The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/80353
Lessons Learned

recently underwent the three-year reassessment process during November and December of 2011. The firm is proud to have retained its certification.

Requirements-Tracking Software

Since the middle of 2011, the firm has used Ultima Risk Management's (URM) Abriska tool, which is designed specifically for measuring and tracking ISO 27001 and ISO 22301 requirements. With this tool, we have reduced the time spent on the annual review and risk assessments from six weeks to three, and we can record changes as they arise instead of retrospectively. The system also lets the firm generate a more accurate risk map to share with its risk committee.

Focus on Prevention

The obstacles overcome along the way were typical for an organization made up of people who are generally averse to change, who will raise objections and, in some cases, go to great lengths to prevent change. For example, objections were heard regarding the move to a more stringent password policy enforced firmwide. Some firm personnel still do not recognize the value and benefits of holding the certificate and see its controls only as a hindrance. These, unfortunately, are the same personnel who would argue that there should be no need to require a password to access the network. Mack often likens the policy, anecdotally, to wearing a seat belt in a car: though he has never been in an accident in which he was, or could have been, thrown through the windshield, he always wears his seat belt.
A similar attitude and approach to information security should be adopted: just because certain areas of the organization believe the network has never been compromised, or that no attempts have been made to compromise it, does not mean we can afford to leave the network unprotected. On the contrary, speak to any network analyst who manages an organization's firewall and ask them to review the dropped packets or the source addresses of failed connection attempts; the results are likely to be alarming. Technological controls are not the only solution for keeping an organization secure. The human element will always be the biggest risk of information disclosure, which is why the ISO certification includes requirements related to awareness.

The Drive To Succeed

It took Bond Pearce approximately 16 months from submitting the original business case for ISO 27001 certification to achieving certification. The firm's decision to seek certification was partially driven by a desire to simplify the tender process. Achieving