Today's General Counsel, V15 N1, Spring 2018


Cybersecurity

Information Security as Legal/Business Partnership

By Jeff Franks and Erik Collasius

Information security is a regular topic of discussion for corporate legal teams today, as threats continue to emerge at an alarming rate and the cost of security incidents continues to rise. Increasingly complex information security regulations, together with expanding reliance on digital information and the significant cost and impact of security incidents, make information security a risk that must be addressed decisively. Many regulations address the topic. One that our department deals with regularly is the Defense Federal Acquisition Regulation Supplement (DFARS), whose clause 252.204-7012 imposes safeguarding and cyber incident reporting requirements. Compliance with information security regulations should not be viewed simply as a sunk cost or a minimal value-add activity. Instead, it should be viewed as an opportunity for the legal team to engage with its business partners to establish regulatory compliance as a differentiator. Done effectively, the legal team's involvement in driving the implementation of controls will not only reduce risk, but will also result in an improved partnership with the business and increased credibility and influence for the legal function.

To illustrate this premise, let's take a look at the DFARS requirements, which require businesses supporting U.S. Department of Defense contracts or subcontracts to provide "adequate security" for information known as Covered Defense Information, and "rapid reporting" (within 72 hours of discovery) of cyber incidents affecting that information. Department of Defense contractors can expect these requirements to increase and evolve over time to deal with the changing threat landscape.

Further details on the criteria for properly handling that data are found in NIST SP 800-171 (updated in November 2017), which provides recommended requirements for protecting the confidentiality of controlled unclassified information as defined by the National Archives. Its requirements are grouped into the following fourteen control families:

1. Access Control: How is system access limited to authorized users, and are privileges granted on a least-privilege basis?
2. Awareness and Training: Are users regularly trained on information security risks, including how to recognize insider threats?
3. Audit and Accountability: Are system audit logs collected, retained and regularly reviewed?
4. Configuration Management: Are security configurations established and maintained on hardware and software throughout their lifecycles?
5. Identification and Authentication: Are users required to use complex passwords, and is multi-factor authentication enforced for privileged and network access?
6. Incident Response: Is a plan established and successfully tested?
7. Maintenance: Are systems properly maintained from a patch and vulnerability perspective?
8. Media Protection: Is information properly marked, encrypted and sanitized before disposal?
9. Personnel Security: Are employees adequately screened?
10. Physical Protection: Are visitors logged and escorted?
11. Risk Assessment: Are systems scanned and tested for vulnerabilities?
12. Security Assessment: Are security controls periodically assessed, and are plans of action maintained for deficiencies?
13. System and Communications Protection: Is information monitored and controlled at egress points?
14. System and Information Integrity: Are system flaws remediated promptly, and is malicious code detected and blocked?

