The Sedona Conference On Questions to Ask Law Firms About Data Security
The public comment version of the Sedona Conference's Commentary on Law Firm Data Security was released this month. It includes a questionnaire that clients can use to assess a law firm's ability to keep data secure.
The six sections of the questionnaire focus on:
1. General - an information security program; security certifications; document retention and destruction policies; and third party assessments.
2. Risk Assessment - information segregation; business continuity; disaster recovery; event reporting; incident response plan; and network updates & security patches.
3. Asset Security - device and software inventory; internal vulnerability assessments; physical security; malware defenses; and firewall configurations.
4. Communications - data encryption; monitoring of audit logs; protection of wifi; use of transport layer security for email; restricted access to websites that can be used to exfiltrate data; use of intrusion detection systems.
5. Identity and Access Management - user access control.
6. Security Operations - confidentiality agreements; training programs.