Peer to Peer Magazine

September 2012

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/80353


Team Leaders

In conjunction with committing to seek certification, Bond Pearce appointed Paul ("Mack") McKay (who volunteered enthusiastically) as the firm's Information Security Officer. Appointing someone from within the IT department who would maintain a dual role as a network analyst was a bit of a bold move, since the information security officer would have firmwide responsibility well beyond IT. In order to alleviate perceived concerns that IT might not be risk champions who could appreciate the value of the certification beyond IT systems, the firm sought external assistance from an experienced consultancy, represented by Peter Badger. Peter was enthusiastic and inspirational — and he confirmed that our goal to seek certification was realistic and achievable in the timeframe allotted.

Gap Analysis

With team leaders in place, the project commenced with a standard gap analysis to measure the firm's information security practices against the ISO 27001 requirements. It was a pleasant surprise to learn that the firm wasn't far off base. Once the gap analysis was completed and the report reviewed, it was possible to quantify the work needed to achieve certification. This led to the discussion regarding "how far" to take that certification within the overall business. At the time, a couple of other firms in the U.K. had achieved ISO 27001 certification; however, their certifications were limited to either their document management systems or to aspects of their IT departments, not their entire operations. Bond Pearce chose to certify the entire business end-to-end. The firm was motivated by the fact that Bond Pearce would be the first law firm in the U.K. to be certified across its entire business and that there was significant buy-in from executive management.

Project Steering Group

The next stage entailed forming a project steering group, which held monthly meetings to gauge and report on progress and tackle key issues.
With help from the team leaders, the group first reviewed the gap analysis report and focused on fixing the problems that had been identified. As part of their initial effort, the group reviewed all existing documentation regarding policies and procedures, as well as all guidelines that had been set by the firm's various departments. Many documents had to be amended to reflect aspects of information security, and they needed to be standardized to ensure a consistent look and feel. In addition, all documents required essential information regarding document history and revision controls. This made it possible to determine at a glance how up-to-date each document was. After reviewing existing documents, other essential documents had to be created. These would later become the firm's information security management system (ISMS).

Risk Assessment

After reviewing and creating policies and new guidelines, it was necessary to conduct a thorough risk assessment of all information assets. This sounded easy enough, but it turned out we had more than 150 unique information assets, ranging from people/staff to data centers and written notes. The firm adopted the AS/NZS 4360 risk management standard as its risk assessment methodology. Each asset was assessed for associated threats and vulnerabilities using a defined list of 44 possible threats and 44 distinct vulnerabilities. At the time, a manual method was employed to calculate the risks, and scoring was done based on the "CIA" principle of Confidentiality, Integrity and Availability. For each asset, the multiple applicable threats were linked to the vulnerabilities they could exploit. The resulting risk assessment spreadsheet was in excess of 6,000 lines. As one can imagine, this was a very time-consuming exercise; however, it is an annual requirement of the standard. Subsequently, the firm acquired the Abriska software package, which performs this function and simplifies ongoing management of the standard.
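The following is an added worked example of the asset/threat/vulnerability linkage and CIA-based scoring described above. It is example code written for this edit, not the firm's spreadsheet and not the Abriska product. The assets, threats and vulnerabilities are constructed sample data, and the scoring rule (threat likelihood multiplied by the asset's rating on the CIA property the vulnerability harms, both on a 1 to 5 scale, with assumed High/Medium/Low bands) is an assumption; AS/NZS 4360 leaves scales and thresholds to the organisation.

```python
from dataclasses import dataclass
from itertools import product

# Added example: constructed data and an assumed scoring rule, not the firm's method.


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # 1 (negligible) .. 5 (severe) harm if the property is lost
    integrity: int
    availability: int


@dataclass(frozen=True)
class Vulnerability:
    name: str
    harms: str             # CIA property lost when exploited: "C", "I" or "A"
    present_in: frozenset  # names of assets that carry this weakness


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    exploits: frozenset    # names of vulnerabilities this threat is linked to


# Constructed sample inventory (a handful of entries standing in for 150+ assets,
# 44 threats and 44 vulnerabilities).
ASSETS = [
    Asset("Client case files (DMS)", 5, 5, 4),
    Asset("Data centre", 4, 4, 5),
    Asset("Staff", 3, 3, 3),
    Asset("Handwritten notes", 4, 2, 2),
]

VULNERABILITIES = [
    Vulnerability("Unencrypted or unlocked media", "C",
                  frozenset({"Client case files (DMS)", "Handwritten notes"})),
    Vulnerability("No backup power supply", "A", frozenset({"Data centre"})),
    Vulnerability("Low security awareness", "C", frozenset({"Staff"})),
    Vulnerability("Weak access control", "I", frozenset({"Client case files (DMS)"})),
]

THREATS = [
    Threat("Theft", 3, frozenset({"Unencrypted or unlocked media"})),
    Threat("Power failure", 4, frozenset({"No backup power supply"})),
    Threat("Social engineering", 3, frozenset({"Low security awareness"})),
    Threat("Unauthorised modification", 2, frozenset({"Weak access control"})),
]


def impact(asset, vuln):
    """Impact is the asset's rating on the CIA property this vulnerability harms."""
    return {"C": asset.confidentiality,
            "I": asset.integrity,
            "A": asset.availability}[vuln.harms]


def rate(score):
    """Map a 1..25 score onto qualitative bands (band edges are an assumption)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def candidate_rows(assets, threats, vulns):
    """Size of the full asset x threat x vulnerability grid before linkage filtering;
    this is what a naive spreadsheet enumerates and why it grows into thousands of lines."""
    return len(assets) * len(threats) * len(vulns)


def risk_register(assets, threats, vulns):
    """Keep only triples where the vulnerability exists in the asset and the threat
    is linked to that vulnerability, score each one, and sort highest risk first."""
    rows = []
    for asset, threat, vuln in product(assets, threats, vulns):
        if asset.name not in vuln.present_in or vuln.name not in threat.exploits:
            continue
        score = threat.likelihood * impact(asset, vuln)
        rows.append({"asset": asset.name, "threat": threat.name,
                     "vulnerability": vuln.name, "property": vuln.harms,
                     "score": score, "rating": rate(score)})
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


REGISTER = risk_register(ASSETS, THREATS, VULNERABILITIES)

if __name__ == "__main__":
    print(f"{candidate_rows(ASSETS, THREATS, VULNERABILITIES)} candidate rows, "
          f"{len(REGISTER)} linked risks")
    for r in REGISTER:
        print(f'{r["rating"]:6} {r["score"]:2}  {r["asset"]} / {r["threat"]} / {r["vulnerability"]}')
```

Run stand-alone, the script reports 64 candidate rows but only 5 linked risks, with the data centre power failure (availability 5, likelihood 4) ranked first. The point worth taking from it is that the linkage step, not the scoring arithmetic, is what keeps a register tractable and what must be re-examined at each annual reassessment: an asset inherits a new risk row the moment a vulnerability is recorded against it.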
Training

Once the risk assessment and all documentation were completed, reviewed, approved and set for release, it was essential to begin training. The firm had to make all personnel aware of the new policies and accompanying guidelines, as the
