INFORMATION SECURITY ESSENTIALS: THE BENEFITS OF CSC ENTITY MANAGEMENT
If you’re like most, your organization probably relies on a range of online tools to improve collaboration, automation, and transparency both within and across teams. One of the most common tools used by legal and compliance teams today is entity management software. The tricky question is: how can you be sure that the sensitive company information stored in these platforms is safe?
There is no silver bullet, and not all vendors place an equal emphasis on security. What security essentials should be a part of your technology evaluation? CSC has made security central to everything we do. During this one-hour session, we’ll discuss common security challenges and detail some of the unique measures CSC takes when it comes to safeguarding your information.
Next, we’ll zero in on the CSC Entity Management platform to highlight recent application-level features we’ve established to protect your data. We’ll introduce the benefits of implementing an entity management solution.
Disclaimer: Please be advised that this recorded webinar has been edited from its original format, which may have included a product demo. To set up a live demo or to request more information, please complete the form to the right. Or if you are currently not on CSC Global, there is a link to the website in the description of this video. Thank you.
Annie: Hello, everyone, and welcome to today's webinar, "Information Security Essentials and the Benefits of Entity Management." My name is Annie Triboletti, and I will be your moderator. Joining us today are Scott Plichta and David Jefferis. Scott is the Chief Information Security Officer at CSC.
In his role, Scott has global responsibility to protect CSC's customers' information assets as well as the company's assets. Previously at CSC, Scott oversaw the development and operations of software for the company's legal and financial services platform.
David is a product manager for compliance and governance services at CSC in the Wilmington, Delaware headquarters office. With CSC for over 13 years, he has significant experience providing training, implementation and consultative services to clients at CSC Entity Management and consults with those evaluating CSC Matter Management Solutions. And with that, let's welcome Scott and David.
David: Annie, thank you so much. I know that Scott and I are so excited to be here today. We're really appreciative of folks joining us for what should be a very exciting webinar covering security and entity management and how those things come together. So really, just to kick things off, we've got a lot of content. We're going to start by taking a look at our agenda. And so we want to talk about why security is important, something that really should be front and center in your mind. Just as you evaluate technology as you go about your day-to-day business, we want to talk about the security measures that CSC takes to protect the infrastructure that we use to provide our client facing applications.
We'll also have Scott take us through how CSC protects our own sort of internal networks that our employees use as well. We'll talk about some of the third-party validation exercises that we go through to ensure that we have really leading edge security for our customers and for CSC.
And then the sort of the second part of the presentation is where we'll transition into talking about entity management. We'll talk in some detail about the CSC Entity Management solution, talk about why organizations implement that type of technology. And then at the very tail end, we'll go into an actual live demonstration of the CSC Entity Management solution looking at some of the security features that are available in the solution, including a brand new upgrade to the platform itself.
And then certainly, at the tail end, we'll take some Q&A. And as Annie noted, during the course of the webinar, you can submit questions and we'll do our best to answer them. Certainly as we go along, and if we're unable to get to them due to time, certainly we'll make sure that we follow up with you with some answers to those as well.
On the next slide, we talk a little bit about who CSC is as an organization and who we serve. And so certainly, we took a look at some of the folks that registered for our session today. We do recognize that there are organizations that currently use CSC, and we're thankful for your business, excited to speak with you today. But also, there are a number of folks that have registered and joined today that are not currently doing business with CSC. So we think that this slide, in a pretty succinct fashion, talks a bit about sort of the breadth of the organizations that we do serve as an organization. So over 180,000 corporate customers utilize CSC services. We represent over 90% of the Fortune 500 with at least one of our services, whether that's registered agent, domain services, entity management, matter management. So there's a suite of solutions and again a broad spectrum of the Fortune 500 does utilize CSC services.
And really Scott I think a little bit talk about kind of how this does play into the world of security as well. But again, just a brief slide that talks about who CSC serves as an organization. And so with that, we want to get into the meat of the presentation. And I'll turn things over to Scott Plichta to talk about security.
Scott: Thanks, David. I really appreciate the ability to come talk to everyone today. It's my distinct pleasure to serve as the chief information security officer for a company that is so dedicated to security from the board of directors through executive management all the way down to the customer service reps that you'll work with on a daily basis. Security is a key concern here at CSC because of the clients that we serve, as David just talked about.
So why is it important to you, right? So you do your job and you're thinking about entity management and registered agent and why are we focusing on security? Well, what we found is the legal departments, law firms are great targets these days. As criminals branch out into learning more information about organizations creating better abilities to infiltrate an organization. They realize that there are some great data within legal departments, law firms. There's a treasure trove of data. And there's a few quotes here that you'll just see where we talk about law enforcement that said there's companies that have been breached, or will be breached, or even worse, have been breached and don't know it yet.
And law firms are just this great target of information. Recorded Future is this threat intel group that talks about what are the threats in the world and what do we deal with. And if you look at that last slide, 4.8 million records in 2019, up from 1.7 billion records, a billion records were compromised in 2019. And this could be your data in the hands of someone else. And so we're going to spend some time talking about third-party management and how do you work with your vendors to ensure that your data is secure.
So as I said before, I think that everyone should understand the security of the vendors they're looking at. So considering you're looking at CSC, I think I should explain why your data is secure with us.
So what do we do? What do I do? What does my team do? And what do we do as a company in terms of security? Well, first of all, all of our data is maintained in national class, world class data centers that are ISO 27001 certified. Big numbers and letters, but it just means that some third party, independent auditor has looked at all of our data centers to make sure they have all the things that you would expect in a world class data center.
We maintain stringent data access procedures and controls. That means that the people who have access to your data are only the people, that are limited to only the people that need access to your specific data and specific parts of data. We'll talk about that a little bit later when we talk about the application security controls and David will go into those for you.
Our business continuity and disaster recovery processes are well thought out and well tested. Obviously in the current climate our business continuity plans were put to the test as were everyone's. We were able to maintain our operations 100% as we move onto a business continuity plan due to COVID. And I think that's a real testament to the planning that we had done in preparation for any type of business continuity.
We test this regularly. We do crisis drills through all kinds of security as well as availability or disasters. We do crisis drills with our senior management team. And we practice this so that it's part of muscle memory should we have an issue to deal with.
We pen test our application. So penetration testing is where we hire professional hackers, if you'll call them that, whose job is to find any flaws in our software. And we do this for every product that we offer. And we do it on a regular basis and we use very aggressive penetration testing firms. Their job is to find everything and anything that an external hacker could use. Anything that's found we remediate and put into production fully fixed.
And then we maintain best in class denial of service protection. So one of the benefits of working with CSC is that we're also a data security company and we work in the domain and brand protection world. And so we get to use our own products which are best in class. So that means that if somebody unleashes a something against the CSC, we've got the protection to make sure that your data is available all the time for you.
Okay, so the purpose of this slide is to show you the layered approach that we take with security. Often you think about your own life that do you have antivirus, anti-malware installed on your computer, and that seems to be the end-be-all of security. And when you talk to your vendors with a smaller vendor that you might deal with, they may focus on antivirus. "We've got great antivirus." But it really there's many layers. Every layer of security has holes as represented by the white areas here.
The concept here is you put many layers on top to each other that work in conjunction with each other to protect you. And a good vendor will have layered many of these technologies like you see here. We've just put a representative sample. This isn't everything that we do. And so a good vendor will have all of these layers wrapped around your data. And you really need to make sure that whoever you're dealing with in any part of your systems has multiple layers, and how do you figure that out? So we're going to talk a little bit about how we protect our users and then how do you validate that?
So first you come to these webinars, you send questionnaires to my security team, you get me on the phone, or one of my guys on the phone and we'll explain what we do. But there's more than that. So when we talk about third-party management, there's kind of third-party management and fourth-party management. So if you're going to hire CSC we're your third party. We're the third party maintaining data on your behalf. But then we have what's called a fourth party to you. So they're contractors that we use or companies that we use or third parties to us that we use in the performance of our duties. And your question is, "Well, what's my fourth-party management? How does my third party . . . " Sorry, this is getting confusing. "How does CSC manage our vendors the same way that I'm saying that you need to manage your vendors?"
And so we do that very aggressively. We look at all of our vendors, and we put them through all the security controls that you saw on that last slide. We're looking to our vendors to make sure that they do that so that anybody who's related to our company has a level of security that we expect internal to ourselves. But not only that, you can ask me questions but you really shouldn't have a third-party audit. And so what we do is we hire an auditor to do an independent audit. So they come in and they actually look at data. They pull records from our systems to make sure that everything we say do we actually do do. And we represent that through what we call a SOC 2 Type 2 independent audit. And that's very important.
But the SOC 2 and the Type 2, a Type 1 says, "Have you designed a good security program?" A Type 2 says, "Do you actually operate the way that you designed it?" So that's a more aggressive test that we do with our auditors. And every year they produce a report that if you sign an NDA that you can get a copy of that report. So you can see what an independent audit of our security looks like.
But not only that. I want to go back to a slide that David had before and let's talk about what our customers are seeing in our customer base. We serve the largest customers in the world and each of those has phenomenal third-party management programs. I get to interact with some of the best third-party managers there are in the world, and prove to them that our security is up to their standards. We work with 90% of the Fortune 500. So that means that the largest companies that have the most stringent controls have looked at us, have vetted us, and have selected us as a secure partner to work with. When we say 8 of the 10 largest banks, the banks probably have the most stringent security controls of anybody out there. And we pass all of them.
All of them have looked at our controls. Many of them come on site, do audits, and have been to our facilities to make sure that what we say is what we do, and they've all come out and said, "You do." I think this is really important as we start to look at, as you look around, if you look at other vendors for any systems that you're working on is who's vetted them to what level? And we maintain very sensitive data for these customers. And they've decided that we are of a class that can not only work with them, but we can store sensitive data on their behalf. And I think that's quite important as you look at any vendor that's going to work with you in the future.
Okay, so a little bit more about how we secure our users that handle your data because we're a service company, there are pieces of data that we will work with you. You will have customer service reps that will work with you on looking at your data. We need to make sure that they're secure. So a couple things that we do. Let's go through just a few. And this is just some highlights and things that you can take back also in your daily life.
So passwords. So we move from 8 character passwords to 16 character passwords. David and Annie both probably swear me up and down every time they have to type in their 16 to 24 character passwords. But we found and the industry has shown that very long passwords more like passphrases are far more secure than those eight character passwords. Some of you on this call are still using spring 2020, COVID 2019 as your password and those are easily guessable by attackers.
We ran through an assessment before we made the switch and after to whether an attacker could guess or use a database of passwords against us. And once we moved to 16, we've yet to have an attacker be able to guess one of our user's passwords. They're just at 16 characters, they're just too difficult.
But don't trust passwords. The next level is two factor, which is something that you have versus . . . a password is something you know and the second factor is something that you have. So we have authentication mechanisms built into phones or phone numbers that all of our users have to use to access your data.
Something that I think is very important is password management. And this is something a skill that all of you who are listening this call can implement for yourself in your personal life, which is nobody can keep 16-character password times 500 sites straight. So they end up reusing passwords is probably one of the worst things that you can do in security. So we actually provide our users with a password manager knowing that they have more than just their one password on to us. And I highly recommend that all of you use a password manager in your personal life, to keep very complex passwords that can be generated that aren't well known, and make them unique per site.
Anti-phishing and antivirus, we have all those standard things on all of our user laptops, all of our systems. Intrusion protection. So if somebody's trying to get into our systems through various means. We are both protecting, meaning stopping attacks and also detecting behavior from a certain machine and then we can block that machine, etc.
We have a state of the art security operation center. So I have a staff that reports to me that works 24/7 that looks at anything that's incoming ongoing phishing attempts. We look at phishing emails, and we're constantly there for our users to answer any questions they have. And we do a regular education session with our users to make sure that they're aware of things in the world and what's going on in the security community, new types of phishing emails that are coming out, so that they're aware and looking for and forever vigilant.
So that's how we protect our users that use our systems. Let's talk about your users who access CSC's systems and your data.
First of all, your data is always encrypted when it's on our systems, whether it's in transit, everything that we do is HTTPS or SSL based security. And then when we save anything to disk, it's fully encrypted on disk so that there's all your data is always protected and secured against any threat that might be part of our third-party program. We're making sure that everything is encrypted at all time.
The best way to do password management is to enroll through our single sign-on, which means that your username and password that you would use at your company passes your authenticated, or you're logged in through your system at your company and your corporate network tells ours who you are. So we actually don't store your password at all.
If you don't have single sign-on support and you set a username and password on our system, something very unique that we do that we're pretty proud of, instead of just saying is your password complex? One of those kind of green/red things that you see on based on how many characters you have in your password, we actually we will check your proposed password against a breach database to see if that database has been part of multiple breaches. And if it has, if you're reusing a password or using a password that multiple people use, we're going to tell you and suggest you not use that password because it's been breached. I think that's very important because it's not really is your password complex but have you reused it. And that's a big thing that users do and we like to make sure that if there's a reused password that's been part of a breach, we stop you from using that again.
We have detailed authorization and application and data level security, which David is going to talk about really at the application level so you can see how you can protect your data within the application.
David: So the next slide that we're now looking at is meant to kind of level set that, you know, as we noted, we're going to get into some of the specifics of the CSC Entity Management solution. But really, to make sure that we're all on the same page. What are we talking about when we talk about entity management? And really what this slide really highlights is the fact that entity management is a discipline. At the end of the day, one of the things that it's really about is keeping your companies in compliance, making sure that you have annual reports that are being filed in a timely fashion making sure that you're compliant with the business licenses that you require as another example.
But really beyond that sort of basic definition, entity management really gets into the need the requirement to be able to surface information to the right people at the right time, being able to quickly provide a list of directors and officers or create a structure chart to share with investors or third parties. And so entity management, again, it's a discipline and it's all about having access to secure information that you can share with parties at the appropriate time.
So in our poll question, we were talking about the fact that we see clients that are on all ends of that spectrum, a few entities to hundreds or thousands of entities, but fundamentally why do organizations implement entity management software?
And really the short answer is it really allows them to do a job more effectively. And so one of the benefits is centralization. So organizations that don't have technology are often using spreadsheets for data. They've got documents in one or multiple shared drives. They might be manually creating organizational charts. And they really don't have any ability to do effective reporting, which is one of the other items that you're seeing on this slide. So the ability to have a single source of truth where you can go for your entity vitals, directors, officers, reporting, and having that just at your fingertips is an incredible advantage that these types of software solutions offer versus doing things in a more manual sort of traditional fashion.
Another critical benefit which gets me really excited when I talk to organizations is automation. Instead of building that org chart by hand, which is incredibly time consuming, let me click a button and have the system really build that chart for me. Instead of having to manually change director, officer records on dozens or hundreds of entities, let me click a button and have the system automatically expire or replace an officer or director across again a number of subsidiaries. So there are incredible advantages where systems can really help automate and add efficiencies into these processes.
And then collaboration is certainly another key benefit. We talked about entity management being a discipline. And certainly the legal department is at the center of the front and center of the folks that are managing that information day-to-day, but it's incredibly common, that there is a need to share information with other parts of the business, whether that's tax, accounting, HR, finance. And that's really why security starts to become critical because ultimately there's going to be some amount of information that you're managing within the entity software that you want to share with other parts of the business, but do it again in a very controlled fashion. So that's where collaboration becomes an advantage, but also why security comes right back into the equation as well.
All right. Well, Annie, I'm not sure if you could hear that, or if our audience could hear that. But during our poll, my four-year-old wandered into I guess what I would call my home office. And I'm sure people can relate. Apologies for that. But that's kind of what we're dealing with in this day and age of working from home.
So with that, getting back on track, this is a transitional slide where we're going to now really dive into the services and technology that CSC offers in the entity management space.
So before we talk about CSC's Entity Management software solution, we want to talk about some of the services that we offer as an organization that really integrate in a tremendous fashion with that software. And really, the first thing to talk about is our registered agent service. If entity management is a house, in this analogy registered agent is the incredibly secure foundation of that house. This is a core service that we offer as an organization. And we've been doing so for over 100 years.
And critically, when CSC is serving as registered agent for an organization, there are entity vitals that become available dynamically within our platform. Things like the names of those companies, where they're formed, qualified, their entity types, dates of registrations, charter ID statuses when their annual filings are coming due. Again, this is not information that a client has to manually type in. It's information that's flowing in automatically by virtue of using CSC as your agent. And then certainly, the entity management software represents an opportunity to build on top of that critical core data.
So I mentioned on the prior slide that CSC has been offering registration services for over 100 years. Sometimes folks are not aware of the fact that for well over a decade, CSC has also been offering global corporate secretarial services as well. We call this CSC global subsidiary management, where effectively we become a corporate secretarial partner for your non-U.S. portfolio. And just to talk about this briefly, one of the critical services that we provide is what's known as a corporate health check where upon taking over sort of the day-to-day responsibility of managing those subsidiaries, we make sure that they in fact are in compliance with the local jurisdictions and then can provide remedial services if there are any deficiencies.
And then really the core service on a moving-forward basis is that we provide what we call annual compliance support, where we're doing the prescribed things to get those companies, again, in compliance sort of the equivalent of U.S. good standing, which in many cases is much more involved. And then certainly there are ad hoc services that we can offer globally where if you need a director change or if you need assistance with forming or dissolving subsidiaries around the world, certainly these are services that we provide that are part of our corporate secretarial services here. And all of the work that we do both domestically and globally, flows automatically into entity management solution.
So as we're again representing these global companies doing director changes, what have you, all that information then is populating all the data and documents related to those transactions are flowing automatically into CSC Entity Management.
So a moment ago, I noted that organizations subscribe to CSC Entity Management because they want to build on top of that core entity data. So what are some of the additional functionality that becomes available to our entity management subscribers? And you'll see that they're noted here in bullet point form. There's quite a lot to it. But fundamentally, some of the core capabilities are tracking directors and officers, which you can do in a very efficient fashion.
We have an incredibly compelling document management component to our platform where organizations can create online minute books. We support drag and drop functionality to make it very simple to move documents into the solution. We support what's called folder level security, which we'll actually get into in just a little bit in some detail where you can down to the folder level dictate which documents the user would see or would not see. We support full text searching where anytime a PDF is uploaded, it automatically is rendered searchable. So a user with the appropriate permissions can plug in a word or phrase and find that underlying document in a matter of moments.
Some of the other capabilities include the ability to track ownership and from that generate graphical org charts. You can get a clear visual understanding of how your entities come together from an ownership perspective. We have robust reporting, calendaring, alerting. It's really an incredible array of functionality becomes available to organizations that subscribe to CSC Entity Management.
So in the first part of our presentation, my colleague Scott did a really fantastic job talking about how CSC handles security at somewhat of a macro level, right, how we make sure that the data centers that house our infrastructure are secure. And again, that's validated through third parties. We also make sure that the servers, the databases, etc., are secure for client facing solutions like entity management, which we'll see momentarily, but also how we apply that framework to make sure that CSC's internal solutions are secure as well.
But there's sort of another level of security that we want to talk about as well, which is something we'll see in just a moment in the demonstration, which is if you are an entity management subscriber and let's say you're building org charts and you're managing minute books and directors, officers, and other entity data, as we talked about before, there's often a desire to make that information available to other parts of the business, but in a very controlled fashion.
So there are, again, a number of controls in the system itself that give you that power as an admin to make sure that people can only see and do what you feel is appropriate. So the first thing that we always talked about is something that we call roles and permissions or role-based security, where effectively you could say, as an example, when this person logs in, they don't get to see minute books that's beyond what they should be able to do. Let this person edit directors and officers because that's going to be a part of their function. And maybe when it comes to ownership records, they have a view only capability. So again, in a very granular fashion, controlling what people can and can't see what they can and can't do.
Category level security. So I think this will sort of come into focus when we're actually in the solution in the demo. But when you click on a subsidiary, there's a summary page of information that you're able to manage, which includes standard fields and custom fields that you can create. You can actually create unique sections of data. We call those categories. And those actually are sections that you can control. So for example, you might have a tax user, that you're going to let him or her actually edit some of those text fields so they can keep that information up to date and current. But maybe that's the only part of the summary record or maybe the only part of the entire platform where you want to give that tax colleague the ability to actually make changes in the solution.
I alluded to folder level security earlier but this is again ability to control which documents users will see within the platform, which is very critical. We'll highlight that in the demo. And then the thing that we're really excited about is the most recent upgrade that we launched in the platform called dynamic entity preferences. So as a software as a service solution, we offer upgrades typically every three to four months. And when those features become available, our clients automatically get those capabilities for no added fee. And entity preferences, which we'll see in some detail is where you can control which entities a user would have access to.
So certainly, as an admin, you'll see your entire portfolio companies. But it's very common with organizations that we work with where they have subsets of users that should only see certain companies maybe by country or region or division or maybe lines of business, the heritage versus acquisition companies. So this is an incredibly exciting, scalable feature where you can really determine what entities a user can ultimately see within the solution. And then certainly, something that Scott touched on as well, we do support single sign-on or what's also sometimes called federated identity to provide a very secure means of giving your end users access to the platform.