Sunday, June 21, 2015

Risk News: Screening, Security (ISO 27001) and Cloud Concerns (or Not)


For those in the US, Happy post-Fourth of July. Here's a set of interesting updates to kick off the month on a variety of topics. First up: "DC Bar Revisiting Ethical Screening: Comments Sought on Move to Amend Rules 1.10, 1.15, and 7.1" --
  • "The proposed amendments were submitted to the court by the D.C. Bar Board of Governors on recommendation of the Bar’s Rules of Professional Conduct Review Committee. The proposed amendments [include]:"
  • "A. Rule 1.10 (Imputed Disqualification: General Rule)
    Amend Rule 1.10 and its comments to allow ethical screening (without client consent) of lawyers moving laterally between private employers with certain initial notice requirements to former clients. The committee further recommends the addition of a new subparagraph (f) to address situations in which a law firm cannot provide required notifications without violating confidentiality obligations to an existing client."
Jeff Brandt at Pinhawk noted a resource of interest to the security-focused: "The brain of an ISO auditor – What to expect at a certification audit" by Advisera, a consultancy --
  • "If your company is going for the ISO certification (e.g., ISO 9001, ISO 14001, OHSAS 18001, ISO 20000, ISO 22000, ISO 22301, or ISO 27001), you’re probably not very happy about it – certification auditors are usually perceived as persons who are not very open minded and who will insist on a whole bunch of unnecessary details. But the truth is, it doesn’t have to be this way – if you understand how the auditor thinks, your audit can turn out to be much more pleasant and useful. Here’s what you need to know."
We also recently noted several updates concerning law firm risk and information governance practices tied to cloud services. (Watching the industry discussion unfold on this topic conjures memories of the industry's adoption and debate about electronic mail...) Here's another bit of commentary from outside of the legal space, which raises some important points: "Enterprise financials in the cloud? Why the fog of skepticism may be lifting" --
  • "Spreadsheets and email documents are a bigger threat than the cloud, says Forrester Research’s Liz Herbert"
  • "One of the HubbleUp speakers was Liz Herbert, a vice president and analyst at Forrester Research. During her talk, she emphasized that when it comes to keeping private data inside the enterprise, the horse has already left the barn. She talked about one customer engagement, which the C-level officers brought Forrester in to begin – to begin! – a feasibility study of placing some corporate information into the cloud. However, once onsite, she learned that the company was already using Salesforce.com to manage its customer interactions. The lesson: The company was already storing sensitive information in the cloud, but didn’t even realize it."
  • "Herbert urged business to 'get real' and accept that security breaches, such as HIPAA violations, occurred from the use and misuse and abuse of locally stored data, not data in the cloud. The common scenario, she said: documents and spreadsheets being emailed around the company. It’s very, very easy to accidentally send critical information to the wrong address, or intentionally leak the information via email, or even copy it off a hard drive onto a USB key. 'Spreadsheets and email documents are a bigger threat than the cloud,' she said."
