Peer to Peer Magazine

Spring 2017

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/810339

Be Prepared for Client Security Audits

by David Hansen of NetDocuments

More outside counsel are demanding onsite security audits of law firm clients. A security review five years ago might have comprised a few general questions on a couple of sheets of paper; three years ago, audits expanded to include detailed security questionnaires, follow-up clarification questions, webinar reviews of policies and occasional onsite visits.
Today, client audits regularly comprise expansive security questionnaires that can include hundreds of questions, broad requests for copies of policies and procedures and evidence demonstrating their implementation, multiple rounds of live webinars and phone calls to clarify controls, extended onsite audits reviewing all aspects of relevant operations, and calls for external security certifications and independent third-party security audits.

How can law firms manage and survive the growing burden of client security audits? Here are best practices to consider:

» Identify defined areas where security is needed. These typically include:
  » Internal Operations: How client information is received, handled, used and shared within the law firm as part of day-to-day operations
  » Corporate Network: The communications infrastructure that must be made and kept secure
  » Information Storage: The way client information is stored to keep it both safe and accessible

» Identify controls and procedures for each area of security. Use industry standards as a starting point, and then modify/expand them to meet your unique requirements. Consultants and vendors can assist.

» Document the controls and procedures you will use, and implement them. Include reviews to ensure controls and procedures are being followed. Beware of creating a "paper wall" of security that is fundamentally meaningless.

» Implement your own annual security audit. Use independent, third-party auditors to review your security infrastructure and make recommendations for improvement. Utilize either of these two industry standards as your baseline: SOC 2 security audits or ISO 27001.

» Develop a standard "response package" containing a summary of your security infrastructure. Include evidence of implementation in the package. This streamlines your security documentation work and provides you with a standard response you can share with clients to address client audit requirements.

» Rely on the legal ecosystem. Rather than incur the full cost of implementing and maintaining your own security infrastructure, leverage the expertise and infrastructures of vendors that specialize either in assisting law firms with security or providing safe and secure infrastructures. Ensure that your vendors will assist and support your firm with the security support your clients are demanding. Will your vendors support "pass-through" audits? Are they independently certified to industry standards?

As would-be assailants develop ever more sophisticated attacks, law firms must respond by improving their own security defenses. This means implementing appropriate internal controls and increasingly leveraging the security of trusted vendors. Security is not a destination, it is a journey.

It is probably no surprise that respondents to the ILTA's 2016 Technology Survey chose security compliance/risk management as their top "issue or annoyance." As the survey's executive summary explains, "The industry is under a great deal of pressure to respond to the sharp rise in malicious activity, coupled with efforts by clients to ensure their business partners' security posture matches their own." Preparedness responses include security awareness training (up 29 percent from 2013), outside security assessments (45 percent of responding firms have them performed annually) and client-driven onsite security audits (34 percent have received these).
