Legal teams have long played an important role in information security (infosec) and compliance programs. The expertise that attorneys bring to the table complements the knowledge of technical subject matter that IT professionals possess and, when the two groups work toward a common purpose, contributes to a well-rounded IT risk management program.
In this tip, I look at three different areas in which legal teams can contribute to information security efforts in enterprises of all sizes, and how to ensure the two groups work together successfully.
Legal departments often find themselves thrust into the middle of enterprise risk management (ERM) programs for two reasons. First, they are normally privy to many of the sensitive risks facing different areas of the business. Second, many organizational risks are legal in nature, requiring the expertise of attorneys to assist in interpreting laws and regulations, and to estimate the impact on the organization should a violation occur.
Information security professionals often perform their own risk assessments, but obviously the risks an infosec team looks for are quite different from those of concern to the legal department. Plus, security-driven risk assessments tend to be done in a vacuum and are rarely shared outside of the IT department, due to their highly technical nature.
IT leaders who are able to bridge the technical gap and provide a coherent layperson's assessment of information security risk can partner with their legal teams to feed these assessments into the organization's broader ERM program. Every reasonably large enterprise should have an ERM program that gathers risk data from throughout the organization to assess and mitigate any and all risk to the business, and information security risks like malware instances, unpatched systems, policy violations and many others should be incorporated into that broader risk management effort.
To ensure this collaboration happens, infosec leaders should reach out to and establish a relationship with their legal counterparts. Foster discussions about risk from each perspective, and no doubt this will lead to common areas of interest and ways each team can support the other's objectives, including risk management. This collaborative approach will ultimately help ensure the organization's leadership has a clear view into security risks, and increases the likelihood that they will allocate resources to address IT risks.
Compliance and incident response
Most legal teams first become involved in IT security matters when they provide assistance to IT and functional teams seeking to comply with security laws and regulations. The Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA) and many other regulations create a confusing maze of requirements for IT organizations, which often lack the training and experience needed to interpret and apply complex laws and industry guidelines.
Attorneys can assist by helping the IT team clearly understand what regulations apply to the organization and the scope of their applicability. They are also able to provide advice about the acceptability of planned controls when the rules appear ambiguous. Information security teams shouldn't hesitate to reach out to the legal team for any discussion about how to interpret and apply compliance mandates. It takes some practice for each group to learn how to understand each other's language, so remember that patience will be needed on both sides of the table.
Legal teams also play an important role when a data breach or other major security incident occurs. They have the expertise to help guide the response from a legal perspective and advise the organization's leadership on the laws related to breach notification and response. Before an incident occurs, it is absolutely critical that the legal team have a seat at the incident response-planning table. This should include simulating the legal issues that will come into play alongside the IT issues as part of tabletop exercises. When an incident does happen, the legal department should be among those notified immediately and should participate in the rapid response effort.
Most organizations already rely on their legal teams to review IT contracts (if yours doesn't, it should). It is a natural extension of this work to also ask the legal team to ensure the security language in contracts adequately protects the organization's interests. This should apply to contracts with both vendors and customers, and should cover security controls, auditing, breach notification, indemnification and any other issues important to your organization.
One of the best ways to facilitate this process is for the security and legal teams to jointly develop a set of standard contract language documents that address these issues. That way, the information security team can add this language to any contract it receives or develops, ensuring that key legal concerns are automatically addressed. When the other party to a contract accepts the standard terms, the contract may be approved quickly. On the other hand, any proposed changes to the standard terms should trigger an in-depth review by both the legal and information security teams.
Building a strong relationship with your legal department is one of the quick paths to success for information security professionals. The entire enterprise stands to benefit when experts from both sides -- information security and lawyers -- join forces to tackle the difficult problems infosec presents.
About the author:
Mike Chapple, Ph.D., CISA, CISSP, is a senior director of IT with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He is a technical editor for SearchSecurity.com and Information Security magazine and the author of several information security books, including the CISSP Prep Guide and Information Security Illuminated.
Veteran CISO Ernie Hayden offers advice on how information security can communicate effectively with the legal team.
Domain 8 of SearchSecurity's CISSP Essentials Security School offers detailed information on how legal, regulations, investigations and compliance affect information security.