The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/80353
ISO for Everyone: Upgrading (Intelligently) to the New Normal
by Renee Murphy of Latham & Watkins LLP

Many firms are waking up every day to a new normal. The new normal is defined by security requirements from clients, legislation and soon the American Bar Association, which will be weighing in on the topic in an effort to make technical security standardization guidelines available to firms. In the world of security, only a few security practices are generally accepted. One is the International Organization for Standardization's ISO 27001 standard and another is the Federal Information Security and Management Act (FISMA). The incredible achievement of holding both certifications is limited to a few Fortune 500 companies, because the process-based infrastructure required by ISO and FISMA is extensive, detailed and complex. However, the principles of the standard can be applied to any enterprise, regardless of size. In fact, standards are an efficient way to communicate a firm's security and governance posture to all interested parties.

Size Up the Risk

ISO requirements take risk into consideration in almost every aspect of the firm's security operations. Risk assessments determine whether or not effort, time and money should be spent mitigating a technology or process risk. Only with an effective risk assessment process can decisions be made in a systematic and methodical way. Risk management can occur in several different scenarios, but the most common in technology are project-based risk, change-based risk and process-based risk.

Project-Based Risk: This category is meant to determine what can go wrong in a project and how to address those risks in the planning phase. A project to implement a mobile mail solution for smartphones is a timely example for a risk assessment.
The risk assessment addresses the potential for lost or stolen devices, the dependability of the solution, issues with residual data remaining on the device after someone leaves the firm, retention management for mobile devices, etc. These risks are expressed as a scenario, such as: "A device is lost at a coffee shop. What is the likelihood of someone getting access to that device and reading email messages related to a client matter? What would the impact be if that happened?" The likelihood, impact and consequences (reputation damage and others) are quantitatively scored to determine their severity. That score illustrates the risk associated with adopting smartphones for email. The completed assessment determines how much risk the firm is willing to take on in order for its attorneys to have access to their email messages on a smartphone.

Change-Based Risk: This risk occurs during the change control process. Imagine a security update to the document management system in your firm. While updating the security seems like a routine change, it is happening to the most critical system in the firm's environment. The type of change control (maintenance, regular, critical or emergency) will be based on a risk assessment that takes into account the data classification, the type of change, the number of users impacted and the amount of