Key questions to consider when structuring your information security policies
Over the course of my career managing large US-based law firms’ IT operations, I’ve discovered several key concepts when building an effective information security program. Chief among them are automation, simplicity and repeatability. I’ve adapted my experience working for large law firms to become an industry consultant to leaders in professional service firms, Silicon Valley startups and Fortune 500 companies.
My mission has been to help these organisations to align their technology practices to some of the most stringent standards so they could develop a meaningful information security program. Being secure is rarely about compliance; it’s about protecting your organisation and clients from winding up in the Wall Street Journal (unless they plan on being in it).
By now, everyone understands that data security and privacy, third-party vendor management, and compliance procedures are table stakes in business today. That’s why it is especially important to understand exactly what your third-party business partners are doing to protect you from risk. From the moment your organisation’s data enters into a third-party environment, you need to know that they’ve thought deeply about how to protect you and your stakeholders.
Key questions to ask about your information security
How is access monitored and restricted to the areas where your organisation’s business data is stored, processed or transferred? Are all facilities carefully selected to mitigate environmental risks, continuously monitored for appropriate access and designed to provide you with the highest availability possible?
How are outside service providers vetted and monitored to ensure their compliance with your requirements? Does each contract include a security service level agreement, and are all ongoing relationships tied to upholding your security standards?
Is all data encrypted and monitored to prevent malicious code or threat actors from finding your data? Are you using real-time intrusion detection and prevention systems (backed by service level agreements) to spot and resolve threats quickly? Are you told when any of these things occur?
Identity control and access management
Before being allowed access to data stored in your environment, are service providers and workforce members subjected to an extensive background vetting process? Once permitted access, are they given the least amount of access necessary to get their job done efficiently? And are access rights subjected to regular reviews to make sure the right people have the right access for the least amount of time necessary?
Do you and your service providers use specially managed and carefully controlled mobile devices to store, process and transmit your data? Are those mobile devices secured so your data can be removed if they’re ever lost or stolen?
Do you conduct periodic self-assessments to determine how well you’re able to spot threats and stop them? Is everyone who is responsible for helping respond to threats trained on an ongoing basis so they are well-prepared? Do you test your third parties regularly? Does your organisation’s senior leadership regularly review third-party evaluations of your organisation’s security posture?
Policies and procedures
When employees begin working with your organisation, are they immediately required to review and agree to follow policies and procedures tied to industry-recognised information security controls? Do you conduct regular security awareness training and simulations? Do you have a policy for progressive discipline for those workforce members who consistently fail to follow best practices?
Data minimisation and anonymisation
Do you have a retention policy that requires you to return data to your clients at the conclusion of each representation? Do you have a data retention and destruction policy so you are not holding onto data for longer than you require? Do you have a process to remove any information that identifies your clients or your firm wherever practical as that data enters the cloud?
If you’d like to know more about best practice in IT security, then register now for ALTACON on 31 May, 2019 in Melbourne’s Docklands. John will take you on a speed-dating tour through the process of constructing your firm’s comprehensive information security policies. Check out the program packed with national and international legal + technology luminaries and thought leaders!
About John Stambelos
John Stambelos was the IT manager for a large Chicago-based law firm for 11 years before becoming the IT director for one of the most well-regarded law firms in the country based in Los Angeles. John formed his own cybersecurity consultancy in 2018. John is also the Chief Information Security Officer for automated attorney timekeeping company Ping, based in San Francisco. Today, he helps clients ranging from Silicon Valley startups to some of the largest law firms in the world understand how best to invest resources in cybersecurity. Because it’s easy to get lost or overwhelmed, John helps clients understand how people, policy and technology must all fit together so their security program matches their capabilities.