
Developing and Implementing Information Security Policies to Protect Financial Institution Data

American Conference Institute, Outsourcing in Financial Services

Michael J. Silverman, Partner
Duane Morris LLP
227 West Monroe Street, Suite 3400
Chicago, Illinois 60606
(312) 499-6700
[email protected]

Henry L. Judy, Of Counsel
Kirkpatrick & Lockhart LLP
1800 Massachusetts Avenue, NW
Washington, DC 20036
Phone: 202-778-9032
[email protected]

Eric J. Sinrod, Partner
Duane Morris LLP
One Market, Spear Tower, Suite 2000
San Francisco, CA 94105
(415) 371-2219
[email protected]

March 9, 2004

CONTENTS

I. Policies
II. Authentication and Identity Management
III. Monitoring/Access (Outsourcer's Access to Service Provider's Systems)
IV. Personnel (May Be Point of Greatest Vulnerability)
V. Incident Reporting and Response
VI. Disaster Recovery Planning
VII. Cross-Border Issues
VIII. Network/Logical Security
IX. Physical Security
X. Records Retention and Archiving
XI. Reverse Migration/Transition
XII. Audit Process and Certifications


POLICIES

Whose policies control?
• Default position, such as: whichever party's policy is more protective of the information should be the controlling policy.
• Practical issues in negotiating to bridge the gap between Service Provider and Outsourcer policies.

Changes to policies over time
• Changes arising out of new technologies
• Changes required by law
• Other changed circumstances


POLICIES (Cont'd.)

Process for implementing changes
• Notice of proposed changes
– Mutual?
– Opportunity to comment
– Allocation of costs
– Ability to terminate the relationship due to changes in policies and practices

Approach for dealing with third parties or downstream contractors


AUTHENTICATION AND IDENTITY MANAGEMENT

Control of persons
Technology
• User ID and password
• Other controls
– Tokens
– Biometric
– Other


AUTHENTICATION AND IDENTITY MANAGEMENT (Cont’d.)

Control of documents
Permissions
Encryption and other security

Who is responsible for administration (changes, updating, lost passwords, etc.)?
Liability for failure


MONITORING/ACCESS (OUTSOURCER’S ACCESS TO SERVICE PROVIDER’S SYSTEMS)

How to define "systems" for these purposes
Installation of Outsourcer's monitoring technologies on Service Provider's systems
Cost allocation


MONITORING/ACCESS (Cont’d.)

Requirements that Outsourcer must follow

• Access control
• Use of appropriate technologies
• Training
• Outsourcer security procedures


PERSONNEL (MAY BE POINT OF GREATEST VULNERABILITY)

Screening requirements
Compliance with codes of conduct
Monitoring of employees
Temporary personnel
Transitional (rotating) personnel
Remote access
Telecommuting personnel of Service Provider
Confidentiality agreements


PERSONNEL (Cont’d.)

Training
Treatment of personnel records
Identity management (i.e., use of technology to support rules regarding enterprise-wide access to systems, based on a unified source of information about each employee)
Limitations on the right to change/remove personnel (including Outsourcer's right to request changes)


INCIDENT REPORTING AND RESPONSE

Severity level definitions
Trouble tickets
Dispute resolution
• Defined escalation path
• Internal dispute resolution processes
Suspension of service
Notice requirements
Emergency/incident response team
Cooperation with internal and external investigations


DISASTER RECOVERY PLANNING

Security aspects of the disaster recovery plan
• Use of hot sites, backup tapes, mirrored sites
• Application of contract requirements regarding security to third parties providing disaster recovery services
Service Provider testing, updating and maintenance of the plan
Notice to Outsourcer of Service Provider changes to disaster recovery plans
Code escrows for mission-critical systems
Outsourcer's right to access control systems if Service Provider fails


CROSS-BORDER ISSUES

Need for enhanced security in jurisdictions with weak IP protection
Data protection (another panel)
Impact of local laws on Outsourcer; third-party access to Outsourcer data (e.g., the ability of a US litigant to obtain Outsourcer's data from a Service Provider located in a foreign jurisdiction)


NETWORK/LOGICAL SECURITY

Firewall management
Patch management
Periodic (annual) re-certification of network information
Audit right
Obligation to update technology
Service Provider's requirements regarding Outsourcer use of and access to Service Provider's systems, and Outsourcer's obligation to use certain technologies and processes
• Service Provider does not want to create weaknesses in its systems because its Outsourcers are not using appropriate technologies or processes, or are circumventing security requirements.


PHYSICAL SECURITY (as opposed to logical security)

Coverage of subcontractors
Consideration of Outsourcer's and Service Provider's various locations and use of mobile, remote-access technology


RECORDS RETENTION AND ARCHIVING

What must Service Provider maintain?
How long?
Outsourcer's access right, including pre- and post-termination
Local jurisdiction legal/regulatory environment regarding Outsourcer's and third parties' rights to obtain data


REVERSE MIGRATION/TRANSITION

Upon completion, “sanitize” all Service Provider equipment of Outsourcer’s data

Include downstream providers working for Service Provider, employees, others with access to Outsourcer data.

Service Provider’s obligation to maintain Outsourcer information confidential

Application to Service Provider personnel

Audit rights


AUDIT PROCESS AND CERTIFICATIONS

Changes to DRP, security issues
General audit of security issues, requirements
Certifications of compliance with ISO standards
Audit of confidentiality requirements, post-termination obligations, etc.
Audit of downstream providers, third parties


SPECIAL SITUATIONS

Will Service Provider also be developing applications and code for Outsourcer?


LEGAL ISSUES

OCC Bulletin 2001-47
FTC rules
FTC decisions in the Guess? and Eli Lilly matters
Indemnity
Representations, warranties
Gramm-Leach-Bliley
Basel II Conference


PRACTICAL APPLICATION

Hank is a senior in-house technology lawyer at BIG BANK, a financial services conglomerate. BIG BANK is considering a proposal to outsource to GLOBAL, a multinational service provider, the processing of all of its credit card receivables. The transaction has an estimated value of $550 million in service fees per year for five years. Mike is outside technology legal counsel for GLOBAL. Hank and Mike are negotiating the outsourcing contract and related agreements.


Real time data on all payments will be sent from BIG BANK’s various operations to BIG BANK’S data center in Denver. Data is then sent to a GLOBAL hub across a secure VPN (virtual private network operated across the Internet). GLOBAL will then distribute the processing to different facilities. GLOBAL plans to do a great deal of the work at three different new campuses at which GLOBAL has installed campus-wide wireless networking. The campuses are located in Dhaka (capital of Bangladesh), Costa Rica and Dublin. Among BIG BANK’s clients are certain Federal agencies that have issued credit cards to their employees. BIG BANK also performs a number of functions under contract with the federal Treasury Department and a number of state agencies.


While the negotiation of most of the contract has proceeded smoothly, consideration of certain issues has been deferred as being "harder." Today is the day they turn to these "harder" issues:

BIG BANK's CIO is very troubled by the extensive use of wireless technology and reports that he has been reading about the relative lack of security of the technology. He has charged Hank with getting "bullet-proof" legal protections in the contract.


BIG BANK wants (a) "regular" reports from GLOBAL on all incidents and disruptions ("trouble tickets") that are reported on GLOBAL's systems and GLOBAL's network carriers; (b) an "immediate" report on all "serious" trouble tickets; and (c) "appropriate" indications of the status and resolution of the incidents. Both sides recognize that reporting is necessary but are having a good deal of trouble calibrating a reporting system that meets their respective needs and risks (for example, all hits vs. only hits directly impacting BIG BANK's data).


BIG BANK wants to share the results of the foregoing reports with certain Federal and State agencies, certain industry consortia and various information security organizations like CERT and SANS. BIG BANK may be willing to do so on an anonymized and aggregated basis, but knows that under the Homeland Security Act potentially all of this information could be submitted as Critical Infrastructure Information to Federal agencies, which can deliver it in turn to state agencies. GLOBAL has a number of concerns. Mike has been charged with making sure GLOBAL's interests are protected both legally and reputationally.
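The calibration question the two preceding scenario slides leave open (which of GLOBAL's trouble tickets reach BIG BANK and how fast, and what an anonymized, aggregated version for CERT/SANS-style bodies would contain) can be stated precisely as a small policy-as-code model. The following is an added illustration, not part of the 2004 presentation and not code from any GLOBAL or BIG BANK system; the ticket fields, the severity ladder, the "high" threshold for immediate notice, the two scope names, the sample tickets and the reporting key are all assumptions.

```python
"""Trouble-ticket reporting policy as code (added illustration; not from the
presentation).  Ticket fields, severity ladder, the "immediate" threshold,
the scope options and the sample data are assumptions about what a contract
of the kind discussed would have to define."""
from collections import Counter
from dataclasses import dataclass
import hashlib
import hmac

# Assumed severity ladder the contract would define.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
IMMEDIATE_THRESHOLD = "high"  # at or above this level: "immediate" report (assumed)


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    severity: str               # one of SEVERITY_RANK
    host: str                   # provider system or carrier that raised it
    touches_client_data: bool   # did the event reach the outsourcer's data?
    category: str               # e.g. "portscan", "malware", "link-down"
    resolved: bool


def needs_immediate_report(t: Ticket) -> bool:
    """'Serious' tickets are reported at once, whatever the regular scope is."""
    return SEVERITY_RANK[t.severity] >= SEVERITY_RANK[IMMEDIATE_THRESHOLD]


def in_regular_report(t: Ticket, scope: str) -> bool:
    """scope 'all': every ticket on the provider's systems and carriers.
    scope 'client_data': only tickets that directly touched the outsourcer's data.
    Anything else is a contract drafting error, so fail loudly."""
    if scope == "all":
        return True
    if scope == "client_data":
        return t.touches_client_data
    raise ValueError(f"unknown reporting scope {scope!r}")


def pseudonymize(name: str, key: bytes) -> str:
    """Keyed hash: the same host gets the same label across reports, but a
    recipient without the key cannot recover the host name or brute-force it
    from a short dictionary of likely names."""
    return hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:12]


def regular_report(tickets, scope):
    """Per-ticket status list the outsourcer receives under the agreed scope."""
    return [
        {
            "id": t.ticket_id,
            "severity": t.severity,
            "immediate": needs_immediate_report(t),
            "status": "resolved" if t.resolved else "open",
        }
        for t in tickets
        if in_regular_report(t, scope)
    ]


def shareable_summary(tickets, key):
    """Anonymized, aggregated view for outside bodies: counts by severity and
    category, hosts replaced by keyed hashes, no ticket identifiers."""
    return {
        "by_severity": dict(Counter(t.severity for t in tickets)),
        "by_category": dict(Counter(t.category for t in tickets)),
        "affected_hosts": sorted({pseudonymize(t.host, key) for t in tickets}),
        "open": sum(1 for t in tickets if not t.resolved),
    }


# Constructed sample tickets (not real data).
SAMPLE_TICKETS = [
    Ticket("T-1001", "low", "hub-dhaka-01", False, "portscan", True),
    Ticket("T-1002", "high", "hub-dhaka-01", True, "malware", False),
    Ticket("T-1003", "medium", "carrier-edge-07", False, "link-down", True),
    Ticket("T-1004", "critical", "wlan-ctrl-cr-02", True, "unauthorized-access", False),
]

if __name__ == "__main__":
    key = b"reporting-party-secret"  # assumed; held only by the reporting party
    print("client-data scope:", regular_report(SAMPLE_TICKETS, "client_data"))
    print("all-hits scope:   ", regular_report(SAMPLE_TICKETS, "all"))
    print("shareable summary:", shareable_summary(SAMPLE_TICKETS, key))
```

The two scopes correspond to the "all hits vs. only hits directly impacting BIG BANK's data" choice: under `client_data` the low-severity port scan and the carrier outage never appear in the regular report, while the malware and unauthorized-access tickets are both reported and flagged for immediate notice regardless of scope. The keyed hash in the summary is what makes "anonymized" mean something operationally: the party that holds the key can still correlate repeat offenders across submissions, the recipient cannot.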


GLOBAL wants to be able to subcontract future software development work on the applications that serve BIG BANK to a variety of developers, including developers in Eastern Europe, Malaysia and Israel. BIG BANK’s CIO is extremely nervous about this from a security standpoint and also as a matter of knowing to whom the payments to the vendors are going. He has charged Hank with “covering us totally.”


After extensive effort, and responding to enhanced public sensitivity to security issues, BIG BANK has adopted an updated and very thorough incident response plan for responding to compromises of any of its "critical" information systems. The plan has been reviewed by internal and external legal counsel, a number of information security consultants, several government agencies, internal IT, information security and risk management staff, and other internal staff, such as BIG BANK's Chief Privacy Officer (disclosures of non-public personal information in credit card files) and HR (for HIPAA compliance), etc.


Two of the fundamental principles in BIG BANK’s plan are (a) extensive and immediate reporting to national governments, including all relevant law enforcement agencies, with as much confidentiality as possible; and (b) prompt and open public disclosure to shareholders of all material incidents as soon as facts can be determined with adequate certainty. GLOBAL’s equally thorough policy adopts what has been described to Mike as “a more cautious policy toward information availability.” Both sides agree that the contract must specify without much ambiguity what disclosures may be made if there is a serious penetration of the network. Each side wants its approach to be followed.
