By Michael P. Kolb, Chief Information & Security Officer, Dickinson Wright PLLC
With audits and inquiries on the rise, and clients increasingly demanding that law firms demonstrate a significant commitment to information security, it may be time for a systematic approach.
Consider ISO/IEC 27001:2013 certification, an international standard whose certification demonstrates that an information security management system is in place.
At Dickinson Wright, we have seen a substantial increase in information technology audits and requests from our clients over the past several years, particularly in the financial services industry. Although we have always been strong within the security space, the firm decided, as a result of these ongoing requests, to take a more formal approach by obtaining ISO/IEC 27001:2013 certification. This path put formal security and risk management controls in place to reassure clients that we are following industry best practices with regard to the security of their data. It has not been an easy process, as certification took several years of documentation and validation of all of the various security controls contained within the standard, but it’s a necessary step in today’s information security management environment.
The ISO/IEC 27001:2013 standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system. It is designed to preserve the confidentiality, integrity and availability of information by applying a risk management process, while giving interested parties, particularly clients, confidence that risks are being adequately managed.
1. Inter-Departmental Cooperation
Although many law firms believe that information security management is solely an IT function, it is in reality a firm-wide responsibility. Through the ISO 27001 certification process, we worked with various departments within the firm (Accounting, HR, etc.) to develop and implement firm-wide processes to keep the firm’s information and assets secure. Sometimes this meant refining processes that were already in place and combining them with new processes to make one streamlined set of policies and procedures. The result is that instead of each department having its own processes, we now have a unified and efficient approach to information security.
2. Educating Employees on the Importance of Information Security
Once a law firm receives ISO/IEC 27001:2013 certification, the process doesn’t simply stop. To maintain ISO certification a law firm must be annually audited to ensure that the processes developed as part of the ISO implementation are continually followed and updates to the process, where needed, have been applied. This also means that all employees must be trained and educated on the firm’s information security management tools. For example, we periodically test our employees with a phony phishing attack to make certain that they do not compromise the security of the firm by giving away their network credentials, and provide them re-training when necessary.
3. Developing a Proactive Approach to Information Security
As client interest in information security grows, including audits conducted by the clients themselves, ISO 27001 certification is becoming an essential step in retaining existing clients and acquiring new ones. ISO certification can be seen as proof that security issues are being proactively addressed, reassuring existing as well as new clients that the firm is taking information security management seriously. Additionally, employees and management alike can rest easy, knowing that the firm has plans in place for contingencies ranging from everyday tasks to significant catastrophes.
Although the process of obtaining ISO/IEC 27001:2013 certification was not easy, I have already seen the benefits take hold with increased inter-departmental cooperation as well as an increased awareness among our employees regarding the importance of information security management. Furthermore, the firm is significantly better prepared to respond to client inquiries and better able to assure them that their data is secure.