The public comment version of the Sedona Conference's Commentary on Law Firm Data Security was released this month. It includes a questionnaire that clients can use to assess a law firm's ability to keep data secure.

The six sections of the questionnaire focus on:

1. General - an information security program; security certifications; document retention and destruction policies; and third party assessments.

2. Risk Assessment - information segregation; business continuity; disaster recovery; event reporting; incident response plan; and network updates & security patches.

3. Asset Security - device and software inventory; internal vulnerability assessments; physical security; malware defenses; and firewall configurations.

4. Communications - data encryption; monitoring of audit logs; protection of wifi; use of transport layer security for email; restricted access to websites that can be used to exfiltrate data; use of intrusion detection systems.

5. Identity and Access Management - user access control.

6. Security Operations - confidentiality agreements; training programs.