Data Governance
The use of technology in our lives has given rise to a wealth of data amassed by businesses and organizations. This prolific age of data has rapidly gained a foothold in all industries. Information is now the currency with which the world generates a wealth of knowledge and experiences. This free-flowing network of personal data has become a target for those seeking to take advantage of it at the expense of the end user. Data breaches are now common in today's rapid evolution of informational exchange. Whether it's Facebook, Experian, or Capital One, no organization is too big to be exempt from the cyber-attacks that face us globally. Even nation-states are not immune to cyber warfare and have expanded the theater of war to a digital front. Law firms, in particular, are expected to adhere to a strict standard of client confidentiality to protect their client information. Our industry has access to sensitive client data, which makes law firms prime targets for cyber-attacks (Irwin, 2017). The use of an information security management system (ISMS) is paramount to achieving compliance with data governance and information security requirements.
The most practical way for the law firm to achieve compliance with data governance and information security requirements is to adopt a cybersecurity policy and an ISMS capable of being certified as complying with ISO 27001 (Calder, 2015). ISO 27001 is an open standard that lays down the broad building blocks for establishing an ISMS (Varde, 2010). A certified ISMS preserves the confidentiality, integrity, and availability of information by applying a risk management process, and it gives interested parties confidence that risks are adequately managed (ISO/IEC 27001:2013). This allows the law firm to retain existing clients and win new clients that are security conscious. The law firm will also limit any financial losses associated with data breaches and may reduce its insurance premiums. The best way to organize the program is to use the PDCA (Plan-Do-Check-Act) approach.
In the Plan stage, we must first create the initial framework between management and the law firm and consider the security issues in order to define the scope of the ISMS. After getting support from senior management and setting up a committee, we will draft our data policy and delegate roles and responsibilities. The committee will consider risk exposures and draft criteria that delineate the firm's risk tolerance. The committee will then assess the data assets utilized throughout the organization and their exposure to cybersecurity attacks. After identifying any weak points, the committee will decide on the actions needed to reduce and limit cybersecurity risks and assemble them into a risk plan. Once that is settled, we move on to the Do stage. The finalized risk plan is documented and implemented throughout the organization while training is set up for staff. Procedures are then put in place to help detect and respond to any breaches while managing the operations and resources of the ISMS. The Check stage consists of continuous monitoring and testing of the ISMS, including internal audits of the system that are reviewed by management. In the Act stage, management takes the information gathered previously and makes modifications in light of new cybersecurity threats and risk environments. We must also pay close attention to documentation throughout the entire process so we can follow up and adjust the system when new protocols are created.
By developing and implementing an ISMS, the law firm will be prepared to protect its confidential data from being leaked, damaged, destroyed, or exposed to nefarious third parties by proactively limiting the impact of a data breach (Dutton, 2018). Key members of management, senior executives, and even independent security experts can all be involved in developing and implementing the ISMS across the organization. The initial member or director of the ISMS team should look to the CEO or a senior board member to establish company-wide support from the outset. Key members of the forum should include senior members from HR, Training, IT, and other departments whose working practices will be significantly impacted when the ISMS is implemented (Calder, 2015). It is also a good idea to consider the perspective of junior members of the organization, as well as that of clients, to align the design and development themes with a pragmatic implementation of the ISMS.
Once the ISMS has been thoroughly developed and implemented, it is necessary to make sure that all information security responsibilities are defined. Since we are working closely with IT, it is a good idea to define the roles they will be performing. IT departments are accountable for the overall security of the systems that are developed by management (Calder, 2015). This includes threat identification, risk evaluation, reporting to management, and hardware asset security. Local site managers, system managers, and network managers will each be accountable for their own responsibilities, but as a whole, the department needs to be aware of the organization's security policy and procedures.
Additionally, the use of an external expert security adviser is recommended to help cover any area where the law firm is deficient in managing known or unknown risks, and to facilitate proper risk treatment and training of staff to limit exposure. This brief provides a cursory analysis of the organization and implementation of an ISMS and information security policy, including the relevant players. A detailed report should be reviewed to further illustrate the complexity of this project and its implementation.
Bibliography
Calder, A., & Watkins, S. (2015). IT governance: An international guide to data security and ISO27001/ISO27002 (6th ed.). London: Kogan Page.
Irwin, L. (2017, August 24). Why law firms should certify to ISO 27001. Retrieved from https://www.itgovernanceusa.com/blog/why-law-firms-should-certify-to-iso-27001
Varde, D. (2010, May 12). ISO 27001 ISMS design tips for your organization. Retrieved from https://www.computerweekly.com/tip/ISO-27001-ISMS-design-tips-for-your-organization
Dutton, J. (2018, July 27). What exactly is an information security management system (ISMS)? Retrieved from https://www.itgovernanceusa.com/blog/what-exactly-is-an-information-security-management-system-isms-2
ISO/IEC (2013). ISO/IEC 27001. Switzerland: ISO/IEC, pp. 1-23.