For years this top-tier law firm has consistently focused on improving the company’s information security posture. Law firms are entrusted with client data that is sensitive in nature, and the need to maintain a secure environment is critical. The IT team had the necessary technology in place, but they knew they could do better.
“Historically, law firms have thrown software at the problem, and in many cases, it is money thrown out the window,” said the firm’s information security officer. Rather than perpetuating this approach, the firm’s risk management team, along with endorsement from senior management, focused on building a comprehensive, documented information security management system (ISMS).
As a leading law firm with multiple offices across North America, they represent a wide range of clients in complex matters. The creation of an information security management system meant building a foundation for a standard, disciplined approach not just to IT and IS, but for the firm’s operations as a whole.
From the very start of the engagement, the firm’s information security officer stated that ISO 27001 certification would be a welcome outcome of the project, but not the primary focus. Instead, emphasis was placed on building a sustainable ISMS program the team could continue to iterate and improve upon. Knowing they did not have the expertise and resources in house to develop a well-thought-out ISMS program, the firm turned to Scalar to steer them through the 14-month-long project. “While we had a lot of the necessary elements in place, we were lacking in methodology, procedures and policies, and that is where Scalar came into the picture, coaching us and working alongside us to build out the ISMS structure,” said the information security officer.
Threat Risk Assessment: Gap Analysis
The first step along the way was the gap analysis. Scalar analyzed where and how information is stored, producing a report that highlighted gaps in the firm’s security posture and served as a baseline for improvement. The threat risk assessment provided both the Scalar consultants and the firm’s team with an understanding of where they were currently sitting versus the standard.
Setting out a scope that covered anything that could be considered confidential, Scalar set about building a strong security program that would fit the firm’s needs. “We endeavored to help find solutions that would allow them to maintain their business functions and processes, but also enable them to have the controls in place to satisfy ISO,” said Scalar governance, risk and compliance consultants Anthony Khan and Benjamin Li. Analyzing everything from how assets are managed to how incidents are reported and how security issues are dealt with, Scalar worked with the firm to enhance their processes and documentation.
“We opened our doors to them and became one team with Anthony and Ben – they were an extension of the firm as far as I am concerned, and a great group to work with. We relied on their expertise and knowledge,” said the information security officer.
A Documented Approach to Risk Management Security
“What works for one company doesn’t necessarily work for others. The documentation developed is not only based on ISO standards, but is rooted in reality, based on what we do as a firm,” he continued, referring to it as “a documented approach to risk management,” spanning the development of policies, manuals, and evidence of compliance.
Policies are the set of rules that, taken together, make up the information security policy. Policies break down into sub-groups covering areas such as email management, information governance, physical security, and human resources security. Manuals and procedures are then developed, outlining how employees should act to remain in compliance. Lastly, there needs to be evidence of compliance in place. For example, bringing on a new hire necessitates changes to the network. Before these changes can be made, a change request must go into the company-wide ticketing system outlining the change, the associated risks, the impact it may have, and the rollback plan in case anything goes wrong. “This is what a documented approach means, and I can guarantee, if you do not go through this process, you are not doing it right,” he said.
The new service management system now combines the change management, incident management, asset management and vendor management functions. “Once you have the foundation and system in place, you can build on it – this is what the program and ISO is about – a sustained approach to managed security,” said the information security officer. But this did not happen overnight; it was the result of 14 months of teamwork between Scalar and the firm’s teams.
“Scalar made an effort to understand our business and get to know our internal people; it became a partnership, and when you build this type of trust it is much easier to get the work done. They are patient and professional, and step by step they do whatever it takes to make the client successful,” he added. “Scalar got us through the ISO audit with a score of 100% – we are now ISO certified and have the tools and foundation in place to continue to build and improve our ISMS program.”