The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/80353
Ask the Expert

Annette: Clients want to know what processes we have in place and if we are ISO certified. They want to know that our standards of securing information are as high as theirs. It's common now to see client terms or outside counsel guidelines that require us to meet a certain level of information security, and those terms include a right to audit our processes. It's a competitive advantage to be able to prove that you have a high level of information security in place.

Brian: Regarding audits, the pressure has been light, but soon there will be strict requirements. We need to be correctly positioned before that day arrives. Another pressure clients are placing on us is related to efficiency — provide more at a lower cost. They want us to rely on new technology and take chances with, for example, BYOD/BYO3/BYOT and cloud computing.

Jeff: The last few years, clients have started implementing security controls that check the security posture of their vendors, including the law firms they deal with. What started as simple checklists of items, such as whether you have a firewall, is now turning into extremely detailed reports that sometimes even include onsite audits. Clients come from various industries, so law firms need to be positioned to comply with just about every mandate and regulation that's out there.

Tom: Many of our publicly held clients are subject to regulatory requirements that can trickle down to their suppliers — namely us — which can force our hand in meeting certain requirements we might not otherwise enforce. We've often had auditors review our billing, and now we're starting to see auditors vet our security posture. We can no longer get away with simply checking a box on a form that says we meet their requirements.

_________________________________________________________

Who should drive security in a firm?

Jeff: Security needs to be driven from executive management in a top-down approach. Without the full backing of executive management, it is very difficult to roll out any successful security campaign. This holds true for any business and is not unique to law firms.

Brian: The partners have to drive this, and any attorney that has a client. IT should supply the à la carte menu of solutions the firm can use to reach objectives.

Annette: There are a wide variety of threats increasing the potential for breach of data. Therefore, it's important that the right people within the firm are involved. There are physical, technical and procedural controls that need to be addressed. I think risk management working with IT, with buy-in from senior management, is the right mix.

Tom: Security has no finish line. It's never complete. It requires buy-in of management and IT to continually educate and adapt to the security needs of the lines of business. If we're letting our clients drive all our security initiatives, then we're doing things wrong. The drive should be developed internally to address weaknesses and processes.

Matt: There has to be a person or set of people who have security as part of their basic tasks — whether they are part of IT, facilities or risk management. Otherwise, you lose focus. Some larger firms have chief security officers, and that's probably the wave of the future.

_________________________________________________________

Is ISO 27001 or a similar certification the solution for law firms and legal departments?

Annette: ISO 27001 is a really reliable framework. It's a standard that clients know, understand and trust. On the other hand, it's not useful to have the certification just for the purpose of being able to say you have it — you need to be sure you're prepared for all the unique threats that apply to your particular firm.

Brian: Along the lines of what Annette said, building the framework to become certified in ISO is what I value. Meeting various governance, risk management and compliance requirements is most important — the certification is simply proving it to others.

Tom: Exactly — I believe certifications like ISO 27001 are useful as a marketing tool to differentiate firms in the bid for new business. Meeting the requirements of ISO is an ongoing process and can require changing processes both in IT and the business to maintain certification. If you have the resources to meet the certification, then by all means do it. Your firm will have a feather in its cap that very few others will have.

Jeff: I agree that ISO 27001 is a great information security framework for any organization, including law firms. By implementing a set of IT security standards, the department will deliver a more consistent, secure product with every project.

Matt: While I'm very supportive of the kind of regimen that ISO 27001 puts forth, I'm not sure it's always applicable to the mid-size business models of most law firms. It is a good set of standards, and it's useful to think about your IT and data security and information in that context. But I think these standardizations will be more applicable as they focus on the legal profession.

_________________________________________________________

112 Peer to Peer