Peter Brudenall & Caroline Evans - Simmons & Simmons. Marsh Technology Conference 2005, Zurich, Switzerland. Managing the Security Landscape – Legal and Risk Management Aspects of the Business. May 26 & 27


Page 1

Peter Brudenall & Caroline Evans - Simmons & Simmons

Marsh Technology Conference 2005, Zurich, Switzerland.

Managing the Security Landscape – Legal and Risk Management Aspects of the Business

May 26 & 27

Page 2

The Truth about Network Security

“The only way to make a computer completely secure is to turn it off, disconnect it from the network, put it in a safe and throw away the combination!”

Anonymous

Page 3

Legal and Risk Management Issues

Why is IT Security critical from a Legal Perspective?

Why is IT Security critical from a Risk Management perspective?

Page 4

Why is IT Security so Important?

Prevent losses and damage to the business and customers

– Time to react is getting shorter

– Costs are increasing

A regulatory compliance issue

Critical for business trust

Page 5

What are the key security risks?

Viruses and worms

Identity theft

Targeted attacks

Spam

Supply chain and partners added to the network

Mobile Workers

Page 6

Legal Drivers for IT Security

Legislation

– Data Protection Act

– US Trends

Corporate Governance

– Basel II

– FSA

– SOX

Negligence

– Concept of “reasonable care”

– Compliance with standards

Contract

Page 7

Building Security into Contracts

Importance of not losing control

Major Contracts Issues

– confidential information

– audit rights

– service levels

– liability issues

– tackling the unexpected

Importance of managing the operational risk

Page 8

Summary

Be proactive about security

Ensure contract is flexible

Keep suppliers to a high standard and “security conscious”.

Customer to have control over the relationship

Page 9

Marsh Technology Conference 2005, Zurich, Switzerland.

Risk Management

Page 10

Risk Management and Best Practices: Networking Issues

Formal security program

Encryption/Firewalls

Monitor security threats

Vulnerability scanning

Investigate all security threats

Formal disaster recovery plan (DRP)

Crisis management plan

Access authorization procedures

Background checks

Employee training

Page 11

Security and Your Customers

Do your products or services include security components?

Do you generate revenue from providing mission-critical products or services to others that involve handling, processing, transferring, storing or securing non-public personal information used in the banking, financial services, medical or retail industries?

Page 12

Risk Management and Best Practices

Quality and support of products and services

Contracts and agreements

Operational controls

Network reliability, redundancy and availability

Page 13

Risk Management and Best Practices: Quality and Support

Alpha and Beta testing

Formal customer acceptance procedures

Vendor certification process

Outsourced services

Page 14

Risk Management and Best Practices: Contracts and Agreements

Standard contracts

Limitation of liability to avoid consequential loss

Disclaimers

Page 15

Risk Management and Best Practices: Operational Controls

Contractual agreements with subcontractors and vendors

Obtain proof of insurance

Page 16

Risk Management and Best Practices: Network Reliability, Redundancy and Availability

Data backup

Mirror sites

Security updates (patches) on a timely basis

Page 17

Examples of scenarios leading to claims

Healthcare facility buys and installs a patient information management package

Retailer uses software package for accepting and validating credit card information

Page 18

Thank You