Peer to Peer Magazine

Winter 2019

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/1195860


… been assigned to a team or function?

• Are secure collection containers for confidential waste locked at all times?

After completing this audit we began receiving numerous cybersecurity questionnaires and audits from other clients in other industries. At times we were working on 3 client audits at once. Some were 10-20 questions and others were even larger than 300 questions. We quickly realized that the technology landscape was changing. We needed to hire additional staff skilled in cybersecurity and utilize outsourced help to stay compliant. We also needed to develop a global formal information security policy document.

What was learned from this initial cybersecurity assessment?

• Most important is that senior management must be standing behind the firm's cybersecurity initiatives. It is not only expensive but is usually a cultural change to implement new security measures at a law firm.

• Be prepared: cybersecurity is now in the mainstream. Most corporations are paranoid about how their confidential data is being stored and how law firms are securing it, especially with the use of cloud providers. Clients are including security questions in their RFPs, and they are happy to move their business to a more secure law firm if you fail to meet their security compliance levels.

• Document all policies, date the documents and include all technical diagrams. Most auditors want formal policy documentation as proof. You need to have these documents created in advance and should already have this done. And remember that the creation date on the document will be checked, so it should be updated annually.

• Review current security standards and government regulations to be sure you are updating your security policies with new regulations like the GDPR, which addresses data protection and privacy for all citizens of the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU.

• Set reachable remediation schedules. Critical issues identified during the audit will usually require resolution very quickly (<90 days), whereas low priority findings may allow 6 months to resolve. Depending on how critical the request is and its impact to our firm, the auditor will usually agree to extend the deadline if the solution is involved and you need more time to resolve it.

• Business Continuity and Disaster Recovery plans need to be tested and proven to be working. I once reviewed a disaster recovery plan (which we had paid for monthly for 3 years prior). It was assumed by the firm that it worked fine, but no one ever bothered testing it. In the initial test I found all user accounts were set to "guest access", so no one could actually access any data they needed to access at the cloud DR site. This access rights issue took several days to resolve, required new database tables be added to the daily transfer to the DR site and then required retesting, which was finally 100% successful.

• A lack of facility security can fail your audit. A facility must be secure with ID badges, door locks, video cameras, elevator access, parking garages and access into the firm's office. In the audit mentioned above the auditor asked for a sample video to confirm that the security camera at the data center was recording, kept 30 days of video and that he could see people's faces clearly.

• Be careful of agreeing to and setting deadlines for new legal policies that require General Counsel and Partner input. These types of legal policies may take the partnership months to complete if they agree to the creation of that policy.

• Beware of requests to audit third parties. One client asked that we perform a detailed audit of all third party vendors (over 100), a request which would have cost millions of dollars to properly complete. This required some push back, and a compromise was finally made to have these vendors attest to having specific security measures in place at their firms, rather than we incur the cost to thoroughly audit each vendor ourselves. The cost was $0.

• Try to network with other law firms. They may have experience addressing compliance issues with the same vendor and can advise on acceptable workarounds they put in place.

• If the request seems impossible to comply with and impacts the business, then push back. Most auditors will accept a plan to address an open issue at a future date if the request requires extensive work, and if it would impact the business itself they may allow skipping it. Once an auditor said we would fail the audit if we allowed USB flash drive use on a PC. Our solution, use the Anti-Virus program and force
