P2P

Summer22

Peer to Peer: ILTA's Quarterly Magazine

Issue link: https://epubs.iltanet.org/i/1472128

in developing and enforcing information security policies (the average score on the maturity curve is 4.4). Firms consistently rank security as their most mature IG process. This is good news. In second place is remote access at 4.1, which makes sense given the need to "up-the-game" as a response to the Covid workforce. But even so, the largest law firms still rated themselves below Level 4 in this category, which means there is much to do to improve upon the policies, procedures and enforcement mechanisms required to achieve a highly mature remote access posture.

In descending order, below are some selected processes and their ratings:

Process                                        Average Maturity Level
Matter opening                                 3.60
File sharing                                   3.5
Client requests/OCGs                           3.25
Records management policy                      3.15
Records retention policy                       2.95
Email management                               2.60
Email policy                                   2.45
Records retention process                      2.45
Process for retaining documents as exemplars   2.15
IG compliance monitoring processes             2.05
Administrative records                         1.95
Knowledge management organization              1.85

The overall maturity average of IG frameworks for 2022 for all firms is 2.84 – roughly Level 3. It is not a stellar performance and indicates there is room for improvement in attaining a mature IG posture. And you probably are not surprised to see Administration and Knowledge Management at the bottom of the list. Firms just don't prioritize these functions, and it shows. But there are ways to improve your IG posture and we discuss them in the following sections.

The key IG disciplines that mitigate risk

Information is the lifeblood of law firms, but the absence of adequate controls can be dangerous in several ways. At the most basic level, firms need to ensure that they and their lawyers meet their professional and ethical obligations to manage client information properly. With that backdrop, let's look at what can get in the way.
There is an ever-growing number of regulatory requirements, particularly in terms of security and privacy of personal information. In addition to GDPR, the California Consumer Privacy Act governs how firms collect, store, and process personal data on identifiable persons. Firms also have to comply with a slew of other regulatory requirements regarding financial information and data protection, not to mention Freedom of Information, Money Laundering, and the US Foreign Corrupt Practices Act (FCPA). Evolving international data residency and cross-border data transfers further complicate information technology strategies. Any failure to achieve regulatory and legal compliance risks heavy regulatory fines and reputational damage.

And then, there are Outside Counsel Guidelines (OCGs). Firms need to adhere to the contractual agreements made with clients concerning the increasing range and complexity of OCGs, including "Need-to-Know"
