
Client Story

Scalar Guides Law Firm Towards Sustainable Information Security Program

Scalar helped this top-tier law firm improve its information security posture by building a sustainable information security management system (ISMS) program that the firm's team could continue to iterate on and improve.


Anonymous

North America

Law

Objective

Build a sustainable Information Security Management System (ISMS) program

  • Implemented security management policies and procedures entailing an internal audit program, set up of a management committee, and development of a process for ongoing continuous corrective action
  • Passed ISO 27001 certification with a score of 100%
  • Audit Management
  • Information Security Management System (ISMS)
  • Threat Risk Assessment and Gap Analysis

For years this top-tier law firm has consistently focused on improving its information security posture. Law firms are entrusted with client data that is sensitive in nature, so maintaining a secure environment is critical. The IT team had the necessary technology in place, but they knew they could do better.

“Historically, law firms have thrown software at the problem, and in many cases, it is money thrown out the window,” said the firm’s information security officer. Rather than perpetuating this approach, the firm’s risk management team, along with endorsement from senior management, focused on building a comprehensive, documented information security management system (ISMS).

As a leading law firm with multiple offices across North America, it represents a wide range of clients in complex matters. Creating an information security management system meant building the foundation for a standard, disciplined approach not just to IT and information security, but to the firm's operations as a whole.

Approach

From the very start of the engagement, the firm’s information security officer stated that ISO 27001 certification would be a welcome outcome of the project, but not the primary focus. Instead, emphasis was placed on building a sustainable ISMS program the team could continue to iterate and improve upon. Knowing they did not have the expertise and resources in house to develop a well-thought-out ISMS program, the firm turned to Scalar to steer them through the 14-month long project. “While we had a lot of the necessary elements in place, we were lacking in methodology, procedures and policies, and that is where Scalar came into the picture, coaching us and working alongside us to build out the ISMS structure,” said the information security officer.

Threat Risk Assessment: Gap Analysis

The first step was the gap analysis. Scalar analyzed where and how information is stored, producing a report that highlighted gaps in the firm's security posture and served as a baseline for improvement. The threat risk assessment gave both the Scalar consultants and the firm's team a clear picture of where the firm currently stood relative to the ISO 27001 standard.

Setting out a scope that covered anything that could be considered confidential, Scalar set about building a strong security program that would fit the firm's needs. "We endeavored to help find solutions that would allow them to maintain their business functions and processes, but also enable them to have the controls in place to satisfy ISO," said Scalar governance, risk and compliance consultants Anthony Khan and Benjamin Li. Analyzing everything from how assets are managed to how incidents are reported and how security issues are dealt with, Scalar worked with the firm to enhance its processes and documentation.

“We opened our doors to them and became one team with Anthony and Ben – they were an extension of the firm as far as I am concerned, and a great group to work with. We relied on their expertise and knowledge,” said the information security officer.


A Documented Approach to Risk Management Security

"What works for one company doesn't necessarily work for others. The documentation developed is not only based on ISO standards, but is rooted in reality, based on what we do as a firm," the information security officer continued, describing the result as "a documented approach to risk management" spanning the development of policies, manuals, and evidence of compliance.

Policies are the set of rules that together form the firm's information security policy. They break down into sub-groups covering areas such as email management, information governance, physical security, and human resources security. Manuals and procedures are then developed, outlining how employees should act to remain in compliance. Lastly, there needs to be evidence of compliance in place. For example, bringing on a new hire necessitates changes to the network. Before these changes can be made, a change request must go into the company-wide ticketing system outlining the change, the associated risks, the impact it may have, and the rollback plan in case anything goes wrong. "This is what a documented approach means, and I can guarantee, if you do not go through this process, you are not doing it right," he said.


Solution

The new service management system now combines the change management, incident management, asset management and vendor management functions. "Once you have the foundation and system in place, you can build on it – this is what the program and ISO is about – a sustained approach to managed security," said the information security officer. But this did not happen overnight; it was the result of 14 months of teamwork between Scalar and the firm's teams.

"Scalar made an effort to understand our business and get to know our internal people; it became a partnership, and when you build this type of trust it is much easier to get the work done. They are patient and professional, and step by step they do whatever it takes to make the client successful," he added. "Scalar got us through the ISO audit with a score of 100% – we are now ISO certified and have the tools and foundation in place to continue to build and improve our ISMS program."


Outcomes

  • Implemented security management policies and procedures entailing an internal audit program
  • Passed ISO 27001 certification with a score of 100%
  • Tools now in place to continue to build and improve their ISMS program