Peer to Peer Magazine

September 2012

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/80353


The ISO standard requires change control as a documented process, so a policy and a procedure are required. The change control requirements themselves are simple enough. The industry standard should include management oversight, a documented backout plan, security review before and after the change, business owner notification, a risk assessment (impact analysis) and the date and time of the change. Don't forget that leveraging risk management and data classification will let technology teams manage the amount of documentation created in support of this process.

Security Awareness

Security awareness is not to be confused with security training; they are two very different requirements. Security training is a formalized program designed to teach, and then evaluate understanding of, the firm's security-related policies. This requires an application that can test for the content of the training, evaluate the test taker's understanding of the material and ensure that everyone has participated in the security training process. Before implementing this sort of solution, a risk assessment should be performed to determine the true risk of not having a full-fledged security training program. Security awareness, on the other hand, is not something that can be "risked" away.

Security awareness is the process of notifying users of potential threats. These notifications can be posted near copiers to remind people of the firm's shredding requirements, or placards in conference rooms can remind people to log off of shared computers. Email messages reminding users not to open doors for strangers and a refresh of the technology acceptable-use policy are popular as well. For users of the firm's confidential and private data, security awareness is essential to understanding that they too have a stake in the security of the firm. The ISO standard looks for security awareness as a process, so policy, procedure and evidence are required.
While these were only a few of the 48 policies that require documentation for ISO compliance, it would be unfair not to include some hints on how to write appropriate technology policies.

Policies Require Proof!

Policies are controls, and they need to deliver evidence to prove that they exist and are effective. Evidence of a process relies on documentation. How can you prove that you review logs daily? You can create a ticket in your helpdesk system every time you review a log, or you can keep a paper record of the date and time of the review. Each ticket created or paper record made in support of the log review process then becomes evidence.

Making the Most of the New Normal

If a firm chooses to take on the task of ISO compliance, these controls are the foundation of the process engineering that takes place during that endeavor. By implementing a data classification process, the technical environment will have the appropriate resources and solutions in place to protect the firm from the risk associated with the use of client and firm confidential data, and will secure that information from inappropriate internal access and external breach. The data classification information, used in conjunction with risk management, enables the technology team to align itself with the business and produce a strategy that is in line with the firm's risk tolerance.

This data classification and risk analysis form the basis of the strategy for the firm's technology infrastructure. Controlled change in the environment provides metrics and data to support the treatment of critical systems that contain private and confidential data, reducing the risk associated with inappropriate access to these systems and their data. Ensuring that changes do not reduce the availability of the system or the security of the data is the primary objective of the change control process, and that is beneficial to any enterprise, regardless of size. Security awareness reminds the entire firm of its responsibility for the firm's data security and privacy. If a firm is not ready to take on ISO compliance, there is still value in implementing these processes: they allow firms to measure what they manage with focused and planned consistency, leading to a more secure, risk-centric technical operation.

Renee Murphy, Manager of Internal Audit (Technology) at Latham & Watkins, LLP, has over 20 years of technology experience implementing Control Objectives for Information and Related Technology (COBIT) standards frameworks for auditable IT controls and technical operations for generally accepted practices in support of regulatory compliance. Renee's extensive experience includes serving as an external Sarbanes-Oxley (Section 404) auditor for a large accounting firm and in various technology leadership roles. She can be contacted at renee.murphy@lw.com.
