Compliance audits. Most companies dread them, but for law firm Javitch, Block & Rathbone, multiple audits are a weekly event. To manage the resources needed to meet this onslaught of data demands, the firm turned to the Unified Compliance Framework.
The UCF enabled Javitch, Block & Rathbone to reduce the number of unique controls they need to comply with from 2050 to 850. And the firm has seen a 40% reduction in the time spent with the audit teams, a 30% reduction in the time required to gather data for an audit, and a 50% reduction in remediation requests.
Imagine being audited for compliance a dozen or so times each month. It may sound like the plot of a horror movie intended to terrorize audiences comprised only of corporate executives—but for Javitch, Block & Rathbone, LLC, it’s just business as usual.
Javitch, Block & Rathbone (JB&R) is one of the United States’ largest creditors’ rights law firms, employing more than 400 people, including 52 attorneys. The vast majority of the firm’s client portfolio consists of companies from the financial services industry. JB&R receives, on average, 11,000 new file placements each month, and the file data typically remains in the care of the firm for years. This large volume of confidential financial account data is subject to numerous state privacy and information security laws.
JB&R has identified over 40 governing regulations and standards they must comply with. These include the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), Gramm-Leach-Bliley Act (GLBA), Fair and Accurate Credit Transaction Act (FACTA) and collections laws.
Financial services companies are a prime target for cybercriminals, with some of the highest annualized cyber-crime costs of all U.S. companies, according to the “Second Annual Cost of Cyber Crime Study,” conducted by the Ponemon Institute and sponsored by HP ArcSight. This naturally results in JB&R being heavily audited for security compliance. In any given month, JB&R averages eight remote audits consisting of questionnaires and evidence requests and three on-site audits at the firm’s headquarters in Cleveland. JB&R must meet each audit request with unique answer sets.
Keith Payne has been the information systems security officer at JB&R since 2005. Prior to that, he served 20 years in the U.S. Air Force, where one of his duties was to serve as an IS security officer. He is JB&R’s one-person information security department, plus he leads and manages IS compliance for the firm as a whole, as well as for each area of practice with its own overlapping and unique governance and operations.
Payne says the greatest challenge for the company was determining which controls overlapped across the 40 standards and regulations that JB&R needs to comply with, many of which have controls that are not clearly categorized. In addition, the firm’s Legal and IS teams often struggled to prioritize control implementation. JB&R’s Legal Compliance (LC) team worked to meet its governance needs through its own analysis and implementation of controls. This left Information Security Compliance (IS) in a reactive posture relative to LC’s guidelines, with IS often unable to implement control policy until LC had identified the need.
The ability to clearly define a single mandated control and determine whether the proposed control would satisfy one of those 40 governing regulations or standards also required greater resources than either team could spare.
“Since legal compliance is an integral core competency of our firm, we determined that IS security compliance needed to be separated from the legal compliance department and become an independently managed system. The newly formed information security department was designed to complement and work hand in hand with the firm’s legal compliance function,” says Payne.
To accomplish this, Payne and his project team—comprised of a managing partner of the firm, the director of information development, the director of information technology, and the chief operations officer—developed an Information Security Management System (ISMS) based on ISO 27001, a risk-based, best-practice standard for building and maintaining data security systems.
The new ISMS was a great improvement, but a few problems remained. The primary issue was that the continual changes typically made to controls caused the company to churn its requirements. This increased the possibility that, as Payne explained, “tunnel vision on some of the regulations may result in other regulations not getting the attention they required.”
Payne says that JB&R searched for years to find a solution that would meet its needs for managing complex, overlapping and ever-changing compliance controls. Finally, the firm found that the issue could be effectively addressed with the UCF, teamed with LockPath’s Keylight Governance, Risk and Compliance (GRC) platform.
“The greatest limitation that I found in other offerings is that they were focused only on either a specific regulation or segment of our business,” says Payne. “The UCF, by far, has the greatest diversity in identifying the regulations/standards of our entire enterprise and mapping an independently maintained control list to those regulations, thus removing overlaps and duplicates.”
The UCF mandates policy for the entire firm. Audits are performed against the identified controls to ensure the regional offices are meeting the regulatory requirements. Each regional office is able to customize its policies and procedures to fit its local culture, but is held to the expectation of meeting the controls that ensure compliance with the governing regulations and standards identified by the head office. Every regional office may also implement additional controls, with the understanding that these must also be mapped via the UCF to a governing regulation.
Payne was surprised by how smoothly the UCF solution was deployed. In a single two-hour meeting, the Legal Compliance Officer and the Information Security Officer were able to review the list of regulations and standards, quickly marking the appropriate ones as active for the global function of the firm. This process ensured that all controls mapped (linked) to those standards were immediately classified as applying to the business.
Harmonizing all the overlaps provided a far more manageable list of controls to be addressed. When the regulations JB&R must comply with are taken individually, the firm is obligated to implement over 2050 controls. Harmonizing controls with the UCF shrank that list of unique controls to approximately 850.
“We also found that prioritization based on how often the control appears made the entire system more efficient for us,” says Payne. “By cross-referencing all of the active controls with a count of how often the control appears in the different regulations, we are able to dedicate resources to adoption of controls that will have the greatest impact on meeting our obligations.”
UCF content is updated quarterly. Payne says these additions can be evaluated against potential gaps in the firm’s existing policies and procedures, “with exceptions being properly documented and remediation plans and/or justifications being managed with minimal disruptions to day-to-day operations.”
“And having an independent third party (UCF) providing the updates gives the IS Committee greater credibility when changes (primarily additional controls) are communicated to the business units in the firm,” explains Payne. “There’s much less conversation about ‘do we really need this,’ so now we can focus on how to implement changes efficiently and effectively.”
By leveraging the UCF in the mapping of JB&R’s control implementation, the firm has seen a 40% reduction in the time spent with the audit teams for IS and a 50% reduction in remediation requests. Payne says that the firm’s clients have a “greater sense of our security posture and their requests for additional controls to mitigate their risks fit into our ISMS structure more logically.”
“The time required to complete an audit, specifically the data gathering part, has also been reduced by 30% as JB&R’s efforts are now so clearly documented and measurable,” says Payne.
“The greatest benefit to JB&R using UCF is the clear vision to compliance,” says Payne. “Leveraging the UCF content allows the firm to use our resources on the implementation and continual improvement of our security posture. We are no longer required to continually research in order to translate governing regulations and standards into a meaningful set of controls.”
Payne also discovered one totally unexpected but very real benefit of the UCF: leveraging its reputation.
“When JB&R has in-depth audits conducted on our Information Security Management System (ISMS), the fact that we use the UCF to identify the needed controls results in almost instant acceptance among JB&R staff, clients and outside auditors that we have the requirements fully scoped.”
Keith Payne, Information Systems Security Officer, Javitch, Block and Rathbone