Data is one of your business’s most valuable assets and requires protection like any other asset. How can you protect your data from unauthorized access or inadvertent disclosure?
An information security program is designed to protect the confidentiality, integrity, and availability of your company’s data and information technology assets. Federal, state, or international law may also require your business to have an information security program in place.
This webinar will provide the basics of how to create and implement an information security program, beginning with identifying your incident response team, putting applicable insurance policies into place, and closing any gaps in the security of your data.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/how-to-build-and-implement-your-companys-information-security-program-2021/
1. How to Build and Implement your Company's Information Security Program
2. Practical and entertaining education for attorneys, accountants, business owners and executives, and investors.
3. Disclaimer
The material in this webinar is for informational purposes only. It should not be considered legal, financial or other professional advice. You should consult with an attorney or other appropriate professional to determine what may be best for your individual needs. While Financial Poise™ takes reasonable steps to ensure that information it publishes is accurate, Financial Poise™ makes no guaranty in this regard.
5. Meet the Faculty
MODERATOR:
Kathryn Nadro – Sugar, Felsenthal, Grais & Helsinger LLP
PANELISTS:
J. Eduardo Campos – Embedded-Knowledge, Inc.
Anna Mercado Clark – Phillips Lytle LLP
7. About This Series – Cyber Security & Data Privacy 2021
Cybersecurity and data privacy are critical topics of concern for every business in today’s environment. Data breaches are a threat to every business and can cause both direct losses from business interruption and loss of data and indirect losses from unwanted publicity and damage to your business’s reputation. Compliance with a patchwork of potentially applicable state and federal laws and regulations may cost your business in terms of money and time. This series discusses the various laws and regulations that affect businesses in the United States and in Europe, as well as the best practices to use in creating an information security program and preparing for and responding to data breaches.
Each Financial Poise Webinar is delivered in Plain English, understandable to investors, business owners, and executives without much background in these areas, yet is of primary value to attorneys, accountants, and other seasoned professionals. Each episode brings you into engaging, sometimes humorous, conversations designed to entertain as it teaches. Each episode in the series is designed to be viewed independently of the other episodes so that participants will enhance their knowledge of this area whether they attend one, some, or all episodes.
8. Episodes in this Series
#1: Introduction to US Privacy and Data Security: Regulations and Requirements
Premiere date: 08/04/21
#2: Introduction to EU General Data Protection Regulation: Planning, Implementation, and Compliance
Premiere date: 09/01/21
#3: How to Build and Implement your Company's Information Security Program
Premiere date: 10/06/21
#4: Data Breach Response: Before and After the Breach
Premiere date: 11/03/21
9. Episode #3: How to Build and Implement your Company's Information Security Program
10. Introduction
• An information security program is a documented set of a company’s or agency’s information security policies, guidelines and procedures
• The majority of security programs aim to assess risk, monitor threats, and mitigate cyber security attacks
• Massachusetts and New York are currently the only states with strict information security requirements
√ Other states are starting to implement similar laws
• Implemented in any industry that deals with personally identifiable information
11. Information Security Programs – Then and Now
• Early information security efforts identified confidentiality, integrity, and availability (“CIA Triad”) as the primary security factors
• The rise of information security programs –
√ 1967 – military computers were hacked and the CIA Triad was found to be inadequate; not much was changed
√ 1970s – “phreakers” exploit vulnerabilities in the telephone network to make free long-distance calls
√ 1980s – First National Bank of Chicago hacked for $70 million
√ 1990s & 2000s – computers become targets as more people provide personal information online
12. Information Security Programs – Then and Now
• Today, the CIA Triad has evolved into the “Parkerian Hexad”
√ Parkerian Hexad factors –
o Confidentiality/control
o Information integrity
o Authenticity
o Availability
o Utility
13. What is Information Security?
• Information security refers to the processes and methodologies designed and implemented to protect print, electronic, or any other form of information or data, including confidential, private, and sensitive information, from –
√ Unauthorized access, use, misuse, or disclosure; or
√ Unauthorized destruction, modification, or disruption
14. Information Security vs. Computer Security vs. Information Assurance
• All share the common goal of protecting the confidentiality, integrity, and availability of information
• The terms are used interchangeably but do not have exactly the same meaning
√ The differences lie in the approach to the subject, the methodologies used, and the areas of concentration
• Information security is concerned with the protection of the CIA Triad regardless of the form the data may take: print, electronic, or other
15. What Information is Protected?
• Personally identifiable information (PII) or sensitive personal information
√ Home address
√ Social security number
√ Credit card number
√ Date of birth
√ Username or account number together with a password and/or access code
16. What Information is Protected? (cont’d)
• Health information
√ Medical records
• Other proprietary information
√ Financial data
• Trade secrets
17. Key Elements of an Effective Information Security Program (ISP)
• Purpose
• Scope
• Information security objectives
√ CIA Triad
• Authority and access control policy
• Classification of data
• Data support and operations
• Security awareness sessions
• Responsibilities and duties of personnel
• Relevant laws
18. The Purpose
• Different institutions may create ISPs for various reasons, but they generally share a few common goals, including –
√ Establish a general approach to information security
√ Detect and forestall the compromise of information security
o i.e. misuse of data, networks, computer systems and applications
√ Protect the reputation of the company with respect to its ethical and legal obligations
√ Recognize the rights of customers
o i.e. providing an effective mechanism for responding to complaints
19. The Scope
• Generally, ISPs address:
√ All data
√ Programs
√ Systems
√ Facilities
√ Other tech infrastructure
20. Information Security Objectives
• An organization looking to implement an ISP needs to have well-defined objectives
• Information security systems aim to safeguard three main objectives –
√ Confidentiality
√ Integrity
√ Availability
21. The CIA Triad
• Confidentiality
√ Controlling who gets to read information
√ Ensuring only individuals who need access to this information to do their jobs get to see it
√ Access restricted to only authorized individuals
• Integrity
√ Ensuring information and programs are changed only in a specified and authorized manner
o E.g. information has not been tampered with or deleted by those with unauthorized access
22. The CIA Triad (cont’d)
• Availability
√ Ensuring authorized users have continued access to information and resources
o Information is readily available to those who need it to successfully conduct an organization’s business
23. Authority and Access Control Policy
• Typically, a security policy has a hierarchical pattern:
√ Junior staff are usually bound not to share the little information they have unless explicitly authorized
√ A senior manager may have enough authority to decide what data can be shared and with whom
√ Policies governing senior employees may not be the same policies governing junior employees
√ An ISP should address every basic position in the organization with specifications that clarify its authority
24. Classification of Data
• Data can have different value and thus may require separation and specific handling regimes/procedures for each kind of data
• An information classification system is commonly sorted as:
√ High risk or highly confidential class
√ Confidential class
√ Public class
25. Classification of Data (cont’d)
• High risk class – generally data protected by state and/or federal legislation or regulations
√ Information covered under HIPAA, FERPA, or other federal regulations
√ Financial data
√ Payroll
√ Personnel (privacy requirements)
• Confidential class
√ Data in this class may not be covered by any laws or regulations, but the data owner judges that it should be protected against unauthorized disclosure
√ Information protected by NDAs, trade secrets, confidential business information
26. Classification of Data (cont’d)
• Public class
√ Information freely distributed
• Data owners should determine both the data classification and the exact measures a data custodian needs to take to preserve integrity in accordance with that level
27. Data Support and Operations
• The regulation of the general system mechanisms responsible for data protection:
√ Data backup
√ Movement of data
28. Security Awareness Employee Meetings
• Security awareness training can help provide employees with information regarding how to collect/use/delete data, maintain data quality, records management, confidentiality, privacy, appropriate utilization of IT systems, correct usage of social networking, etc.
29. Responsibilities and Duties of Personnel
• It is not unusual for institutions to hire an ISP person with sole responsibility for:
√ implementation
√ education and training
√ incident response
√ user access reviews
√ periodic updates of the ISP
30. Relevant Laws and Other ISP Items
• An ISP is likely to include references to relevant laws
√ i.e. HIPAA, GLBA, and international data protection laws like the EU General Data Protection Regulation (GDPR)
• ISP may also include -
√ Virus Protection Procedure
√ Intrusion Detection Procedure
√ Remote Work Procedure
√ Technical Guidelines
√ Consequences for Non-compliance
√ Disciplinary Actions
√ Terminated Employees
31. Massachusetts Standard: 201 C.M.R. 17
• Standards for the Protection of Personal Information of Residents of the Commonwealth
• Implemented in 2010 – the top personal information protection law in the US when enacted
• Requires every person or entity that owns personal information of a Massachusetts resident to adopt a written information security program (WISP) designed with appropriate safeguards
32. Massachusetts Information System Law
• In Massachusetts, every information security program must include:
√ At least one employee maintaining the information security program;
√ Identification of foreseeable security risks, both internal and external;
√ Employee security policies dealing with access to and transportation of personal information outside of the business;
√ Disciplinary measures for violations;
√ Methods to prevent terminated employees from reaching personal information;
33. Massachusetts Information System Law (cont’d)
√ Oversight of third-party service providers by taking reasonable steps to adopt and maintain security measures consistent with the entity’s;
√ Restrictions on access to stored personal information;
√ Regular monitoring to ensure compliance with the implemented information security program and stop unauthorized access;
√ Annual review of the security program, or whenever there is a material change in the business practices; and
√ Documentation of any incident involving a security breach and the actions taken in response to breaches, and any review of business practices to protect personal information, if necessary.
34. NY Department of Financial Services Cybersecurity Regulation, 23 NYCRR Part 500
• Requires that all financial service companies maintain an ISP
√ Any company regulated by the Department of Financial Services
√ Exceptions –
o Organizations with fewer than 10 employees, less than $5 million in gross annual revenue for three years, or less than $10 million in year-end total assets
35. NY Department of Financial Services Cybersecurity Regulation
• The ISP must address:
√ information security;
√ data governance and classification;
√ asset inventory and device management;
√ access controls and identity management;
√ business continuity and disaster recovery planning and resources;
√ systems operations and availability concerns;
√ systems and network security;
√ systems and network monitoring;
36. NY Department of Financial Services Cybersecurity Regulation (cont’d)
• The ISP must address:
√ systems and application development and quality assurance;
√ physical security and environmental controls;
√ customer data privacy;
√ vendor and Third Party Service Provider management;
√ risk assessment; and
√ incident response.
37. NY Stop Hacks and Improve Electronic Data Act (“SHIELD Act”)
• Expands the NY breach notification law and imposes data security program requirements on businesses that possess the private information of New York State residents
√ Applies regardless of whether the businesses have any physical presence in New York State
• Program requirements include administrative, technical, and physical safeguards for detecting and responding to intrusions and maintaining the security of information
• Businesses subject to and in compliance with Gramm-Leach-Bliley, HIPAA, or the NY Dept. of Financial Services Cybersecurity Requirements are exempted from this requirement under the SHIELD Act
38. NY Stop Hacks and Improve Electronic Data Act (“SHIELD Act”) (cont’d)
• Limited reprieve for “small businesses” with fewer than fifty employees, less than $3 million in gross revenues in the last three fiscal years, or less than $5 million in year-end total assets
• Expands the definition of “private information” subject to the NY data breach notification law
• The NY Attorney General can pursue civil penalties, but there is no private right of action
39. California Consumer Privacy Act
• Effective January 1, 2020
• Mandates that companies do the following:
√ Inform consumers about the categories of personal information collected and the purposes for which the information is being used;
√ Respond to verifiable consumer requests to access certain information;
√ Allow customers to opt out of the sale of their personal information; and
√ Enable consumers (subject to carve-outs) to request that businesses delete their personal information.
40. California Consumer Privacy Act (cont’d)
• Applies to businesses if they are for-profit businesses that collect and control California residents’ personal information, do business in California, and satisfy one of the following:
√ Have annual gross revenues in excess of $25 million, or
√ Receive or disclose the personal information of 50,000 or more California residents, households, or devices on an annual basis, or
√ Derive 50 percent or more of their annual revenues from selling California residents’ personal information.
41. CCPA Private Right of Action
• Limited private right of action for consumers when there is an “unauthorized access and exfiltration, theft, disclosure of a consumer’s nonencrypted or nonredacted personal information” for a business’s violation of “the duty to implement and maintain reasonable security procedures and practices”
• The consumer has to give the business 30 days to cure the alleged violation and to respond with a written statement that the violation has been cured
√ Consumers can then bring a civil suit for statutory damages of between $100 and $750 “per consumer per incident or actual damages, whichever is greater.”
o Cal. Civ. Code § 1798.150(a)(1)(A)
• The Attorney General may also issue fines of up to $7,500 per violation, with maximum penalties reserved for intentional noncompliance
42. What Businesses Subject to CCPA Should Do
• While there is no explicit requirement for an information security program in the CCPA, having one in place will help defend a business from an accusation that it didn’t “maintain reasonable security procedures and practices” prior to any data breach
√ In 2016, the California Attorney General issued a “Data Breach Report” which identified safeguards the then-Attorney General viewed as constituting reasonable security practices, including data security controls published by the Center for Internet Security
√ Those controls include a written information security program, oversight by a dedicated security officer or supervisor, employee training, vendor management, an incident response plan, and ongoing risk assessment and management
43. Employee Maintaining the Information Security Program
• The employee is the designated officer for handling every aspect of the program.
√ A designated security officer is responsible for coordinating and maintaining the security program.
• This person should maintain independence by reporting to someone outside of the IT department.
44. Assessing Risk
• What risks could your organization face?
√ Examples: loss of data, unauthorized access, data corruption, hack, third-party data sharing, etc.
• What would be appropriate, cost-effective management techniques for these risks?
45. Additional Elements of a Good Information Security Program
• Designated security officer (DSO)
• Risk Assessment
• Policies and Procedures
• Organizational security awareness
• Regulatory standards compliance
• Audit compliance plan
47. About The Faculty
Kathryn Nadro - knadro@sfgh.com
Kathryn (“Katie”) Nadro leads Sugar Felsenthal Grais & Helsinger’s Data Security and Privacy practice. Katie advises clients on a diverse array of business matters, including data security and privacy compliance, commercial and business disputes, and employment issues. Katie works with individuals and businesses of all sizes to craft successful resolutions tailored to each individual matter.
Katie is a Certified Information Privacy Professional (CIPP/US) and counsels clients on a variety of data security and privacy issues, including breach response, policy drafting, program management, data collection, vendor management, and compliance with ever-changing state, federal, and international privacy law. Katie also has broad litigation experience representing companies and individuals in contract, non-compete, discrimination, harassment, fiduciary duty, and trade secret litigation in state and federal court. With a background as both in-house and outside counsel, Katie understands that business objectives, time, and resources play an important role in reaching a favorable outcome for each client.
48. About The Faculty
Anna Mercado Clark - AClark@phillipslytle.com
As leader of Phillips Lytle’s Data Security & Privacy and E-Discovery & Digital Forensics Practice Teams, Ms. Clark focuses on complex e-discovery and digital forensics, cybersecurity and data privacy, and complex commercial litigation. As a former Assistant District Attorney, she also handles white collar criminal matters and investigations. Additionally, Ms. Clark has been awarded the following ANSI-accredited credentials by the International Association of Privacy Professionals (IAPP): Certified Information Privacy Professional/Europe (CIPP/E) and Certified Information Privacy Professional for the U.S. Private Sector (CIPP/US), preeminent certifications for advanced concentration in European data protection laws and U.S. private-sector laws, standards and practices, respectively. Ms. Clark routinely counsels sophisticated clients on data governance issues to address business needs while minimizing risks and complying with a rapidly evolving regulatory landscape and other legal obligations. She has extensive experience advising businesses in the technology, consumer, health care and financial industries regarding information management and disposition policies, litigation readiness, data transfers, third-party/vendor negotiation and management relative to data administration, and disaster recovery and avoidance.
To read more, go to https://www.financialpoise.com/webinar-faculty/anna-mercado-clark/
49. About The Faculty
J. Eduardo Campos - jeduardo.campos@embedded-knowledge.com
After creating business growth opportunities on four continents, J. Eduardo Campos spent thirteen years at Microsoft, first as a cybersecurity advisor, then leading innovative projects at the highest levels of government in the U.S. and abroad. Today, Eduardo is living his dream of building a better tomorrow through his consulting firm, Embedded-Knowledge, Inc. Working with organizations and entrepreneurs, he develops customized business strategies and forms partnerships focused on designing creative solutions to complex problems.
50. Questions or Comments?
If you have any questions about this webinar that you did not get to ask during the live premiere, or if you are watching this webinar On Demand, please do not hesitate to email us at info@financialpoise.com with any questions or comments you may have. Please include the name of the webinar in your email and we will do our best to provide a timely response.
IMPORTANT NOTE: The material in this presentation is for general educational purposes only. It has been prepared primarily for attorneys and accountants for use in the pursuit of their continuing legal education and continuing professional education.
51. About Financial Poise
DailyDAC LLC, d/b/a Financial Poise™ provides continuing education to attorneys, accountants, business owners and executives, and investors. Its websites, webinars, and books provide Plain English, entertaining explanations about legal, financial, and other subjects of interest to these audiences.
Visit us at www.financialpoise.com
Our free weekly newsletter, Financial Poise Weekly, updates you on new articles published on our website and upcoming webinars you may be interested in.
To join our email list, please visit: https://www.financialpoise.com/subscribe/