Peer to Peer Magazine

June 2013

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/139453


INFORMATION SECURITY AUDITORS ON THE RISE

by Tim Golden of McGuireWoods LLP

"A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." — ABA Rule 1.6: Confidentiality of Information

Information security assessments (often referred to as "security audits") have become a common occurrence for law firms of all sizes over the last few years. Whether responding to client-initiated assessments, reviewing internal capabilities or auditing the firm's downstream suppliers, there are some key considerations to keep in mind when deciding who should take on this lead role at the firm. The knowledge and experience required to deal with assessments effectively will at times expose skill gaps that the firm must address, either by developing existing staff or by bringing in new staff to handle the load. Enter the information security auditor.

CLIENT ASSESSMENTS

Client-imposed security reviews can be as simple as a 15-question survey emailed to the client-responsible attorney. However, these assessments can also take the form of onsite visits to multiple firm locations by the client's own security personnel to verify evidence that the firm has enacted policy, process and controls to safeguard the client's data. These assessments often align with specific standards, such as PCI-DSS or ISO 270xx. The increase in assessment frequency and depth can be attributed to changes in the client regulatory environment (e.g., the Gramm-Leach-Bliley Act for financial services clients or HIPAA/HITECH for health care clients), the increasing maturity of clients' risk management practices, and recent security breaches involving law firms or firms' downstream suppliers.

FIRM ASSESSMENTS

While client assessments of legal service providers are on the rise, so are firm-sponsored assessments of the firm's own vendors/suppliers. A key consideration here is which of your suppliers store, process or transmit nonpublic client information while performing services for the firm. Work with your business services/procurement group(s), as well as general counsel, to improve understanding of each vendor's scope of work and access to client nonpublic data. Make sure any new supplier agreements and renewals of existing agreements include "right to audit" language.

AUDITORS TO LEAD ASSESSMENTS

Who should be given the lead in these assessments? The person in this role needs a fine attention to detail, strong organizational skills and excellent follow-through. The lead should also be comfortable speaking with individuals at all levels of the organization. Communication skills and situational awareness are also important, since in some cases the lead will need to engage in difficult conversations with firm attorneys and staff, the firm's suppliers and/or the client. The lead should not be prone to "off the cuff" responses and must be comfortable with phrases like, "I don't know, but I'll find out." Putting your most technical person in the lead role may not always be the best option given the attributes listed so far.

When defining the role of information security assessor, certifications can help. The Certified Information Systems Security Professional (CISSP) certification provides a common language for discussing security capabilities with client assessors or vendor security staff. The Certified Information Systems Auditor (CISA) certification helps provide an understanding of the common assessment framework (i.e., COBIT) used in most audits.

AN EFFECTIVE ADDITION

The role of information security auditor is complex and should be evaluated for how it applies to your firm, regardless of size. By effectively responding to client assessments and evaluating your firm's (as well as your suppliers') performance, you can improve your relationship with your business partners. You are stewards of your clients' information and must be able to attest that "reasonable efforts" have been made to safeguard the confidentiality of that information.
