May 2011 | Law Practice Profitability: Not Worth Ignoring
technology

Taking Control of Information Security – A How-To Guide for Law Firms

By Baan Alsinawi


Failure to protect client records and data within law practices comes with a hefty price tag. According to a 2007 ABA report, it can cost a law firm “$182 per compromised record, or an average of $4.8 million per breach.”

And yet law firms are among the slowest industry groups to implement information security, even though the stakes for them are especially high: they are ethically required to maintain the confidentiality of client records and data.

Obviously, properly training all members of a firm on how to protect confidential data is critical, but how do you determine what is at risk, the level of each risk, who is responsible for it, and the steps to take for each one? Here are the steps we recommend.

The Seven Key Steps
There are seven fundamental steps in a Risk Management Assessment review to uncover potential risks in a firm’s information assurance practices—and the potential impact on both the firm and its clients.

1. Risk Management Strategy & Business Impact Analysis
While every step is significant and important, this first step, risk management strategy, is the broadest. With this step, firms acquire an in-depth understanding of their business needs, potential information security risks, the firm’s tolerance for risk, and the probable impact identified risks can have on the firm’s operations. (All things every business needs to know.)

2. Identify Risk Areas
The second, “Identify Risk Areas,” can frighten even the bravest partners when they see the full scope of potential exposure. The objective with this step is to create a high-level list of potential risk areas law practices need to consider as part of their risk management strategy. These typically include:

  1. Hosting facility security policies and risk assessment status
  2. Data flow encryption for internal use, remote users and with partners
  3. Information sharing and collaboration (internal and external)
  4. Lack of top down security policies
  5. The use of wireless at home and in public areas such as airports and cafés
  6. Media protection—labeling, discarding, safeguards (paper documents, CDs, portable hard drives etc.)
  7. Fax/Print policies
  8. CD/USB drive encryption and protection
  9. Personal hand-held devices (Blackberry, iPad, iPhone, etc.)
  10. Use of Webmail for sending corporate documents
  11. Use of home computers to create and handle corporate information

3. Identify Information Types
In the next step, each firm must review the types of information handled daily in order to truly understand the different types of risk and appropriate measures of protection. These can include:

  1. Public information
  2. Court filings
  3. Client documents
  4. Client testimony / depositions / transcripts
  5. Firm business plans
  6. Internal firm meeting minutes and confidential documents
  7. Attorney / client communications
  8. Attorney work product (briefs / memoranda / notes)
  9. Electronic communications
  10. Information retention (paper and electronic)
  11. Employee privacy information (SSN, bank accounts etc.)
  12. Client privacy information (SSN, bank accounts etc.)

4. Specify Information Classifications
Step four has two parts. The first part—information classification—is fundamental to risk management and to the strategic use of security controls within the IT infrastructure of any organization. Without understanding the different classes of information it holds, a firm cannot determine the measures required to protect that information or to prevent disruptive incidents.

The objective of any risk management program is to protect information in three areas: confidentiality, integrity and availability. Protecting the confidentiality of information means making sure that only those with a need to know have access to it. Protecting the integrity of information means making sure the information is not tampered with, changed or manipulated without proper authorization. And protecting the availability of information means making sure that those with proper authorization can get to the information when they need it—a file that is locked away so tightly that the attorney cannot open it before a filing deadline has failed just as surely as one that leaked. Each information type is rated separately on all three, because a public court filing may need little confidentiality but high integrity.

The second part of classification of information measures the impact to the business in the event that specific types of information are lost or compromised. This is measured as low, moderate or high. Based on these criteria, a firm can create an information matrix that maps each type of information to an agreed-upon sensitivity level. But before completing the information classification matrix, one more factor needs to be taken into consideration: risk determination.

5. Identify Risk Levels/Business Impact Assessment
The fifth step helps firms arrive at risk determination. Once the firm has rated the confidentiality, integrity and availability requirements of its information and assigned a sensitivity (low, moderate or high) to each information type, the next step is determining risk. The formula for determining risk is based on the likelihood of a specific event happening and the impact it would have: Likelihood X Impact = Risk Level. Here’s an example: what is the likelihood of a USB drive being lost or stolen? Say, Moderate. What about the impact of that loss? Depending on the information stored on that USB drive, the impact could be low, moderate or high. If high, then the formula is “Moderate X High = Level of Risk.” Note that multiplying two words does not by itself produce a level: the firm must agree in advance on a risk matrix (or a numeric scale behind it) that says which cell of likelihood and impact maps to low, moderate or high risk, and then apply that same matrix to every scenario so that results are comparable.

6. Develop Policies
Not all risks are created equal, and policies need to be developed with that in mind. Firms can develop specific policies for managing and protecting high, moderate or low risk areas. In addition, we recommend establishing four information categories with clear information-handling guidelines and policies:

  1. Classified
  2. Confidential
  3. Private
  4. Unclassified.
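Steps 4 to 6 above, as an added example that is not part of the original article: a small classification matrix, the Likelihood X Impact lookup, and a handling category for each information type. The numeric weights and risk bands are an assumption taken from the 3x3 risk-level matrix in NIST SP 800-30 (2002); the high-water-mark rule for overall sensitivity (the highest of the three CIA ratings, as in FIPS 199) and the mapping from confidentiality rating to the four handling categories are this example’s own choices, not the author’s. The sample information types and their ratings are constructed for illustration.

```python
"""Qualitative information classification and risk matrix for a law firm.

Added example, not code from the original article.  Assumptions:
  * weights and risk bands follow NIST SP 800-30 (2002), Table 3-6;
  * overall sensitivity is the high-water mark of the three CIA ratings;
  * handling category is driven by the confidentiality rating, with
    "Unclassified" reserved for information the firm deliberately publishes.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")

# NIST SP 800-30 (2002) weights: likelihood 0.1 / 0.5 / 1.0, impact 10 / 50 / 100.
# Risk bands from the same table: 1-10 Low, >10-50 Moderate, >50-100 High.
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Moderate": 0.5, "High": 1.0}
IMPACT_WEIGHT = {"Low": 10, "Moderate": 50, "High": 100}

# Step 6 handling categories keyed by confidentiality rating (assumed mapping).
HANDLING = {"High": "Classified", "Moderate": "Confidential", "Low": "Private"}


def _check(level: str) -> str:
    """Reject anything outside the agreed scale so a typo cannot silently rank as Low."""
    if level not in LEVELS:
        raise ValueError(f"level must be one of {LEVELS}, got {level!r}")
    return level


@dataclass(frozen=True)
class InfoType:
    """One row of the step-4 classification matrix."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    public: bool = False  # deliberately published (website, filed pleadings)

    def __post_init__(self) -> None:
        for lvl in (self.confidentiality, self.integrity, self.availability):
            _check(lvl)

    def sensitivity(self) -> str:
        """High-water mark: the strongest of the three CIA impact ratings."""
        return max((self.confidentiality, self.integrity, self.availability),
                   key=LEVELS.index)

    def handling(self) -> str:
        """Step 6 category: public material is Unclassified even if its
        integrity or availability rating is High."""
        return "Unclassified" if self.public else HANDLING[self.confidentiality]


def risk_score(likelihood: str, impact: str) -> float:
    """Raw Likelihood x Impact product on the numeric scale."""
    return LIKELIHOOD_WEIGHT[_check(likelihood)] * IMPACT_WEIGHT[_check(impact)]


def risk_level(likelihood: str, impact: str) -> str:
    """Step 5: read the product back through the agreed risk bands."""
    score = risk_score(likelihood, impact)
    if score > 50:
        return "High"
    if score > 10:
        return "Moderate"
    return "Low"


def assess(info: InfoType, event: str, likelihood: str) -> dict:
    """One register entry: the impact side of the formula is the
    information's overall sensitivity, so the same event on a different
    information type yields a different risk level."""
    impact = info.sensitivity()
    return {"information": info.name, "event": event, "likelihood": likelihood,
            "impact": impact, "risk": risk_level(likelihood, impact),
            "handling": info.handling()}


# Constructed sample matrix; ratings are illustrative, not the article's.
SAMPLE_MATRIX = [
    InfoType("Public information (firm website)", "Low", "Moderate", "Low", public=True),
    InfoType("Court filings", "Low", "High", "Moderate", public=True),
    InfoType("Internal firm meeting minutes", "Moderate", "Moderate", "Low"),
    InfoType("Attorney work product", "High", "High", "Moderate"),
    InfoType("Client privacy information (SSN, bank accounts)", "High", "High", "Low"),
]

if __name__ == "__main__":
    for info in SAMPLE_MATRIX:
        print(f"{info.name:48} sensitivity={info.sensitivity():8} "
              f"handling={info.handling()}")
    # The article's USB-drive scenario: moderate likelihood, high impact.
    print(assess(SAMPLE_MATRIX[4], "USB drive lost or stolen", "Moderate"))
```

Two things the table alone does not make obvious. First, under the NIST 2002 scale the article’s “Moderate X High” cell scores 50, which that scale places in the Moderate band, not High; a firm that expects the answer to be High must pick (and write down) a matrix that says so, which is why step 5 insists on an agreed matrix. Second, court filings come out with High sensitivity but an Unclassified handling category: they are public, so confidentiality controls are pointless, yet the firm still needs integrity and availability controls for them, which is the reason step 4 rates all three properties separately.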

7. Roles & Responsibilities
The final step is to identify roles and responsibilities. Recent “best practices” studies have determined that an effective risk strategy must begin with top management and work its way through the organization. This model has been adopted by the National Institute of Standards and Technology (NIST), which stated that any strategy that begins with IT rather than management leads to a risk strategy that is “just chasing risk”—a dangerous position.

IT subject matter experts are vital to understanding and managing aspects of IT risk in a law practice, but business management is the most important stakeholder, as well as the most effective driver. Once roles are assigned to the proper individuals or groups, the following tasks can be assigned:

  1. Define IT risk analysis scope
  2. Estimate IT risk
  3. Identify risk response options
  4. Perform a peer review of IT risk analysis

Don’t Forget Documentation
An additional, “understood” step is proper documentation of what’s uncovered in the Risk Management Assessment review.

Information security starts with policies and procedures, defining critical data, and mitigating security risks based on a business impact analysis. Properly implemented, these give you a framework that works for you and your practice, and you’ll feel a great deal better about the safety of your critical information.

About the Author


Baan Alsinawi is the founder and president of TalaTek, LLC, which she started in 2006. Ms. Alsinawi is a member of (ISC)², and is CISSP and ITIL certified. For more information, visit: www.talatek.com

LAW PRACTICE TODAY

EDITOR-IN-CHIEF

John D. Bowers, Fox Rothschild LLP

ASSOCIATE EDITOR

Elise Martin, Grant & Eisenhofer

BOARD OF EDITORS

Micah U. Buchdahl, HTMLawyers

Margaret M. DiBianca, Young Conaway Stargatt & Taylor, LLP

Nicholas Gaffney, Infinite Public Relations

George E. Leloudis, McGuire, Woods & Bissett P.A.

Pamela Annette Palmer, Morris Polich & Purdy

Allison C. Shields, LegalEase Consulting, Inc.

J. Benjamin Stevens, The Stevens Firm, P.A. - Family Law Center

Misasha Suzuki, Orrick Herrington & Sutcliffe

Qadir Wahid, Ropes & Gray LLP

Wendy L. Werner, Werner Associates, LLC