Bench & Bar

JAN 2018

The Bench & Bar magazine is published to provide members of the KBA with information that will increase their knowledge of the law, improve the practice of law, and assist in improving the quality of legal services for the citizenry.


WHAT QUESTIONS AND ANSWERS SHOULD I ASK?

These are the high-level questions, and the answers you should expect from your vendors:

Q: DO YOU HAVE A THIRD PARTY REVIEW YOUR IT PROCESSES?
A: Most small companies do not have this today. Look for a "SOC 2" report 6 from an IT auditor. A recent, unqualified SOC 2 report for the vendor should give you a pretty good feeling that they know what they are doing. Check the period the report covers: a Type II report attests that the controls operated over a period of months, while a Type I only describes their design at a single point in time. Sometimes a vendor will hand you the SOC 2 for the company that stores their data (their data center or cloud hosting provider). That shows they are concerned about who stores their data, but it tells you nothing about the vendor itself.

Q: DO YOU HAVE AN INFORMATION SECURITY PROGRAM THAT IS SUPPORTED BY MANAGEMENT AND INCLUDES TRAINING OF YOUR EMPLOYEES?
A: A written InfoSec program should exist. While a Chief Information Security Officer (CISO) is preferred, they should at least have someone in management who is ultimately responsible for InfoSec. I just want it on record that they train their people.

Q: WHAT EXTERNAL STANDARDS OR BENCHMARKS DO YOU USE FOR INFORMATION SECURITY AND WHY DID YOU MAKE THAT DECISION?
A: The answer will likely look completely foreign, but you should learn that they are using an external security framework and have a reason for selecting it. Examples: ISO, NIST, COBIT, COSO, and HITRUST. Be wary if they are creating and following their own security framework.

Q: DO YOU HAVE PROCESSES IN PLACE TO MAINTAIN AN INVENTORY OF THE DATA YOU HAVE, WHERE IT IS LOCATED, AND WHAT PROTECTIONS YOU HAVE IN PLACE FOR THAT DATA?
A: Do not expect to receive the inventory itself. Expect to learn about their data center and how it has restricted access, backup power, etc. Expect full-disk encryption on all workstation drives and on removable storage.

Q: DO YOU PROTECT YOUR NETWORK WITH STANDARD SYSTEMS LIKE FIREWALLS, PROXY SERVERS, INTRUSION PREVENTION SYSTEMS, DATA LOSS PREVENTION SYSTEMS AND VPNS?
A: You want to know that they are not just letting anyone access their network. The more of this technology in place, properly configured and monitored, the greater the chance the vendor will be able to protect against, detect, and respond to a security incident. A good follow-up question is to verify that the default passwords on these systems have been changed.

Q: DO YOU HAVE AN INCIDENT RESPONSE PLAN (IRP) THAT HAS BEEN TESTED?
A: Look for the plan to exist. They should know what to do, whom to call, and what kind of notification is required. It is important to test the plan. Plans often miss steps and assume key personnel will be available. An untested plan is unacceptable.

Q: DO YOU HAVE A DISASTER RECOVERY PLAN THAT HAS BEEN TESTED?
A: A plan should exist and be tested annually. You are relying on the vendor to provide a service. Ensure your contract specifies how long you can go without that service. Cloud vendors are usually willing to refund the previous month's cost of the service if something goes wrong, but they will clearly state that they are not liable for any consequences of the business disruption. The refund is essentially worthless.

This is a basic set of questions. You may need a more in-depth review with some vendors. To get some practice in evaluating your vendors, start with a self-evaluation. Your clients may be asking for this information sooner rather than later.

ENDNOTES
1. Day two, track two session: Technology for Lawyers: What is My Ethical Duty and What Do I Need to Know? resmgr/klu_materials/2017klu/2017_KLU_PROGRAM_HANDBOOK.pdf
2. Opinions_(Part_2)_/kba_e-437.pdf
3. SCR_3.130_(5.3).pdf
4. al_security/ABA%20Formal%20Opinion%20477.authcheckdam.pdf
5. The NIST Cybersecurity Framework is fully explained at this site: https://
6. For an overview of the various SOC (Service Organization Controls) reports, see Services/Pages/ServiceOrganization%27sManagement.aspx

ABOUT THE AUTHOR
JEFF SALLEE is a member of Western & Southern's Information Security team, which he joined after retiring from Procter & Gamble. He is an alumnus of the Defense Language Institute, received three undergraduate degrees from Purdue University, obtained his J.D. from Chase College of Law, and is currently an adjunct professor at the University of the Cumberlands. His certifications include Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA). Sallee is licensed to practice in Kentucky, Indiana, and before the Supreme Court of the US.
