Dealing with Client Cybersecurity Audits
BY MICHAEL GARGIULO

Law firms are expected to protect confidential client data. This was easy to do before the internet was available, before there was a cloud, and before cell phones could access client data remotely from anywhere.

A few years back, as CIO at a 500+ attorney law firm, I received my first client security assessment from a financial client with over $70B in annual revenue. The audit was over 300 questions; it covered every area of security, and the bank was very clear that a failure to comply meant loss of business with them. In addition, the audit required that several specific policy documents be submitted.

With no cybersecurity staff, we divided the 300 questions amongst the IT managers and set aggressive deadlines to avoid missing the bank's deadlines. In addition to the questionnaire, the bank demanded an on-site review of several of the firm's offices, requested interviews with various IT and administrative personnel, and lastly, scheduled a trip to the hosted data center where they would perform a full audit of that facility.

A sample of requested policy documents from the audit:
• Screenshot showing proof of password complexity and parameters
• A Change Management process policy document
• Documented and approved Security Policy for acceptable computer use
• Documented and approved Incident Management Policy
• Evidence of annual Security Awareness Training being in place
A sample of the questions from the audit:
• Is a user's identity verified before communicating an initial/temporary password?
• Are third parties with access to the bank's data required to adhere to your policies and standards?
• Are penetration tests conducted at least every 12 months and after significant changes?
• Have information security/business continuity incident responsibilities