Peer to Peer Magazine

September 2012

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/80353


cybercrime and cyberespionage, which is why we have seen news about Chinese-based groups and hacktivists successfully penetrating our environments, as reported by the FBI.

The LegalSEC Solution

All of these common challenges, all of these conversations and about 18 months of research led ILTA's Server Operations and Security Peer Group to craft a concept that seeks to deliver guidance and a framework that law firms can adapt in their efforts to develop stronger, more comprehensive security and risk management programs that meet current client demands, while protecting the firm's assets efficiently.

In May, ILTA's Executive Director, Randi Mayes, announced the creation of the Legal Information Security Council, LegalSEC — a coalition of law firm professionals with the following mission statement: "To enhance the delivery of secure services to clients by raising and maintaining security awareness and by providing an asset protection framework for law firms." The way to achieve this is by leveraging the biggest strengths of the organization: collective knowledge and collaboration.

Our research led us to identify five primary objectives that we will translate into deliverables:

• Analyze and Adapt Current Standards. We are not trying to reinvent the wheel. There are many great standards available, such as those by ISO and NIST, that we can leverage. Our teams will review such documents in order to guide firms through certifications and provide guidance to those that need help building or enhancing their security strategy (not necessarily seeking certification). This will allow firms to more effectively use current firm resources and anticipate future needs. Not every firm needs or can get a data center certification; in fact, many don't know that they can certify specific systems (e.g., your DMS only). That might be enough to satisfy both management and clients. The situation varies from firm to firm, and one of our goals is to provide help regardless of firm practice, size or geographic location.

• Deliver a Set of Policies and Procedures Templates. It's important to streamline communications and become more efficient. How many times have you reached out to your peers requesting templates? Or how many times have you been contacted for help? We will have a central repository with this type of documentation available. We expect to start delivering some of these templates this year by tackling the most sought-after policies, followed by those that are not always thought about in our industry but can provide a wealth of assistance when facing a client audit. Technology is not enough when it comes to security.

• Recommend Technical Controls (A Defense-in-Depth Approach). Security should be tackled with a layered approach. You may have the best firewall on the market, but if you don't inspect and filter Web access, then you are not doing enough. Likewise, you may have a strong messaging system, but if you don't protect your mobile devices properly, then chances are your email system is at risk. LegalSEC will make recommendations on what may work within our profession by leveraging available resources, such as ILTA's technology survey, SANS 20 Security Controls and the Australian DSD 35 Security Controls. An international law firm with hundreds of lawyers will have different needs than the 15-attorney boutique firm. Both are equally important to us because the bad guys will try to exploit common vulnerabilities across the profession.

• Provide a Security Awareness Program Template. The members of LegalSEC believe that this is one of the weakest areas in our environments and one where we can make a significant and meaningful contribution. Many attorneys and staff don't know what threats exist and how or why they should try to avoid them. For example, if your firm does not encrypt outbound email messages or otherwise secure the messaging system, you might find it interesting to send a quick survey asking your users if they think your messaging system ensures secure end-to-end message delivery. If you don't know whether your firm has these types of controls in place, then this is the time for you to ask. Hacktivist groups are looking for "controversial" cases and attacking firms handling cases they might not see as in line with their views. We need to educate our firms, and a security awareness template will help ease the creation process.

• Create More Networking Opportunities. This objective was generated by you — our ILTA members. Once LegalSEC was announced, we started having deeper conversations with many of you. We realized that many firms are bringing
