Peer to Peer Magazine

Fall 2014: Security Is Everyone's Business

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/411912


CHANGING SECURITY NEEDS

"No gains without pains." — Poor Richard's Almanack

Enterprise information security programs used to focus on preventing external (and presumably malicious) users from penetrating an organization's network perimeter. Vendors designed tools like firewalls and antivirus software to provide protection around valued assets housed internally, while IT professionals selected and deployed cost-effective tools to protect systems. Perimeter security went virtually unnoticed by users, who merely had to power up their desktops and access the firm's network.

Today, information no longer resides exclusively on a firm's internal databases, servers and desktops; it proliferates everywhere via the use of mobile devices and cloud services. A tool as common as email often provides the greatest risk of exposure, since a single spear phishing attack on a user with the right credentials could provide a hacker access to all information in the firm. In this brave new world, a perimeter-based security strategy no longer protects sensitive client data; firms have been forced to apply more stringent and granular controls to protect client information.

And therein lies the rub. A security program that includes more stringent controls, such as enterprise data classification and role-based access controls, will inevitably have some impact on lawyer and staff behavior, habits and productivity. Everyone must understand how an innocent mistake like losing a smartphone or tablet could have drastic consequences. They must also make informed decisions on how much risk the firm is willing to accept to maintain normal levels of productivity and, conversely, how great a hit on efficiency the firm can accept to achieve a desired level of security.

As security becomes a business issue, IT and security professionals must also adapt their approach, doing less watching around the perimeter and more negotiating with those inside it about the level of security required — in other words, working to guarantee the republic.

COMMUNICATING WITH FIRM MANAGEMENT

"Would you persuade, speak of interest, not of reason." — Poor Richard's Almanack

Security and risk management professionals frequently stress how important it is to gain management support to successfully execute an information security program within the firm. Management is only likely to push initiatives through if they truly believe it is in the firm's best interest to do so. To convince management, IT professionals must position arguments that align with management's interests and concerns, abandoning tech jargon for the language and concerns management cares about most.

As the Director of Records & Information at Morgan Lewis, Rudy Moliere oversees a regular communication program to help his firm management understand how emerging information governance policies and protocols differ from traditional records management responsibilities.

For Rudy's team, drafting a sound information governance policy is only one step in the long process of executing an information

Develop defensible policies, guidelines and procedures
Provide uniform retention processes across practice groups and offices
Implement content management technologies that enable efficient and secure filing methods
Ensure that the firm has the right IG personnel to perform daily activities and support non-records staff
Develop communication and training plans to increase program awareness and systems adoption
Implement sound governance and review protocols to monitor program success

About the Authors

With more than 25 years of experience, Rudy Moliere has worked at multiple firms, assisting in the development of practices and policies related to records management. Rudy is a former ILTA Records Management Peer Group Vice President and is a frequent speaker at RIM seminars and conferences. He has also co-chaired the Law Firm Information Governance Symposium, sponsored by Iron Mountain. Rudy is currently the Director of Records & Information at Morgan, Lewis & Bockius, L.L.P. Contact him at rmoliere@morganlewis.com.
