The public comment version of the Sedona Conference's Commentary on Law Firm Data Security was released this month. It includes a questionnaire that clients can use to assess a law firm's ability to keep data secure.
The six sections of the questionnaire focus on:
1. General - an information security program; security certifications; document retention and destruction policies; and third-party assessments.
2. Risk Assessment - information segregation; business continuity; disaster recovery; event reporting; incident response plan; and network updates & security patches.
3. Asset Security - device and software inventory; internal vulnerability assessments; physical security; malware defenses; and firewall configurations.
4. Communications - data encryption; monitoring of audit logs; protection of Wi-Fi; use of Transport Layer Security (TLS) for email; restricted access to websites that can be used to exfiltrate data; and use of intrusion detection systems.
5. Identity and Access Management - user access control.
6. Security Operations - confidentiality agreements; training programs.