Have You Asked Your CIO These 10 Information Security Questions?
Note: I wrote this with my partner David Katz, and it was originally published here.
Highly publicized data breaches and newly enacted statutory and regulatory requirements (e.g., GDPR, CCPA and breach notification statutes in all 50 states) are forcing long-overdue discussions around data security and incident response preparedness.
While the threat of a data breach is not a new or emerging risk, many organizations may only now be starting in earnest to assess their ability to manage information and respond to an information incident.
A clear understanding of how various information security obligations apply to an organization requires ongoing communication between the legal department and the Chief Information Officer (CIO), Chief Information Security Officer (CISO) or other individual responsible for the oversight of information technology (IT) systems. These communications can prove difficult given the different languages spoken by attorneys and technology/security professionals.
In order to begin to bridge the gap that may exist between the General Counsel’s office and the IT department, below are 10 questions a General Counsel must ask a CIO in order to move toward an effective information security and governance program.
1. Can you show me our data map?
If you don’t know what information you store, where and how you store it, and who and what is responsible for protecting that information, then you can’t quickly or effectively respond when information goes missing or is compromised. Has the company created a written document that maps data (visually and otherwise) by repository (where it is stored), inventories the data stored in those repositories, identifies the data owners/managers and classifies the data’s sensitivity?
The time and resources invested in understanding these important facts will serve the organization well if a data breach or data loss occurs. Additionally, this document can further serve as a basis for mapping the legal and regulatory obligations surrounding such data. In particular, those organizations subject to litigation or other legal hold have learned very quickly that an accurate data map makes the implementation and management of those holds a substantially less painful exercise.
Once completed, the document can be updated and used by individual data owners, the IT department and the legal department, and it should be revisited whenever a new system or vendor is introduced.
2. With whom are we sharing our data? What third-party vendors have access to our data, how is this access tracked and how are we monitoring access?
The General Counsel must determine whether each vendor has access to the organization’s data, and to which data. There should be a corresponding written agreement between the organization and the vendor addressing responsibility in the event of a data breach. These agreements should require the vendor to implement and maintain appropriate data security controls, to notify the organization promptly of any security incident involving its data, and to indemnify the organization in the event of a data breach.
3. What percentage of the total IT budget is spent on data security?
General Counsel may feel uncomfortable raising questions concerning the budget of another department. However, the answer could be a potential red flag or a source of comfort. The implications are obvious: in the event of a data breach, too little money spent on security could be cited as evidence that the organization failed to implement reasonable security controls. Ultimately, the objective is to understand the number in its proper context: the size of the organization, the nature of its existing legal and regulatory obligations and its risk tolerances.
At a minimum, the General Counsel needs to know the answer to this question before a data breach occurs in order to appropriately benchmark the organization against similarly situated organizations.
4. What percentage of IT personnel have expertise in data security?
The same logic applies to personnel as it does with budget. General Counsel need to know before a breach occurs. Can the organization credibly defend its security measures based upon its existing personnel? Do you have the right people in place to respond appropriately?
5. What have we done in the last six months to identify and address vulnerabilities in our security program?
General Counsel need to understand in detail what information risks a company faces, and what measures are in place to assess and address these risks. This information will be important in determining the risk of a data breach.
The results of such an assessment could also be Exhibit A for regulators and plaintiff’s lawyers, especially in the event that the risks identified thereon have not been addressed. This is not a document that should be reviewed for the first time in response to a subpoena or as part of a document production.
6. Do we have an incident response plan and is it current?
This is critical and should be addressed as soon as possible. The mere act of putting a plan together can deliver valuable information and allow the organization to respond effectively in the event of a crisis. Detailing in advance the measures that will be taken in response to a data breach (absent the urgency and pressures that exist during an actual data breach) will result in a more refined, well-thought-out plan. A plan that has never been exercised (for example, in a tabletop drill with legal, IT and communications at the table) is rarely current in any meaningful sense.
7. How are we controlling access to sensitive data?
General Counsel should understand the controls that are in place to ensure the principle of least privilege — meaning an employee only has access to that data necessary for her to perform her job — applies throughout the organization. This needs to be monitored closely by the IT department, including periodic reviews of who holds access to the most sensitive repositories. Granting employees access to the organization’s most sensitive data outside their normal job function creates unnecessary exposure: every such account is a potential source of an information security incident. The knowledge obtained through the creation of a data map and classification of the organization’s data can be leveraged to ensure the organization is applying the principle of least privilege.
8. Do we encrypt sensitive data?
When the organization stores sensitive information or sends that information outside the organization, are encryption technologies employed to secure that information? Encryption is rapidly becoming a “best practice,” and in fact is considered “safe harbor” under some breach notification statutes. That safe harbor generally applies only if the encryption keys were not also compromised, so the follow-up question is how those keys are managed and who can access them.
9. How do we protect our sensitive data when we hire and evaluate third-party IT contractors?
IT is no different from any other part of the organization. The rules surrounding temporary or contract employees should be strictly enforced in the IT department, with careful compliance oversight for hiring and retention of third-party contractors. If the IT department were a bank full of cash, every single individual with access to the cash would be scrutinized.
In reality, the organization’s data is like cash and the controls for who can access and work with the “data cash” should be strictly enforced. In some organizations, the IT department is moving fast to “keep the lights on” for the business. The pressure to support the business whether it is continuing to develop and write code or keep the network operating can be intense. If the lack of qualified employees is an issue, requiring temporary employees to maintain operations, this is an area to monitor closely.
10. How are we using or planning to use customer, consumer, or employee data, and have we considered security and privacy issues?
General Counsel need to be engaged constantly on this topic. This question applies to departments beyond IT because many organizations are trying to capture and monetize data. The reality is these departments will need IT to support, or be directly involved in, these efforts. For this reason, the IT department will likely be a clearinghouse for any corporate initiative involving data. If the legal department is in the dark about these initiatives, then the privacy and regulatory implications may not be fully addressed at the outset of the project.
General Counsel should be at the table at the beginning of these initiatives, not as an obstacle but as a partner. Legal department participation can help ensure the project complies with current and evolving security and privacy regimes.
Conclusion
This list is not exhaustive, and these questions and others can’t be asked just once. Information security is a process, and as technologies and risks evolve, so too must the controls your organization uses to manage information risk. It is best to start, and then continue, an ongoing conversation around these topics.