
Risk Management for Law Firm Executive Management.


1 Risk Management for Law Firm Executive Management

2 Introductions

- Dave Cunningham, Chief Information Officer, Winston & Strawn LLP
- Jeffrey Lolley, Head of Global Information Security, Hogan Lovells
- Lindsay Philiben, Counsel, Attorneys' Liability Assurance Society (ALAS)
- Dan Sheeran, Chief Financial Officer, Duane Morris LLP

3 Risks

- Confidentiality
  - Information security
  - Sovereign (state-sponsored) hacking
  - Closed vs. open document management environment
  - Intrusion detection/prevention
  - Data on mobile devices, including laptops
- Integrity / compliance
  - Regulatory compliance
  - Electronic client files (beyond records management)
  - Internal, global e-discovery
  - Copyright compliance
  - Jurisdictional considerations
- Availability
  - IT continuity
  - High-availability applications

4 Pressures

- Right to audit
- Client RFPs, Outside Counsel Guidelines, and audits
- Compliance requirements
- Business associate / vendor compliance
- Example of Canadian firms targeted and breached
- BYOD considerations
- Insurance needs analysis

5 We All Know About the Headlines...

January 30, 2013: "Hackers in China Attacked The Times for Last 4 Months" (Nicole Perlroth). San Francisco: For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees. After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and security experts have expelled the attackers and kept them from breaking back in.

February 1, 2013: "Twitter Hacked: Data for 250,000 Users May Be Stolen" (Nicole Perlroth). Twitter announced late Friday that it had been breached and that data for 250,000 Twitter users was vulnerable. The company said in a blog post that it detected unusual access patterns earlier this week and found that user information (usernames, e-mail addresses and encrypted passwords) for 250,000 users may have been accessed in what it described as a "sophisticated attack."

February 1, 2013: "A Cybersecurity Blanket: New Executive Order Means a Broad Review for Lawyers, Clients" (Todd Ruger). The federal government's new push to bolster cybersecurity will create an array of legal questions and potential pitfalls for companies in the coming months.

6 Many Specific to Legal

7 And They Have Led To

- Client-mandated security requirements integrated into Outside Counsel Guidelines (OCGs)
- ABA Model Rule 1.6(c)
- HIPAA and various state regulations
- EU Data Protection Directive
- Presidential Executive Order on Cybersecurity

8 Risk Program

9 Governance at Hogan Lovells

Information Security Governance Committee

The primary function of the Information Security Governance Committee is to make decisions related to protecting stakeholder information and securing the enterprise that enables the delivery of services to those stakeholders. The committee also provides strategic direction and oversight over the information security function at Hogan Lovells. The committee's role is to:

1. Understand the strategic implications and outcomes of initiatives being pursued in the protection of information and assets
2. Appreciate the significance of information security for all major stakeholders and represent their interests
3. Be an advocate for broad support of information security initiatives and projects

10 What Is Risk Management?

- You need a process, whatever it is
- Decisions need to follow that process
- It's about making informed decisions

11 Risk Management Process (ISO 27002 / ISO 27005)

The firm must have a consistent and repeatable process for assessing security risk and making decisions about it in order to:
- Ensure compliance with all applicable laws
- Protect information and assets
- Protect the brand

Inputs to the process: new projects, assessments, regulatory constraints.

Step 1: Identify risks.
Step 2: Analyze and quantify. Someone must analyze and quantify each risk; input should be gathered from all impacted stakeholders and presented as part of the decision process.
Step 3: Determine action. Actions with limited fiscal or business-process impact are decided outside of governance; all impacting decisions include governance.
Step 4: Track and report. All open and accepted risks are tracked and reported regularly.

Risks are re-analyzed and re-quantified yearly.

12 How You Make the Decision

1. Risk was identified and rated
2. Controls were applied
3. Risk was re-evaluated
4. Decision was made

13 Policy Structure

The goal of the structure of Information Security Policies for Hogan Lovells is to provide a hierarchical set of policy documents that allow for both overarching policies that cover the entire firm and policies unique to operating locations.

- Policy Statement: defines the firm's commitment to Information Security and its management processes
- Global Security Operating Standards: policies covering the entire firm
- Local Security Operating Standards: policies covering a local country or office
- Configuration Guidelines: technical guidelines for configuring products to meet the policies

14 Identifying and Managing Policies

The policy lifecycle:

1. Need identified: a need must exist before any policy is created.
2. Develop/refine policy: policy development must incorporate all stakeholders and have buy-in at the highest levels of the company.
3. Publish policy: policies must be published in a consistent manner and be readily available to stakeholders.
4. Educate: impacted parties must be educated on both the existence of, and the need for, a new policy.
5. Review and evaluate: policies must be evaluated yearly to ensure a continued need and to determine whether the defined controls are adequate; refine them if necessary.

15 Example Policy Issues

- Texting as a client record
- Security of personal devices
- Unique passwords
- Retention / destruction of paper and electronic records

16 Certifications / Best Practices / Regulations

- ISO 27000 series
- HIPAA
- EU Data Protection Directive (DPD)

It's a process, not a one-time activity! Use assessments to drive your program!

17 Audience Exercise

As a table group, discuss the question "What to do when a PC is lost?" Talk about developing roles, processes, communications, and timing to react appropriately. (10 minutes.) A few tables will be asked to share their comments.

18 Q & A

