Legal & law enforcement: Information access compliance
A guide to US and UK user security compliance for legal and law enforcement.
Published January 9, 2018
Legal professionals have access to a broader array of sensitive information than any other sector. Because the law applies to virtually every area of our working and personal lives, those in the legal profession can have access to anything from personal case data, to the finer points of a merger, through to volatile crime information.
This is why the legal sector has some of the most stringent security regulations, with particularly granular requirements for the organisations under their jurisdiction. In the UK, the Law Society, the legal sector’s professional representative body, has set out Lexcel, a set of required standards for the solicitors and law firms working under it. All legal organisations are also required to work within the Data Protection Act (DPA). In the US, any federal agency (i.e. police forces, courts) must comply with the Federal Information Security Management Act of 2002 (FISMA).
Within this guide we look at the specific requirements of these regulations. We have also included ISO 27001 and the more detailed ISO 27002 that accompanies it: although neither is specific to law, their status as a global ‘gold standard’ for security across industries makes them well suited to organisations in law, a profession that is pan-sector by nature. We have conducted research among workers in the legal sector in the UK and US to discover how compliant they are, and provided a compliance checklist to help you with your compliance strategy.
User security is never simple, and in the legal sector where sensitive data can span almost literally anything, it is even more complex.
The research results revealed in this report show that legal firms and law enforcement agencies across the UK and the US have significant room for improvement. A significant proportion do not even meet the relatively minimal requirements of the regulations that apply to them, and so are non-compliant.
Hopefully the guidance offered here will help you reach beyond compliance to protect your client, crime or case data.
Given the breadth of information at the disposal of those within the legal sector, often of the most sensitive kind such as crime case data, it is imperative that organisations operate securely.
Unfortunately, the area that is most often insecure is also a complex one to address: human nature. Most risk stems not from technology but from human error. All it takes is an absent-minded employee sharing a password, or an employee deciding to misuse information to which they should never have had access.
The potential consequences are dire, with severe penalties in place for non-compliance with regulations like FISMA or the DPA. But if you can prove your adherence to a standard, for example with an ISO 27001 certification, you are in a strong position to win clients and customers.
The foundation of user security regulations is all around data being restricted on a ‘need to know’ basis. This means that access requirements should be set according to role, giving employees clearance up to and not beyond what they require in order to do their job.
This approach limits the risk of human error by reducing the amount of data each user can access to a minimum, so the potential impact of a breach is minimised. However, it is not necessarily simple to implement, and it is far from the only element of a stringent user security approach.
Naturally in order to limit access to the user’s requirement, you need to be able to identify individual users, for which unique logins are an absolute must.
Not only does unique user identification allow you to restrict network and data access on a ‘need to know’ basis, it is also essential in tracking and monitoring. If a breach does occur, you cannot detect how it occurred without being able to identify individuals and their network access activity.
This guide does go into detail on how to comply with the various regulations we have mentioned; however, it is important to note that meeting a set standard does not mean ‘job done’. This is particularly the case with very broad and non-specific regulations like the Data Protection Act, which are deliberately open to interpretation.
But it is also true of the much more detailed ‘gold standard’ of ISO 27001. Although the standard offers a lot of good guidance, there is always more that can be achieved. Security is not black or white, it is a process of mitigating risk to the most achievable degree, and often compliance is the minimum requirement, not the end goal.
What are legal and law enforcement agencies doing with new employees to safeguard sensitive information?
New employee on-boarding is the process of helping new staff adjust to the social and performance part of their new role quickly and smoothly. Most organisations already have a process in place to implement and track on-boarding to ensure that employees are given the right guidance, but it doesn’t always include guidance on how to protect the organisation and its clients’ sensitive information. This process is especially important in the legal sector where that information can be particularly sensitive.
The ethical standards designed to protect attorney-client privileged communications and other legally privileged information such as patents, copyright and trade secrets are well known in law. Legal firms need to train and educate their employees from day one on how to work in a way that protects the organisation and its clients’ information. Meanwhile law enforcement bodies have an obligation to keep criminal data private.
This is why having a security policy which is shared with all employees is a basic requirement of all user security regulations. For instance ISO 27001, the international standard that specifies best practice for information security management systems (ISMS), includes a security policy in its set of information security objectives. However, it was surprising to see that almost a third (28.8%) of professionals in legal practices in the US were not given information security training during on-boarding. The figure in the UK was similar (31.2%).
When asked if they had seen a security policy during on-boarding, only 60% (US) and a lower 47% (UK) said they had. Similar proportions, 58% (US) and 46% (UK), were asked to sign an information security document.
In the UK, Lexcel, the legal practice quality mark for excellence in practice management and excellence in client care, states that practices must have an information management and security policy in place including the management of user accounts and training personnel on information security.
For most organisations in highly regulated industries like the legal sector, integrity is of the utmost importance – in fact, the organisation’s reputation will rest on it. Without background checks on candidates, you won’t know who you are inviting into your organisation. However only 60% (US) and 43% (UK) of professionals said that they were aware that their organisation runs background checks on new employees.
Lexcel stipulates in its People Management section that practices should have procedures to deal effectively with recruitment and selection, and that these should include references and identity checking.
How are legal and law enforcement agencies implementing security training and enforcing security processes?
As we have mentioned, arguably the weakest point in any organisation’s security defences is its employees. People are human, and mistakes happen with regard to IT security. In fact many external breaches occur irrespective of how strong the perimeter defences, firewalls and anti-virus tools are, because an employee suffers a lapse in judgement or is oblivious to good IT security practice.
One of the keys to minimising the ‘human’ risk is to ensure that employees receive regular IT security training and to enforce and communicate airtight security policies and procedures. You should never rely on technology alone to protect data.
Some of the high-profile attacks on organisations in 2014 and 2015, such as those at Sony Entertainment and JP Morgan, occurred as a result of compromised employee credentials, so companies are placing more and more importance on security training. Indeed, section 3 of ‘Lexcel England and Wales v6 Standard for legal practices’ specifically states that practices must conduct “training for personnel on information security.”
But despite the importance of training, far too many legal practices are putting data at risk by ignoring training at various stages of employment — and are therefore non-compliant. 69% of employees at legal practices in the UK and 71% in the US did not receive IT security training when they first joined the company. In addition, more than half (55%) in the UK and 48% in the US say that their organisation does not provide any security training whatsoever.
Policies and procedures are the third part in the trinity of effective IT security along with training and technology. The legal industry in the US and the UK faces plenty of clear requirements around what to do in terms of policy and procedure — perhaps more so than in other industries. Lexcel, ISO 27001 and FISMA leave no stone unturned.
Section 3 of “Lexcel England and Wales v6” states that legal organisations must have separate documented policies for information management and security, email, internet access and social media. Section 5 states that legal practices must include a compliance plan as part of their risk management plan. Practices must also have a procedure for regular, independent file reviews of either the management of the file or its substantive legal content, or both.
In the US, one of NIST’s steps to FISMA compliance is to refine controls using a risk assessment procedure and document the controls in the system security plan.
ISO 27001 and 27002 go into more granular detail than any other standard or government law on what companies must do with regard to their IT security policies and procedures. Organisations must conduct a risk assessment and define a security policy. Within that security policy, organisations must define and allocate all information security responsibilities, and the contractual agreements with employees and contractors should state their and the organisation’s responsibilities for information security. All employees and contractors must apply information security in accordance with the policies and procedures of the organisation. Organisations must also establish, document and regularly review an access control policy based on the business’s information security requirements.
Despite the granular detail and clear guidance on what organisations must do to achieve compliance, many are failing miserably to put effective policies and procedures in place. Just 71% of UK employees in the legal world and 76% in the US are aware that their practice has a documented security policy at all, and 67% in the UK and 54% in the US do not know whether their organisation produces regular security audit reports. Furthermore, only 62% of UK and 69% of US practices enforce basic security such as secure passwords, and 57% of UK and 43% of US practices do not clearly define roles and responsibilities with regard to IT security.
The lack of awareness among employees on policies extends to procedures in the event of a breach. More than half do not know who to report a breach to — lengthening the crucial time period in which an IT administrator can find and mitigate any damage. And as for internal breaches, just 29% of British employees are aware of the penalties the organisation would impose for data theft or leakages compared with 42% of US employees — despite clear guidance from ISO 27001 that states organisations must enforce and communicate a formal disciplinary process for those who have committed a breach.
Following the human elements of on-boarding employees and raising security awareness through training, technology has an extremely important role in taking user security further in mitigating risk.
Technology is necessary to fill the gaps, as even with a well educated and alert workforce we know that it is still human nature to let our guards drop.
Technology can assist in implementing restrictions to the sensitive data on your network, and there are multiple levels at which this must (or should) be addressed.
We’ve talked about having unique user logins as a minimum requirement. As far as technology goes, it is the foundation of a good user security approach as it enables all other elements from restrictions to monitoring.
Consequently, it is a requirement of all of the regulations covered in this guide.
However, despite unique user logins being such a basic requirement, 34% of law sector employees in the UK and 28% in the US do not have a unique user login. Worse still, 24% in the UK and 23% in the US are not required to log in to their employer’s network at all, suggesting access is fully open and not being tracked.
More worryingly, it seems that some workers in the legal sector are sharing their logins with the approval of their employers. 19% in the UK and 21% in the US told us they are permitted to share logins with their colleagues.
Of course, even where users have a unique login there is still significant exposure to human fallibility. A particular area of concern is how these logins are used: if a user is never required or forced to log off, the benefits of having a login profile at all are minimal. And we know that even when told to, users rarely take the time to log in and log off every time they leave their desk.
This is why an automatic, timed forced-logoff procedure is important: it halts network access after a set period of inactivity, reducing the risk of individuals gaining access where they shouldn’t.
Despite this being a relatively simple procedure to put in place, less than half of employees in either the UK or US legal sector are automatically logged off their employer’s network after a set period (40% in UK and 49% in US). 44% in the UK and 51% in the US are required to manually log off the network – the likely reality being that many do not.
If you consider security to be ‘multidimensional’, you want to be able to minimise risk in as many of those dimensions as possible. This is why limiting access by time and location is a very effective way of achieving what is known as a ‘reduced vulnerable surface area of attack’.
By restricting user access to the times they need (standard business hours, for example) and the departments, offices or workstations required, you are reducing this vulnerable surface area.
This sensible approach is not all too common in the legal sector however, with 28% of organisations in the UK and 36% in the US restricting access by location and just 18% in the UK and 27% in the US restricting according to time.
One of the reasons that unique logins are such a strict requirement is the need to be able to attribute actions to individuals. The ability to do this is a requirement of Lexcel, FISMA, the DPA and ISO 27001/2.
Firstly, only a minority of our research base in the legal sector felt that their actions on their employer’s network could be attributed to them: just 38% in the UK and 48% in the US. Whether this is actually the case or not (administrators may keep a closer eye on users than they are aware of), it is still bad practice. If actions are attributable, user awareness of this is key to combating any malicious, ignorant or accidental wrongdoing.
Another aspect of attribution is the issue of concurrent logins. If users are allowed to log in to more than one machine at a time, the ability to attribute actions is significantly decreased: which logged-in machine is the user actually using? Yet only 28% of law sector employees in the UK and 39% in the US are prevented from using their credentials to log in to more than one machine at once.
Of course the next step following the management and restriction of user access is to monitor that access. Half of US legal sector workers and 42% of those in the UK are aware that their employers are monitoring network access. The real figures may be higher than this, but employee awareness will lead to better behaviour, so it is always best to be transparent about what’s being monitored.
What are legal and law enforcement agencies doing to ensure employees have only the necessary access to sensitive data?
We have discussed the importance of integrity and reputation; the very reputation of legal practices and law enforcement agencies rests on their ability to protect personal, criminal and case data. This is so important that it is no longer just an IT problem but a whole-organisation problem, and everyone has a part to play in protecting this information.
The ISO 27002 information security guidelines are intended to help organisations implement, maintain and improve information security management, and one of the procedures states that an access control policy should be established, documented and reviewed. This means that access control should be defined for specific users and user groups. The research showed that 81% in both the US and UK have access to the data that is necessary for their role.
ISO 27002 also recommends that organisations have a process that authenticates and authorises functions, such as access to information that employees need in order to do their jobs but not more than that. However, it was worrying to see that 25% of professionals both in the US and UK have access that is greater than necessary.
There is a responsibility to protect case and crime data from the risk of loss through a breach, such as a cyberattack, and managing access to files and folders at a role-specific level plays an important part. We can see that some legal organisations have awakened to this key issue, as 44% (US) and 37% (UK) of professionals have a specific level of user access, meaning they can access some files and folders but not others. These numbers are fairly low, indicating that the industry as a whole has quite a long way to go.
Once legal firms and law enforcement agencies have implemented a process that makes users identifiable, the next step will be to monitor their actions. The research showed that only 36% (US) and 30% (UK) were aware that their organisation monitors or logs their access to specific files and folders. Some organisations may monitor access activities without the knowledge of the employees, mostly to identify unusual movement or deletion of files that may not necessarily be caused by the employee.
As discussed earlier, employees should only be able to access the information they need to do their job, so those who move roles within an organisation can be a risk if you do not review their network and file access rights. Their access rights should be adjusted appropriately as their role changes. As for employees who leave your company altogether, revoking access from the minute the person walks out of the door is an absolute necessity. Nobody wants to risk a former employee accessing the company network (particularly given ex-employees have less incentive to keep sensitive data secure).
Section 4 of Lexcel England and Wales v6 Standard for legal practices states that practices must have a procedure that details steps to follow when a member of personnel ceases to be an employee, including the “handover of work, exit interviews, the return of property belonging to the practice.”
ISO 27001 states that organisations must define and enforce information security responsibilities and duties that remain valid after termination or change of employment. And when an employee leaves, organisations must conduct a formal user de-registration process.
Alarmingly, 52% of UK and 48% of US legal practices do not review and adapt access rights to files and folders when employees move roles within the organisation. By doing nothing, employees have more access to data and networks than they need — and therefore you widen the window of opportunity for a potential attack, not to mention the fact that you’re non-compliant.
Even more worryingly still, 54% of UK and 39% of US legal practices do not immediately revoke network access rights when an employee leaves the company. Access by former employees is an extremely dangerous prospect because systems raise no alert on the activity, treating the access as genuine and authorised, meaning that a former employee could be on your systems for months before you detect them.
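The controls discussed above (unique logins, role-based need-to-know, restriction by location and time, a single concurrent session, inactivity logoff, de-registration of leavers and attributable logging) can be expressed as one access decision. The following Python is an added example, not drawn from the guide or from any of the standards it cites; the roles, folders, users and session data are constructed samples.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample policy: which folders each role has a need to know.
ROLE_FOLDERS = {
    "paralegal": {"/cases/open"},
    "solicitor": {"/cases/open", "/cases/closed", "/mergers"},
    "it_admin": set(),  # administers accounts, never reads case content
}

IDLE_TIMEOUT = timedelta(minutes=15)  # forced logoff after this much inactivity
MAX_CONCURRENT = 1                    # one live session per login at a time


@dataclass
class User:
    user_id: str                # unique login: exactly one identity per person
    role: str
    offices: set = field(default_factory=set)  # locations the user may work from
    hours: tuple = (8, 18)      # permitted window, local hours [start, end)
    active: bool = True         # False once the leaver de-registration has run


@dataclass
class Session:
    user_id: str
    workstation: str
    last_activity: datetime


def expire_idle(sessions, now):
    """Forced logoff: split sessions into those still live and those idle
    for IDLE_TIMEOUT or longer, which the caller must terminate."""
    live, gone = [], []
    for s in sessions:
        (live if now - s.last_activity < IDLE_TIMEOUT else gone).append(s)
    return live, gone


def authorise(user, folder, office, workstation, now, sessions):
    """Decide one file-access request and return (allowed, reason).
    Every denial names the control that fired so the audit trail explains itself."""
    if not user.active:
        return False, "account de-registered (leaver)"
    if office not in user.offices:
        return False, f"location {office} not permitted"
    start, end = user.hours
    if not start <= now.hour < end:
        return False, f"outside permitted hours {start:02d}:00-{end:02d}:00"
    elsewhere = [s for s in sessions
                 if s.user_id == user.user_id and s.workstation != workstation]
    if len(elsewhere) >= MAX_CONCURRENT:
        return False, f"already logged in on {elsewhere[0].workstation}"
    if folder not in ROLE_FOLDERS.get(user.role, set()):
        return False, f"role {user.role} has no need to know for {folder}"
    return True, "permitted"


def audit_line(user, folder, workstation, now, decision):
    """Attribute the request, allowed or denied, to one individual login."""
    allowed, reason = decision
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{now.isoformat()} user={user.user_id} ws={workstation} "
            f"folder={folder} result={verdict} reason={reason}")
```

Call expire_idle on the session table before each authorise decision so that a session left idle at an unattended desk cannot satisfy the concurrent-login check, and write every audit_line regardless of outcome.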