Security Policies & Audits
The Information Security & Internet Enforcement Practice (ISIE) at Sonnenschein has extensive experience in conducting information security audits, as well as working in tandem with technical consultants in performing risk assessments and implementing solutions to address identified risks.
ISIE and its security vendor partners perform information security assessments with an eye toward the compliance requirements of an array of currently applicable laws and regulations, including state breach notification laws, California A.B. 1950, HIPAA, and GLB, as well as ensuring that an organization is meeting industry best practices set forth in standards such as National Institute of Standards and Technology (NIST) and ISO 17799. ISIE’s risk analysis includes administrative, physical security and technical assessments, and is intended to fit into organization-wide planning initiatives. The end goal is a technical infrastructure and suite of policies and procedures that not only comply with current regulatory requirements, but also serve to enable the entity to respond effectively to security incidents in a manner that minimizes potential liability.
ISIE’s methodology may differ depending on the nature of the client, its network, the types of information stored on the network, and its culture. As a general outline, however, our team will focus on the following tasks:
- Risk Analysis Interview Process - interviews of key personnel followed by a correlation of results, analysis of data, and creation of an analysis report.
- Policy Review - extensive review of the Network Access Policy, Facility Security Policy/Plan, Security Training Policy/Procedure, Incident Response Plan, Contingency Operations Plan, Privacy Policy, Customer/Patient Notification Plans, and HR Policies regarding sanctions, terminations, and background investigations.
- Review of Vendor and Affiliate Contracts - review and update all contracts with third parties with whom the entity shares customer or employee data.
- Physical Security Assessment - on-site physical security assessment to examine security policy and procedures.
- Security Policy Development/Report - draft prioritized recommendations to bring the entity into compliance with applicable law and industry standards.
In cases where ISIE partners with a security vendor, the vendor will perform a technical review of the entity’s security infrastructure, including such tasks as:
- External/Internal Vulnerability Assessment - Internet-based scan and vulnerability assessment of networks for vulnerabilities associated with external dial-up connectivity and the internal network.
- Configuration Review - scan and vulnerability assessment of more than 200 critical servers, routers, firewalls, and individual network stations, including detailed analysis, correlation of findings, and a comprehensive report.