ec-council
THE CISO LEGAL PARTNERSHIP
What CISOs can do Better
DISCLAIMER
The views and opinions expressed during this presentation represent my personal and professional experiences and do not necessarily reflect the opinion or position of my current or previous employers, and/or educational institutions.
SPEAKER: ALEJANDRO VILLEGAS
Ethical Hacker with a Business and Legal Education
• Seasoned Cyber Security Engineer with over a decade of experience working for various leading tech companies.
• Law school graduate.
• Education: JD, MBA, MS, BBA
• Certifications: CEH, CISSP, CISA, CHFI, ECSA, LPT, MCITP, ISO 27K Lead Auditor.
QUESTION
Raise your hand if you are 100% assured that your company will never experience a security breach.
OPERATIONAL TRIFECTA
Engineering
Business
Legal
WHY A LEGAL PARTNERSHIP?
Cyber Security has become a predominant challenge for organizations responsible for protecting and safeguarding customer data, such as Cloud Service Providers (CSPs).
Attorneys serve a critical function in ensuring that companies conduct due diligence and adhere to the cyber security requirements mandated by local, national, international and industry information security frameworks.
RELEVANT COURT CASES
SONY: Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F.Supp.2d 942, 962 (S.D.Cal.2014)
TARGET: Target Corp. Customer Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1177–78 (D.Minn.2014)
TJMAXX: TJX Co. Retail Sec. Breach Litig., 524 F. Supp. 2d 83 (D. Mass. 2007)
ASSUME SECURITY BREACH
Proactive engagement with Legal.
Pre-breach continuous interaction with Legal.
Always assume security breach.
THE LEGAL LIFECYCLE
Avoid reactive Attorney engagement (Incident Response Phase).
Attorney engagement throughout the entire Software Development Lifecycle.
Attorney engagement throughout the entire Secure Operations Lifecycle.
QUESTION
How often do you proactively talk to your attorneys?
END TO END LEGAL DILIGENCE
Attorney Roles: Advisory, Compliance, Drafting, Audit, Litigation
CISOs must partner with attorneys on every applicable role:
ATTORNEY ADVISORY ROLE
Proactively discuss cyber security challenges such as Ransomware.
Determine whether you should pursue security breach insurance.
Discuss your cyber security program with your attorneys.
ATTORNEY ADVISORY ROLE
Cyber Security Incident Response Plan
Cyber Security Liability Insurance
Post-Attack Public Relations
Cooperation with Law Enforcement (Apple)
Reporting Cyber Crimes
ATTORNEY COMPLIANCE ROLE
Discuss what security compliance certifications are worth pursuing and which ones are not.
What is the cost of non-compliance?
How do you plan to be continuously compliant, not just during the audit engagements?
Talk about the Security vs Compliance dilemma.
ATTORNEY COMPLIANCE ROLE
National Cyber Security Compliance: FISMA, FedRAMP, CJIS (FBI), NIST SP 800-53.
International Cyber Security Compliance: ISO 27001, ISO 27018, EUMC, GDPR.
Territorial Cyber Security Compliance: MTCS (Singapore), IRAP (Australia), UK G-Cloud.
Industry Cyber Security Compliance: HIPAA, PCI DSS.
ATTORNEY DRAFTING ROLE
Review contract security addendums from a security engineering perspective.
Evaluate the feasibility of the clauses and contract obligations.
Determine if you are prepared to meet the security contract requirements.
Are you getting the right assurances from your vendors?
ATTORNEY DRAFTING ROLE
Do the cyber security provisions make sense to engineers?
Do the cyber security controls address the risk adequately?
Are both parties agreeing equally to manage the cyber security risks?
Is it best to use broad language? Is staying silent on a specific provision the best approach?
ATTORNEY AUDIT ROLE
Are you comfortable with the Right to Audit clauses?
Can your company manage multiple concurrent audits?
Have you considered the legal implications of audit findings?
Are your audit papers and artifacts protected by Attorney Client Privilege (ACP)?
ATTORNEY AUDIT ROLE
Terms of Right to Audit
Duration of the Audit(s)
Scope of the Audit(s)
Limit the number of concurrent Audits
ATTORNEY LITIGATION ROLE
Are you currently conducting due diligence throughout your entire engineering lifecycle?
Are you prepared for a subpoena or a deposition?
Do you adequately invoke the Attorney Client Privilege during your day-to-day security operations?
Proactively talk about litigation strategies.
ATTORNEY LITIGATION ROLE
The value of due diligence: Pre, During & Post a Security Breach
Diligence vs Negligence
VENDOR MANAGEMENT
Vendor Security
Do your vendors meet the same security bar as your company?
How often do you audit vendor security compliance?
Do your vendors have vendors? Do they also meet the security bar?
QUESTION
Do you get involved in the attorney recruitment process?
HIRE ENGINEER ATTORNEYS
Patent Attorneys generally have a science background to prosecute patents with the US Patent Office.
Cyber Security Attorneys must be qualified to understand the engineering intricacies of your Cyber Security Program.
END TO END LEGAL PARTNERSHIP
Ultimately, you must proactively engage your legal team and leverage your attorneys throughout the entire lifecycle of your security engineering operations.
Conduct End to End Legal Cyber Security Due Diligence!
Q & A