Thursday, April 3, 2014

The New Standard for Law Firm Information Governance : Policy-Based Security

Intapp's Kathryn Hume writes in with another update, relating to her collaboration with Iron Mountain's Information Governance working group: "Policy-Based Security: the new standard for law firm information governance and access management" --

I wouldn’t be the first to make the bold statement that "the perimeter is dead," as articles praising the value of an information security model founded upon the idea of a "secure breach" have been circulating throughout the information security community for the past couple of years. This information governance strategy, which Forrester Research refers to as a "Zero Trust Model," takes a fundamentally different conceptual approach to risk management than the traditional “perimeter” security model it is meant to replace.

The traditional, "perimeter" approach uses tools like firewalls, password policies and anti-virus software to keep bad guys out. These defensive bulwarks were developed in an age where businesses housed all of their information on local, private servers. In those days, the IT or security manager followed absolute dogmas: do what it takes to keep intruders out at all costs and make sure that business users within our environment benefit from maximum sharing, flexibility and productivity.

The oxymoronic character of the "secure breach" model to security indexes a vastly different approach to security. Here, IT and Security managers use outcomes-focused logic and work backwards to design their information governance strategy. They start by assuming that, in a world where employees lose mobile devices, share information outside their organizations and click on links in spear-phishing emails, a breach is bound to occur. They then assign access control rights and implement technologies inside the perimeter to mitigate the impact of a breach when it WILL eventually occur. Acceptance of risk is embedded into the very fabric of this new strategy.

As law firms, pushed by client requirements and regulations like HIPAA, pay increasing attention to information security, they are also increasingly adopting this secure breach approach. At last month’s LMRM conference, Tom Browne (General Counsel, Hinshaw) and Donald Campbell (Attorney, Collins Einhorn Farrell) highlighted the importance of developing a classification program to assign access control rights to data of varying sensitivity. And Iron Mountain now advises information governance professionals on methods to adopt what they call "policy-based" security, where "firms identify which items must be classified as private, confidential or otherwise protected with ethical walls and security polic[ies] travel with the data asset no matter where a file goes."

Over the past year, we’ve seen our law firm customers drastically change the way they configure Wall Builder to support a policy-based security strategy. Multiple firms have developed data classification programs, assigning access control rights, whose strictness varies with the data’s sensitivity, to data as it enters the firm at intake. This approach generates layers of information security that require a new approach to managing access controls.

That’s why firms now leverage our unique security capabilities to lock down practice groups with high densities of sensitive data (like Trust & Estates, Business Law and Litigation or M&A), while respecting more granular need-to-know access controls and ethical walls within these larger groups. The standard of care has shifted away from an open-by-default information access model to a policy-based security strategy that will clip the carte blanche to client data in the event of a breach.

We also see firms complementing policy-based security with policy-based monitoring. Many firms aren’t quite ready to lock down every practice group, and instead seek a compensating control to have visibility into unauthorized behavior that may signal a problem. To address this, firms set information access policies without enabling security, monitoring activity on information flagged by the policy and receiving alerts of unsanctioned behavior (e.g. an associate from the real estate practice looking at materials in the medical malpractice defense practice). Firms also monitor activity on very sensitive information like PHI or PII to identify traffic to personal email addresses or spikes in activity that may signify a problem.
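The two ideas above, classification-driven need-to-know access (stricter rules as sensitivity rises, enforced in some practice groups) and policy-based monitoring (the same policy evaluated in alert-only mode, plus PII egress and activity-spike alerts), can be shown in one small policy engine. The following is an added illustration written for this page; it is not Intapp or Wall Builder code, and the practice groups, tiers, thresholds, domains and every event in the log are constructed for the example.

```python
"""Policy-based security and monitoring over a constructed access log.

Added example, not Intapp/Wall Builder code. All classifications, practice
groups, thresholds, domains and events below are invented for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Sensitivity tiers assigned at intake, lowest to highest (constructed).
TIERS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass
class Document:
    doc_id: str
    practice: str            # owning practice group
    tier: str                # classification assigned at intake
    contains_pii: bool = False  # PHI/PII flag drives egress monitoring

@dataclass
class Policy:
    # At this tier and above, access is limited to the owning practice group.
    need_to_know_from: str = "confidential"
    # Practice groups where the policy is enforced (deny); elsewhere it is
    # evaluated in monitoring mode (allow, but raise an alert).
    enforced_practices: frozenset = frozenset({"trusts_estates", "litigation"})
    # Mail domains treated as internal; anything else counts as egress.
    firm_domains: frozenset = frozenset({"example-law.test"})
    # More restricted-tier views than this by one user in a day is a spike.
    spike_threshold: int = 3

@dataclass
class Event:
    day: str
    user: str
    user_practice: str
    doc_id: str
    action: str                      # "view" or "email"
    recipient: Optional[str] = None  # destination address for "email"

@dataclass
class Decision:
    allowed: bool
    alerts: list = field(default_factory=list)


def evaluate(event, doc, policy, counters):
    """Apply the policy to one event and return a Decision.

    A need-to-know violation is denied in enforced practice groups and
    allowed-with-alert in monitored ones; egress and spike checks only alert.
    """
    alerts = []
    crosses_wall = (doc.practice != event.user_practice
                    and TIERS[doc.tier] >= TIERS[policy.need_to_know_from])
    if crosses_wall:
        alerts.append(f"cross-practice access: {event.user} ({event.user_practice}) "
                      f"-> {doc.doc_id} ({doc.practice}, {doc.tier})")
        if doc.practice in policy.enforced_practices:
            return Decision(allowed=False, alerts=alerts)

    # Egress monitoring: PII/PHI mailed to an address outside the firm.
    if event.action == "email" and doc.contains_pii and event.recipient:
        domain = event.recipient.rsplit("@", 1)[-1].lower()
        if domain not in policy.firm_domains:
            alerts.append(f"PII egress: {event.user} mailed {doc.doc_id} to {event.recipient}")

    # Spike monitoring: restricted-tier views per user per day above threshold.
    if event.action == "view" and doc.tier == "restricted":
        key = (event.user, event.day)
        counters[key] += 1
        if counters[key] == policy.spike_threshold + 1:
            alerts.append(f"activity spike: {event.user} viewed more than "
                          f"{policy.spike_threshold} restricted documents on {event.day}")
    return Decision(allowed=True, alerts=alerts)


def run(events, docs, policy=Policy()):
    """Evaluate a sequence of events; the per-user/day counters persist across them."""
    counters = defaultdict(int)
    return [evaluate(ev, docs[ev.doc_id], policy, counters) for ev in events]


# Constructed document inventory and access log.
SAMPLE_DOCS = {
    "RE-1001": Document("RE-1001", "real_estate", "internal"),
    "MM-2001": Document("MM-2001", "med_mal_defense", "confidential", contains_pii=True),
    "TE-3001": Document("TE-3001", "trusts_estates", "restricted"),
}
SAMPLE_DOCS.update({f"LIT-400{i}": Document(f"LIT-400{i}", "litigation", "restricted")
                    for i in range(1, 5)})

SAMPLE_EVENTS = [
    Event("2014-04-01", "alice", "real_estate", "RE-1001", "view"),      # own practice
    Event("2014-04-01", "alice", "real_estate", "MM-2001", "view"),      # monitored wall
    Event("2014-04-01", "bob", "real_estate", "TE-3001", "view"),        # enforced wall
    Event("2014-04-01", "carol", "med_mal_defense", "MM-2001", "email",
          recipient="carol.home@personal-mail.test"),                    # PII egress
] + [Event("2014-04-01", "dave", "litigation", f"LIT-400{i}", "view") for i in range(1, 5)]

if __name__ == "__main__":
    for ev, d in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS, SAMPLE_DOCS)):
        print(ev.user, ev.action, ev.doc_id, "ALLOW" if d.allowed else "DENY", d.alerts)
```

Passing `Policy(enforced_practices=frozenset())` to `run` puts every practice group in monitoring mode, which is the "set the policy without enabling security" stage described above: the same cross-practice events are allowed but still produce alerts, so a firm can watch what the policy would block before switching a group to enforce.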

As a member of Iron Mountain’s Law Firm Information Governance Symposium HIPAA Task Force, I look forward to the upcoming symposium discussions on policy-based security in Washington, D.C.

And our upcoming information security presentation hosted by the Australasian Legal Practice Management Association in Melbourne will explore how firms can execute a policy-based security model successfully.

To discuss policy-based security in your law firm, please feel free to contact me at
