Benchmarking Your Firm Against Best Practices IT Compliance

Uploaded by brenda-majewski, posted 23-Jan-2017



Moderator: Mitch Hungerpiller, Mitchell-Wayne Technologies

Panelists: Mark Abendroth, Abendroth & Russell PC

Anna Alvarado, Couch, Conville & Blitt

Brenda Majewski, Kohn Law Firm S.C.

1. Where does your firm compare with information technology best practices?

2. What are those best practices that help you survive a security audit and satisfy audit exceptions for compliance?

3. What does it cost for all this security and best practice deployment and management?

4. Hear from our very experienced panel on successes and war stories to be better prepared to face your IT issues and audit within your budget!

IT Compliance from a Vendor’s Perspective

By Mitch Hungerpiller, Sr. CPA

President & Founder

IT Best Practices & Civil Procedure

• December 2006 amendments to the Federal Rules of Civil Procedure (FRCP) 34(a) and 34(b) cite retention policies of electronically stored information (“ESI”) used in the normal course of business for discovery in litigation.
– This is driving the compliance audits
– Comply with e-discovery required practices or pay the piper
– Deleted data NEVER goes away

IT Management Viewpoint

• The optimal environment for stable systems is to NOT CHANGE them!
– Compliance mandates that patches be applied weekly for Microsoft OSs
– Compliance mandates that firmware be updated on firewalls within a reasonable period of time
– Compliance mandates that policies be followed whenever something changes
– Compliance mandates that all antivirus, antimalware and content filters be updated & maintained daily

IT Professionals Do NOT Make Policy

• IT professionals program, support and maintain systems that automate tasks
• IT professionals translate business policies and program systems to comply with those policies
• IT professionals carry numerous core competences and skills similar to law, medicine, accounting and engineering
• Business policies of collection law firms and agencies are created at the firm or agency level

Compliance Policies are Uniquely Created for Your Business

IT Compliance Budget Busters

Network & Facility
• Security
– email appliances
– network
– data at rest encryption
– certificate maintenance
– PCI scans
• Change Control
• File Integrity Monitoring
• Voice & Video Recordings

Business Continuity
• Image-based backups vs. file backups
• DR restores off premise
• Vaulting of backups
• Internet bandwidth via fiber (full duplex)
• Competent IT professionals

Summary IT Compliance Best Practices

• Use Microsoft Group Policy to Manage Security
• Automate as Much as Possible
• Review Logs Daily
• Maintain Renewal Dates for Annual Subscriptions
• Use Managed Services when Possible
• Include IT Professionals in Management Meetings
• Budget for Technology Refreshes at HW Warranty Expirations
• Allocate Sufficient Resources for IT

Panel Discussions

Brenda Majewski, Kohn Law Firm S.C.

• Password security enforcement – Cost = 0.
• The 2014 most popular passwords remained “password” and “123456” (specopssoft.com*). Change often.
• Helpdesk “cost” to reset passwords: $25/user.*
• Increase length and complexity, e.g.: N@rc@2015! vs. Narca2015
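The slide's "increase length and complexity" advice and its blocklist of the most popular 2014 passwords can be expressed as a concrete policy check. The following is an added example written for this transcript, not code from the presentation or from any panelist's firm; the minimum length of 10, the four-class requirement and the short blocklist are assumptions chosen so that the slide's own pair of passwords falls on opposite sides of the policy. It also scores each password by the size of the character set it draws on, which is what the "N@rc@2015! vs. Narca2015" comparison is really about.

```python
"""Password policy check illustrating the slide's "increase length and
complexity" point.  Constructed example; not part of the presentation."""
import math
import string

# Constructed blocklist.  The slide names "password" and "123456" as the most
# popular 2014 passwords; a real deployment would load a far larger list.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein"}

# Assumed policy values (the slide gives no numbers).
POLICY = {"min_length": 10, "classes_required": 4}

CLASS_SIZES = {
    "upper": len(string.ascii_uppercase),
    "lower": len(string.ascii_lowercase),
    "digit": len(string.digits),
    "symbol": len(string.punctuation),
}


def character_classes(pw: str) -> dict:
    """Which of the four character classes the password actually uses."""
    return {
        "upper": any(c in string.ascii_uppercase for c in pw),
        "lower": any(c in string.ascii_lowercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def search_space_bits(pw: str) -> float:
    """Naive strength estimate: log2(alphabet_size ** length), where the
    alphabet is the union of the classes present.  An upper bound only; it
    ignores dictionary words and predictable substitutions such as a->@."""
    present = character_classes(pw)
    alphabet = sum(size for name, size in CLASS_SIZES.items() if present[name])
    if alphabet == 0:
        return 0.0
    return len(pw) * math.log2(alphabet)


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on common-password blocklist")
    if len(pw) < POLICY["min_length"]:
        problems.append(f"shorter than {POLICY['min_length']} characters")
    classes = character_classes(pw)
    if sum(classes.values()) < POLICY["classes_required"]:
        missing = [name for name, used in classes.items() if not used]
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    for candidate in ("Narca2015", "N@rc@2015!", "password"):
        print(f"{candidate!r}: {search_space_bits(candidate):.1f} bits, "
              f"violations={check_password(candidate)}")
```

Running the block shows "Narca2015" failing on length and on the missing symbol class while "N@rc@2015!" passes, and "password" failing on every rule at once; the bit estimate rises with both length and alphabet size, which is the reason the slide pairs the two recommendations.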

• Malware
• Firewall
• Virus protection

Employees – are they your weakest information technology link?
• Clicking on links
• Prohibit downloads

Permissible purpose documentation. Business resources.

Cellphones, TCPA scrubs, dialers

Next up wearable technology – policies and permissible purposes

Get SMART
• Specific – target a specific area for improvement.
• Measurable – quantify or at least suggest an indicator of progress.
• Assignable – specify who will do it.
• Realistic – state what results can realistically be achieved, given available resources.
• Time-related – specify when the result(s) can be achieved.

Issue: Employee desktop activity in the Firm's Accounting Room is not viewable via their Surveillance (CCTV) system. The camera view in this area is able to identify employees at their desks, but does not capture their payment posting activity.

PCI requirements – when two clients conflict
• One client gives you one login
• What does “/” mean – “remove and disable” or “remove or disable”?

Retain docs and SOPs that control the date of the action that occurred – don’t retain only the newest SOP.

Call Recording Retention: 13 months
Calls: 3 months
Call Auditing Forms: 12 months
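The point about keeping superseded SOPs is easy to state and easy to get wrong in a records system: an auditor asks which procedure governed an action on its date, so the version that was in effect then has to be retrievable, not just the current one. The following is an added example written for this transcript, not the panelist's or her firm's code. The SOP version history and the record-type labels are constructed; the retention periods are the three the slide lists (13, 3 and 12 months), and calendar-month arithmetic clamps to month end so a 31 January record does not overflow into March.

```python
"""Effective-dated SOP lookup and retention-schedule check.  Constructed
example for the slide's retention points; not from the presentation.
Dates may be passed as ISO strings (YYYY-MM-DD) or date objects."""
import calendar
from bisect import bisect_right
from dataclasses import dataclass
from datetime import date


def as_date(d):
    """Accept either an ISO date string or a date object."""
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass(frozen=True)
class SopVersion:
    name: str
    version: str
    effective: date  # the date this revision took effect


# Constructed SOP history: three revisions of one call-handling procedure.
SOP_HISTORY = sorted(
    [
        SopVersion("Call handling", "v1", date(2013, 1, 1)),
        SopVersion("Call handling", "v2", date(2014, 6, 1)),
        SopVersion("Call handling", "v3", date(2015, 3, 15)),
    ],
    key=lambda s: s.effective,
)

# Retention periods in months as the slide lists them; the record-type
# labels are assumed.
RETENTION_MONTHS = {"call recording": 13, "call": 3, "call auditing form": 12}


def sop_in_effect(history, on):
    """The SOP revision that governed an action on date `on`: the latest
    version whose effective date is on or before `on`.  Returns None when
    the action predates every retained version, which itself is a finding."""
    on = as_date(on)
    effective_dates = [s.effective for s in history]  # sorted ascending
    idx = bisect_right(effective_dates, on)
    return history[idx - 1] if idx else None


def add_months(d, months):
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    d = as_date(d)
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def disposal_date(record_type, created):
    """ISO date on which a record leaves its retention window."""
    return add_months(created, RETENTION_MONTHS[record_type]).isoformat()


def retention_status(record_type, created, today):
    """'retain' while inside the window, otherwise 'eligible for disposal'."""
    keep = as_date(today) < as_date(disposal_date(record_type, created))
    return "retain" if keep else "eligible for disposal"


def audit_package(record_type, created):
    """What an auditor asks for about one action: the record's disposal date
    and the SOP revision that governed the action when it happened."""
    sop = sop_in_effect(SOP_HISTORY, created)
    return {
        "governing_sop": sop.version if sop else None,
        "dispose_on": disposal_date(record_type, created),
    }


if __name__ == "__main__":
    print(audit_package("call", "2014-07-10"))
    print(retention_status("call auditing form", "2015-01-15", "2016-01-15"))
```

Note that `sop_in_effect` picks v1 for an action on 31 May 2014 even though v2 and v3 exist; deleting v1 because it is "old" would leave that action with no governing procedure to show an auditor.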

• The American Bar Association’s Model Rules of Professional Conduct, adopted in whole or in part by all states except California, include Rule 1.6(c): “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” (California’s is even tougher.)

Panel Discussions

Anna Alvarado, Couch, Conville & Blitt

Chief Operating Officer IT Vendor

Department Manager

Database Administrator

Database Administrator

General Best Practices…

• 3rd-party vendor should be coupled with internal IT staff
• IT professionals/vendors are your support system and you should rely on them as subject matter experts
• We hire IT professionals for a reason… SUPPORT, GUIDANCE but most importantly EXPERTISE
• Ask a lot of questions… most executives only have a general/basic understanding of the IT world, its terms, the equipment, etc.

• Manage expectations of vendor with continuous and candid communication.

Best Practices: Communication

• Monthly calls or at a minimum quarterly
• Review written expectations… who, what, when, why and how?
• Ultimately IT compliance is the firm’s responsibility

Helpful Tips: Daily/Weekly/Monthly Checklist

• Inspect that the server room, phone systems, internet, email and cameras are functioning properly
• Ensure confirmations for server backups are received and logged daily
• Test locks on all secured doors
• Test alarms for front, rear and server rooms
• Make sure all logs are in place
• Test internet usage for social media and/or other prohibited sites
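The backup item on this checklist is about confirmations being received, not merely about no error arriving: a server that stops reporting looks identical to a healthy one unless someone checks for the expected success line each day. The following is an added example written for this transcript, not the panelist's or her firm's code. The log format, the host names and the log lines themselves are constructed; a real backup product will write something different, so the regular expression is the part a practitioner would adapt.

```python
"""Daily backup-confirmation check over sample log lines.  Constructed
example for the checklist item "ensure confirmations for server backups are
received and logged daily"; the format and host names are assumed."""
import re
from datetime import date, timedelta

# Constructed sample of what a backup agent might log or e-mail.  DC01 never
# reports at all, SQL01 fails once and then goes silent, and one line is
# truncated so the parser has something malformed to count.
SAMPLE_LOG = """\
2017-01-20 02:14:03 BACKUP host=FS01 job=nightly-image status=SUCCESS bytes=412000000000
2017-01-20 02:40:11 BACKUP host=SQL01 job=nightly-image status=SUCCESS bytes=98000000000
2017-01-21 02:13:55 BACKUP host=FS01 job=nightly-image status=SUCCESS bytes=413100000000
2017-01-21 02:39:02 BACKUP host=SQL01 job=nightly-image status=FAILED error=VSS_SNAPSHOT_TIMEOUT
2017-01-22 02:14:40 BACKUP host=FS01 job=nightly-image status=SUCCESS bytes=413500000000
2017-01-22 02:39:30 BACKUP host=SQL01 job=nightly-image
"""

# Assumed inventory of servers that must confirm every day.
EXPECTED_HOSTS = ("FS01", "SQL01", "DC01")

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ BACKUP host=(?P<host>\S+) "
    r"job=\S+ status=(?P<status>\S+)"
)


def parse_confirmations(text):
    """Map (iso_day, host) -> status for every well-formed line.  Returns the
    map and the count of lines that did not parse; a malformed line is not a
    confirmation and must not be mistaken for one."""
    seen, malformed = {}, 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed += 1
            continue
        seen[(m["day"], m["host"])] = m["status"]
    return seen, malformed


def daily_exceptions(text, start, end, hosts=EXPECTED_HOSTS):
    """List (iso_day, host, finding) for every host-day in [start, end] that
    is not a logged SUCCESS, in day order.  A missing line is a finding in
    its own right, because the check is that confirmation was received."""
    seen, _ = parse_confirmations(text)
    findings = []
    day, last = date.fromisoformat(start), date.fromisoformat(end)
    while day <= last:
        iso = day.isoformat()
        for host in hosts:
            status = seen.get((iso, host))
            if status is None:
                findings.append((iso, host, "no confirmation received"))
            elif status != "SUCCESS":
                findings.append((iso, host, f"status {status}"))
        day += timedelta(days=1)
    return findings


if __name__ == "__main__":
    for finding in daily_exceptions(SAMPLE_LOG, "2017-01-20", "2017-01-22"):
        print(*finding)
```

On the constructed sample the check surfaces five exceptions over three days: DC01 every day (it never reported), SQL01's explicit failure on the 21st, and SQL01's silent absence on the 22nd, where the truncated line is counted as malformed rather than accepted as a confirmation.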

Panel Discussions

Mark Abendroth, Abendroth and Russell, PC

Law Firm Security Issues to Consider: Encryption

• Full disk encryption of laptops and other devices
• BYOD (Bring your own device)
– Whose phone is it?
– Software for a remote “wipe”
– Never access a free hotspot at Starbucks

Law Firm Security Issues to Consider: Vendor Management

A lawyer should be mindful of the obligation to “act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure…”

ABA Model Rule 1.6, comment 16

Law Firm Security Issues to Consider

• How are your vendors managing data of your clients?
• Written contracts with confidentiality agreements are crucial
• Your clients will want to see these contracts