Over the last couple years there has been a steady increase in the number of law firms that have been required to participate in a security audit by a potential or existing client.
Let’s face it. No-one likes an audit. But they happen and it’s best to be prepared. Red flags raised during a law firm security audit could pose a number of potential issues.
For those who have never been involved in a security audit, this article will go through an overview of what to expect and how you can be prepared to respond.
This isn’t by any means an exhaustive list of what’s involved or the questions that may be asked, but these items will appear in virtually every security audit.
Below are just a few of the policies and plans that your firm should have. There are more, but ensuring you have these is a good starting point. Many firms already have practices and procedures in place and it’s really about formalizing those into actual documents and getting management buy-in and approval.
Information Security Policy – this critical document actually contains multiple policies. Their purpose is to provide rules and guidelines for the organization’s personnel and networks to secure and protect information. These policies govern information stored and transmitted by the organization (usually digitally, but they should cover physical information as well). This generally includes physical and logical security measures such as bollards, door locking mechanisms, authentication methods, encryption and even fire suppression.
Password Policy – critical to a security audit is a strong password policy. After all, most systems are secured by a password in conjunction with another piece of information, such as a username. It is important that a password policy be available, in line with industry security best practices, and enforced.
Business Continuity Plan (BCP) & Disaster Recovery (DR) Plan – another critical document is the BCP & DR plan. These plans provide details and instructions on what to do in the event that business operations are affected by a disaster. They also define what constitutes a disaster, what the acceptable recovery time objective (RTO) and recovery point objective (RPO) are, and who the key people are. These key people are not only the ones informed of the disaster; they are also the people most necessary to keep the firm operating. The DR plan component is generally aligned with recovering the IT infrastructure and restoring services, and typically involves the use of a DR site facility in another location.
Acceptable Use Policy (AUP) – This policy governs what constitutes acceptable use of the firm’s systems. The AUP is directed at the users in the firm, and users must agree to it prior to being given access to the corporate network.
Internet & Email Policy – This policy governs acceptable use of the firm’s internet and email systems. This typically includes clauses about ownership of email and monitoring of electronic communications. This can be included in the acceptable use policy or provided separately.
Incident Management Policy – This policy describes the process to follow in the event of an unplanned interruption to service. This could be an outage or it could be a security breach. In any case, it is important that there is a procedure for handling incidents.
Risk Management Policy – This policy describes the process for identification, assessment and prioritization of risks. It is important for a firm to understand its risk profile and continually evolve this policy.
Change Management Policy – This policy describes how changes are undertaken. Is a process followed to minimize impact when a new system is implemented, an old system is decommissioned, or a change is made to an existing system? This typically includes policies on requesting, reviewing, testing, documenting, and rolling back changes.
So how do these audits usually come about and what happens?
Basically, a client will send you a security audit questionnaire (typically a spreadsheet), either expected or completely out of the blue. The questionnaire will go through a series of items to determine what the posture of the firm is from a policy and process perspective. It may also ask whether the firm has had security assessments conducted (risk, vulnerability assessments and penetration testing) and how long ago and/or how frequently they’ve been conducted.
Remember that clients may be subject to regulations of their own, such as HIPAA (Health Insurance Portability and Accountability Act of 1996), SOX (Sarbanes-Oxley Act of 2002), PCI DSS (Payment Card Industry Data Security Standard) or GLBA (Gramm-Leach-Bliley Act), to name a few. Requirements they have under these regulations will likely extend to your firm when working on their matters.
After submitting the questionnaire, feedback is generally given based on the answers provided. In cases where a firm has a relatively good security posture but does need to do some remediation, it’s common for these issues to be highlighted and a grace period to be set to close the gaps. During this grace period, the firm has time to remediate the issues and inform the client that they have been resolved. In addition to items marked for remediation, some responses may be considered red flags. These red flags may increase the likelihood of a physical audit, or even result in a client restricting future work.
Security audits can be very stressful, but they don’t need to be – even though there’s no guarantee that a physical audit won’t take place or a client won’t question one of your responses. Ensuring that you have the critical components of a security program in place before getting audited can go a long way to reducing that stress and potentially having to rush a remediation effort.
Even if you’re not being audited, it’s good practice to have the adequate policies and procedures in place to give you peace of mind, enhance your overall security posture, and minimize potential risk.