Peter Brudenall & Caroline Evans – Simmons & Simmons
Marsh Technology Conference 2005, Zurich, Switzerland
Managing the Security Landscape – Legal and Risk Management Aspects of the Business
May 26 & 27
The Truth about Network Security
“The only way to make a computer completely secure is to turn it off, disconnect it from the network, put it in a safe and throw away the combination!”
Anonymous
Legal and Risk Management Issues
Why is IT Security critical from a Legal Perspective?
Why is IT Security critical from a Risk Management perspective?
Why is IT Security so Important?
Prevent losses and damage to the business and customers
– Time to react is getting shorter
– Costs are increasing
A regulatory compliance issue
Critical for business trust
What are the key security risks?
Viruses and worms
Identity theft
Targeted attacks
Spam
Supply chain and partners added to the network
Mobile Workers
Legal Drivers for IT Security
Legislation
– Data Protection Act
– US Trends
Corporate Governance
– Basel II
– FSA
– SOX
Negligence
– Concept of “reasonable care”
– Compliance with standards
Contract
Building Security into Contracts
Importance of not losing control
Major Contracts Issues
– confidential information
– audit rights
– service levels
– liability issues
– tackling the unexpected
Importance of managing the operational risk
Summary
Be proactive about security
Ensure contract is flexible
Keep suppliers to a high standard and “security conscious”.
Customer to have control over the relationship
Risk Management
Risk Management and Best Practices: Networking Issues
Formal security program
Encryption/Firewalls
Monitor security threats
Vulnerability scanning
Investigate all security threats
Formal DRP
Crisis management plan
Access authorization procedures
Background checks
Employee training
Security and Your Customers
Do your products or services include security components?
Do you generate revenue from providing to others mission-critical products or services that involve the handling, processing, transferring, storing or securing of non-public personal information used in the banking, financial services, medical or retail industries?
Risk Management and Best Practices
Quality and support of products and services
Contracts and agreements
Operational controls
Network reliability, redundancy and availability
Risk Management and Best Practices: Quality and Support
Alpha and Beta testing
Formal customer acceptance procedures
Vendor certification process
Outsourced services
Risk Management and Best Practices: Contracts and Agreements
Standard contracts
Limitation of liability to avoid consequential loss
Disclaimers
Risk Management and Best Practices: Operational Controls
Contractual agreements with subcontractors and vendors
Obtain proof of insurance
Risk Management and Best Practices: Network Reliability, Redundancy and Availability
Data backup
Mirror sites
Security updates (patches) on a timely basis
Examples of scenarios leading to claims
Healthcare facility buys and installs a patient information management package
Retailer uses software package for accepting and validating credit card information
Thank You