforts. For example, law enforcement may:
    a. disclose threat signatures and indicators of compromise.
    b. predict the schedule of an attack based on similar vectors against other entities.
    c. point out subsequent targets of the attack.

b) Law enforcement can draw upon government investigative tools, such as grand jury subpoenas, search warrants, wiretaps, etc.

c) Law enforcement has the ability to delay notification obligations for investigative purposes, but it rarely does so.

Drawbacks:

a) Law enforcement may have its own public relations interests.
    a. Law enforcement may make announcements before COMPANY is ready.
    b. Law enforcement announcements may not follow the COMPANY message.

b) Potential loss of control of the investigation, although law enforcement is unlikely to take control because they would lose corporate partnership in the future.

c) Business interruption
    a. Law enforcement may request to remove hardware for investigation purposes, though it will likely return the hardware. See Section D below.
    b. Law enforcement may wish to attach monitoring devices to COMPANY networks. See Section E below.

d) Notification delays may restrict return to normal operations.


(B) IRTSHALLDETERMINEWHICHAGENCYTONOTIFYUPONCONSULTATIONWITHOUTSIDE

COUNSEL.

TheFBIandSecretServicearebothchargedwithcybercrimeenforcement.TheFBIisdefinedastheprimaryagencyundertheComputerFraudandAbuseAct(CFAA)(18U.S.C.§1030)foroffensesinvolvingespionage,foreigncounterintelligence,criticalinfrastructure,orothernationalsecuritymatters.TheSecretServicehasjurisdictiontoinvestigatefinancialcrimessuchascreditcardfraud,computerfraud,telecomfraud,andothercrimesaffectingfederallyinsuredfinancialinstitutions.TheInternalRevenueService,throughitsCriminalInvestigationsUnit,investigatesincidentsinvolvingreportsofunauthorizedaccesstotaxinformation.TheInternetCrimeComplaintCenter(“IC3”)isapartnershipbetweentheFBIandtheNationalWhiteCollarCrimeCenterthatreceives,develops,andreferscriminalcomplaintsregardingcybercrime.IC3providesacentralreferralmechanismforcomplaintsinvolvinginternetrelatedcrimes.[XXXXXX-XXXXreferencestateswhenitwaslastupdated]

(C) NO LAW ENFORCEMENT COMMUNICATION WILL OCCUR WITHOUT OUTSIDE COUNSEL PARTICIPATION

Care should be taken not to disrupt the attorney-client privilege and work-product protection. Whenever possible, oral communication is preferred. Dissemination of forensic reports, even factual reports, should only be considered after consultation with legal counsel due to the potential of the report being made public, even accidentally. [XXXXXX-XXXX reference states when it was last updated]

(D) NO COMPANY HARDWARE WILL BE TAKEN INTO CUSTODY BY LAW ENFORCEMENT UNTIL INFOSEC IS CONSULTED AND AN IMAGE OF THE DEVICE IS MADE

Loss of access to a COMPANY device may impede internal forensic investigation. Therefore, an image of any device should be made prior to loss of access. Consult legal counsel before arranging transfer of any such hardware, monitoring devices or activity. [XXXXXX-XXXX reference states when it was last updated]

(E) PRIOR TO ALLOWING LAW ENFORCEMENT TO MONITOR COMPANY SYSTEMS, ENSURE COMPANY WILL MAINTAIN ACCESS TO THE INFORMATION BEING MONITORED

Law enforcement may request that it be allowed to track activity for the purpose of identifying the threat actor or building a criminal case. COMPANY desires that any such law enforcement access disrupt COMPANY operations as little as possible. [XXXXXX-XXXX reference states when it was last updated]

(F) LAW ENFORCEMENT MAY DELAY NOTIFICATION REQUIREMENTS. IRT WILL DOCUMENT ANY SUCH DIRECTIVE, IDENTIFY THE PUBLIC RELEASE DATE, AND WILL CONTINUE PREPARATION OF NECESSARY NOTIFICATION DOCUMENTS FOR RELEASE AT THE EARLIEST OPPORTUNITY

Law enforcement has authority to delay federal and state notification laws while it conducts or completes a live investigation. IRT should inquire whether law enforcement wishes to invoke that authority. If so, IRT will do the following:

1. Document the request by law enforcement;
2. Determine the date law enforcement will allow COMPANY to make the notification public;
3. Prepare notification documents to be sent as soon as possible after the release.

[XXXXXX-XXXX reference states when it was last updated] [NOTE: This is a template only. COMPANY should work with its designated outside counsel on matters of legal advice.]


A Guide to Safe Public Wi-Fi

Introduction…

With all the recent hubbub over public Wi-Fi, and Wi-Fi security in general, it can be difficult to see a clear path for effectively protecting personal and company information in a mobile world. A bit of guidance and perspective can often be just enough to get our feet on the right path and make informed decisions to manage risk.

Who This Is Written For (And Why)…

Search around a bit on the web for guidance on secure use of public Wi-Fi, and you will find that nearly everything available at the time of this publication falls into one of a few categories:

1. Deep technical content related to securing and/or testing Wi-Fi networks.
2. Generic and/or generalized technical guidance for adding security to home Wi-Fi networks, with many being unfocused and unactionable (and in some cases, completely outdated and ineffective).
3. Lots of scary content talking about, detailing, and even demonstrating bad stuff which can happen.

What isn’t readily available is clear guidance for the non-technical business user, or stakeholder, that can be used to take a smart approach to protecting yourself and your company’s security while on the go. This primer is aimed at providing actionable guidance for navigating the risks associated with public Wi-Fi networks.

Understand the Risks…

Not everybody has the same risk perspectives, and there are a few key items we should consider when determining our risk profile. For example:

1. What types of websites and apps do you plan on using? Company/email, banking, personal? How sensitive is the information you usually access?

2. From where do you typically connect? Home or office? Airports, cafés, and everything in between?

3. Do you have security features enabled and current on your device?

Decide how bad it would be if a hacker was able to eavesdrop on whatever you’re doing on that connection, or worse, infect your system with malware, and you’ll begin to form an understanding of how careful you must be.

How Paranoid Should We Be?

2017 has been a big year in security, particularly in the world of wireless networking, and the threat is different today than yesterday. The big thing to be aware of here is that the main Wi-Fi security protocol (WPA, “Wi-Fi Protected Access”) is broken (read: cracked), and for at least the foreseeable future, it will be difficult or even impossible to trust that any public or un-managed Wi-Fi services are safe from malicious eavesdroppers. We need to be aware that not all websites protect everything being sent and received, with many only protecting part of the conversation and possibly exposing other information. A final point here is that various technical issues exist to trip up not only the unwary, but even sophisticated technology users. Browser sessions can be hijacked, data and accounts can be stolen, and while you can read up on attacks with cool sounding names, the simple fact is most of that information is of little practical value to most users.


How Can We Protect Ourselves?

So, now that we are ready to either smash our mobile devices or just swear off using Wi-Fi forever, the good news is there’s a smart approach to managing this, and we can break it down into five key pillars:

1) Grow Situational Awareness

The most important pillar in our approach is awareness. By getting into the habit of thinking about the possible sensitivity of the websites and information you are accessing, as well as where you may be at the time, most people will develop a gut feel for when additional caution or consideration may be warranted.

2) Protect Your Endpoint Device

Protecting your endpoint is something everyone can do, and goes a long way towards protecting mobile devices from common threats, malware, etc. This means:

✓ Make sure your mobile device has all the latest security updates installed.
✓ Make sure that a current anti-malware program is installed, running, and up to date.
✓ Turn off Wi-Fi, NFC, and other communication services when not in use.

3) Make Informed Risk Decisions

In order to make informed risk decisions, we need to have a little understanding of what threats are out there. For example, we know that:

✓ Numerous technical vulnerabilities and attack vectors exist for Wi-Fi networks & web traffic.
✓ Wi-Fi security protocols have been broken and no unmanaged networks can be trusted to have patched the vulnerability. What this means is that if unpatched, an attacker may be able to, at a minimum, intercept and eavesdrop on all involved Wi-Fi connections.

With these considerations in mind, we can be better prepared to decide what may or may not be appropriate uses of public Wi-Fi. For example, rather than interact with sensitive websites or apps (e.g. email, banking, etc.) over untrusted public Wi-Fi, we may wish to consider alternatives such as:

✓ Cellular Data Network or Personal Access Point
✓ Virtual Private Network
✓ Defer until a trusted network connection is available.

4) Use a Personal Access Point

For business or security-conscious users working remotely, safer Wi-Fi access can be achieved using personal access points. This option provides a simple alternative to the public Wi-Fi dilemma, and only requires making sure that the personal access point (or home wireless router) is properly configured, and has been updated to fix the Wi-Fi encryption vulnerabilities.

5) VPN (Virtual Private Network) Solutions

Finally, for organizations with large numbers of users, or individuals who want a more flexible or economic solution, VPN technologies offer many advanced capabilities and are often a preferred choice, as they protect all traffic within another layer of strong encryption, under the assumption that everything will be transmitted over untrusted networks. Basic VPN services are available in a Software as a Service model; organizations can also choose to leverage robust solutions such as Palo Alto’s “Always On” VPN functionality, which was designed to protect all endpoint communications even when connecting to hostile networks.


Risk Level Evaluation

Columns: Level | Label | Risk character | Typical level of response

Level 1 (Strategic)
  Risk character: The issues experienced or anticipated have the potential to halt all critical operations and processes for an extended period of time.
  Typical level of response: Board level involvement. Coordination with appropriate government agencies. Implementation of DRBC Plan.

Level 2 (Severe)
  Risk character: There is likely to be an observable degradation of key services or operations with the potential to affect share value or reputation.
  Typical level of response: Board level involvement. Possible coordination with Police/other. Review of DRBC Plan. Execution of Media and Social Media plans.

Level 3 (Elevated)
  Risk character: There is likely to be a measurable impact on internal operations and processes, but the risk to share value or reputation is considered low.
  Typical level of response: CXO involvement. Re-read and discussion of DRBC Plan. Coordination with PR team. Police involvement only if appropriate. No media contact made.

Level 4 (Operational)
  Risk character: There is unlikely to be any measurable impact on internal operations or processes and no impact on share value or reputation is anticipated.
  Typical level of response: Appropriate C-level involvement or reporting. Departmental level operational responses and containment. Normal business processes continue.

General Timeline of Infosec Incident Response

Identify an Event

• Proactively found or 3rd party provided
• Security team determines how pervasive event is by proactively hunting for infections
• Analyze what the attack is doing
• Classify the event per risk level & notify organization as appropriate

Containment

• Create out of band channels of communication
• Isolate infected environments from rest of enterprise
• Collect data as necessary
• Take forensic images

Eradicate

• Mitigate the threat: either surgically remove, reimage the endpoint, or rebuild environment as necessary
• Validate the threat is removed and not pervasive or returned

Recover & Lessons Learned

• Resume active threat hunting
• Determine origin of attack and vulnerability
• Fix vulnerabilities


How Did We Get Event?

- Security Team Threat hunter could find the infection proactively
- Company owned tool could provide an alert to Security Analyst
- Informed by outside party (i.e. FBI, Vendor, Partner, etc.) usually to C-level, legal, or CISO

Who would handle?

- Threat hunter turns over findings to Security Operations Team
- Security Analyst turns over findings to Threat hunters and Security Operations Team
- Notified party turns over to CISO or Security Operations team for investigation

What to do with the event?

- Security Operations will analyze the event’s threat level based on threat hunters and their findings
- Based on evaluation Security Operations will classify the event and notify the CISO as necessary
- CISO will notify necessary parties including legal and IR team. Forensic experts will use their tools to capture a snapshot of the environment for investigation and legal.

How do we Isolate and Remediate

- Security Operations team will notify the appropriate team (i.e. infrastructure, applications, database, network etc.) to isolate the affected environments
- The Security Operations team will then work with the other teams to remediate the environment by doing one of the following: Surgically remove the threat, re-image the environment, or rebuild the environment.
- CISO and Security Operations will determine root cause and mitigate vulnerabilities associated with the event.


List of Security Standards/Frameworks

ISO/IEC 27001/2

International Organization for Standardization 2700X standard gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment(s). ISO charges for access to this standard. https://www.iso.org/standard/54533.html

NIST 800-53/CSF

The National Institute of Standards and Technology’s (NIST) Special Publication 800-53 provides controls for federal information systems, but it can be employed by commercial entities. NIST also offers the Cybersecurity Framework (CSF), which incorporates SP 800-53 and the Federal Information Processing Standard. There is no charge for access to the standard. https://nvd.nist.gov/800-53

CIS 20

The Center for Internet Security maintains a standard of 20 controls, originally developed by SANS. There is no charge for access to this standard. https://www.cisecurity.org/controls/

ISACA COBIT 5

The Information Systems Audit and Control Association offers the COBIT framework for information security. Represented to align with ISO 27000 series, Information Security Forum standard, and BMIS. There is a charge for access to the standard. http://www.isaca.org/COBIT/pages/default.aspx

ISF

The Information Security Forum’s Standard of Good Practice provides controls and guidance on current and emerging security topics. The Standard and its corresponding ISF Benchmark align with ISO 27002, COBIT 5, CIS 20, NIST, and PCI-DSS. https://www.securityforum.org/tool/the-isf-standardrmation-security/

DISA

The Defense Information Security Agency provides security standards including Control Correlation Identifiers (CCIs), Security Requirements Guides (SRGs), Security Technical Implementation Guides (STIGs), and mobile code. http://www.disa.mil/~/media/Files/DISA/News/Conference/2016/AFCEA-Symposium/3-McKinney_Security%20Standards.pdf

ITIL

Maintained by Axelos, the Information Technology Infrastructure Library is directed to IT Service Management. Aligned with the ISO 20000 series, it is published as a series of five core volumes, each covering a different ITSM lifecycle stage. There is a charge for access to this standard. https://www.axelos.com/best-practice-solutions/itil/what-is-itil

PCI-DSS

A joint venture by the major credit card companies, the Payment Card Industry security council’s Data Security Standard is a set of policies and procedures intended to improve the security of card transactions. Compliance is mandated by the credit card companies. In addition, some state laws either refer to it, or mirror certain aspects of the standard. https://www.pcisecuritystandards.org/pci_security/

OWASP

The Open Web Application Security Project offers a number of resources to improve the security of web applications, including the popular OWASP Top 10. There is no charge for access to the OWASP Top 10. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

BSIMM

The Building Security in Maturity Model is directed to software security, and offers a framework used to organize a number of activities to help manage and measure enterprise security initiatives. There is no charge for access to the framework. https://www.bsimm.com/framework.html

CSA 4.0

The Cloud Security Alliance offers the Security Guidance for Critical Areas of Focus in Cloud Computing v4.0 for the purpose of improving security and mitigating risk in the adoption of cloud computing technologies. https://cloudsecurityalliance.org/guidance/#_overview

ILTA

The International Legal Technology Association’s LegalSEC provides the legal community with guidelines for risk-based information security programs. Certain tools are available to the public at no charge. https://www.iltanet.org/resources/legalsec


BRINGING YOUR INFORMATION SECURITY PROGRAM IN LINE WITH YOUR CONTRACTUAL PROMISES, OR VICE VERSA

LEO CYBER SECURITY LAW CONFERENCE 2017

{1755664;}© 2017 Gable & Gotwals, A Professional Corporation. This information constitutes legal education and not legal advice. An attorney-client relationship is not created by this information. You should consult an attorney before taking any action that has legal consequences.

Sample Template for Security Provisions

Will Holland, Torchmark Corporation

Tom Vincent, GableGotwals

Columns: Concept | Issues/Considerations | Sample Provision(s)

NOTE: Bolded terms relate to the questions provided – these may be removed and/or revised with appropriate mitigating controls/arrangements.

Confidentiality

Issues/Considerations: Make sure definition of “Confidential Information” is complete and appropriate.
  • What sort of information will be shared?
  • How sensitive is the agreement itself?
  • Should certain information always remain confidential (and not e.g. be subject to an exclusion)?

Sample Provision: “Confidential Information” shall mean information in any form that a party owns or possesses, uses or that is potentially useful, that the respective party treats as proprietary, private, or confidential, and that is not generally known to or shared by the respective party with the public, or which either creates with respect to the [Transaction]. Each party’s Confidential Information includes, but is not limited to, all information relating to the party’s existing and contemplated business affairs, operating systems, facility components and technology, client, employee and vendor information (including without limitation any protected health information or personally-identifiable information), business operation and development strategies, relationships with third parties, communications, discussions and negotiations by each party concerning the [Transaction] (including any draft or final versions of any agreement contemplated by the [Transaction], whether or not finalized and/or executed), and financial information of any nature.

Issues/Considerations: Make sure ownership is retained and doesn’t pass to a third party.
  • What information may result from the third-party relationship?

Sample Provision: [Third party] acknowledges and agrees that [Third party] neither has nor acquires because of this [Agreement] any ownership, right or interest in or with respect to [Customer]’s Confidential Information, including any information derived from [Customer]’s Confidential Information. NOTE: If any license is necessary for the Third party to provide services, include e.g. “other than as expressly provided in Section []”. Unless the parties otherwise agree in writing, all Confidential Information, along with all other documents, memoranda, notes and all other writings whatsoever prepared by either party based on or arising out of the Confidential Information, shall be (i) returned to the party upon whose Confidential Information the document was developed (without retaining any copies thereof) within [] days from receipt of a written demand therefor by the originating party; or (ii) destroyed, with certification of its destruction to the other party within the same time period.


Breach Response

Issues/Considerations: Make sure you are notified in the event of a breach of confidential information.
  • How is breach defined?
  • What is the timeline for notification from the third party?
    ◦ When making this determination, consider the timeline for notification to affected individuals and other parties.

Sample Provision: [Third party] must (i) notify [Customer] within [] days of the detection of any unauthorized access to [Customer]’s Confidential Information, (ii) consult and cooperate with [Customer] regarding any investigations and the results of same (including any notices necessary in [Customer]’s sole discretion), and (iii) provide any information reasonably requested by [Customer].

Issues/Considerations: Make sure that you can control the message.
  • What are the responsibilities of the third party regarding cooperation with you in the event of a breach?

Sample Provision: [Third party] agrees that [Customer] has sole control over the timing, content and method of any required or voluntary notification to [Customer]’s clients, vendors, and any other third parties who may be impacted by the unauthorized access and/or who, in [Customer]’s sole discretion, should receive notification.

Liability

Issues/Considerations: Make sure that liability in the event of a breach is (i) appropriate based on the type and amount of information you’re providing and (ii) carved out from limitation of liability.

Sample Provision: Notwithstanding the limitation of liability in Section [], [Third party] shall indemnify [Customer] from any damages and costs resulting from [Third party]’s breach of its confidentiality obligations, including without limitation (x) identity protection assistance and similar services, (y) reasonable attorneys’ and technical consultant fees and (z) costs for any notifications provided, whether made directly to affected individuals or otherwise (e.g. via the media).

Other considerations

If customer information is involved, how do you make sure that the way you’re sharing information is consistent with what your policies say?

[Third party] has been provided with a copy of [Customer]’s [Privacy Policy] and will comply with the limitations on sharing [Customer]’s Confidential Information contained therein.

Are there any other agreements that need to be referenced (e.g. a business associate agreement)?

The parties have separately entered into a Business Associate Agreement (“BAA”) providing for their respective rights and obligations arising under [HIPAA].
