Three Benefits to Using the NIST Security Framework as an IT Foundation
The NIST Cybersecurity Framework provides a structure for managing data security today, as well as a roadmap for improving data security in the future with ongoing development, alignment and collaboration between industry and government.
September 05, 2019 at 07:00 AM
5 minute read
The treasure trove of valuable client data residing inside of law firms—such as financial information related to potential corporate transactions and confidential litigation documents or trade secrets—has made law firms top-priority targets of cyber criminals. Indeed, nearly one in four firms reported they have been the victim of a data breach, according to the ABA's 2018 Legal Technology Survey Report.
Law firms have responded to this challenge by making substantial investments in information security systems, technologies and procedures. Part of this response has been the search for the optimal IT framework, a mission complicated by the seemingly endless array of ISO, SOC and COBIT standards we read about frequently in the legal technology space.
As we consult with U.S. law firms, we urge them that the superior approach is to build their IT security framework on the structure laid out in the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
NIST is a division of the U.S. Commerce Department that promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security. One of NIST's key strategic initiatives has been the development of a framework of controls, guidelines and best practices to help organizations manage cybersecurity-related risk.
The NIST Cybersecurity Framework provides a structure for managing data security today, as well as a roadmap for improving data security in the future with ongoing development, alignment and collaboration between industry and government. The approach laid out in the NIST framework establishes controls for organizations to implement in their IT systems and processes, ranging from how to identify known cybersecurity risks and detect the occurrence of a potential breach to how to respond to a cyber security incident and restore any organizational capabilities that were impaired.
There are a number of reasons why law firms should consider building their IT framework on the NIST framework, but here are three specific benefits that this strategic decision can deliver to a firm:
1. Creates a Security Playbook
Following the NIST framework will lead to the creation of a "System Security Plan" that law firms can use to operationalize their IT security strategy. This security playbook creates a continuous cycle for security: design; implement; review; update; and then resume the cycle again. Firms should evaluate their information security activities, align their IT budget, implement necessary IT controls, update all relevant documentation and then conduct a comprehensive review at least annually.
2. Provides Risk Assessment
The NIST framework also functions as a built-in risk assessment exercise, helping law firms go through the process of documenting which controls they have in place—and which ones are not as mature—so they can identify areas within their security program that need additional attention. This gap analysis guides the firm's IT planning by serving as a tool for framing and directing where the firm's security framework should evolve in response to changing conditions, threats and needs. Firms can leverage these insights to identify potential weaknesses in their systems and determine where budget is best allocated to mitigate the most risk.
3. Supports Responses to Audits
Roughly one-half of law firms were subjected to a cybersecurity audit last year, according to a presentation from the Association of Legal Administrators. The NIST framework provides a structure to use in organizing important descriptions, data maps and information security processes that are commonly requested in security and compliance questionnaires sent by clients. Maintaining documented structure for the law firm's data protection framework and information security program assists in providing structured and consistent responses related to client compliance. This creates a professional reporting format to provide comfort and assurance around clients' security concerns.
The NIST Cybersecurity Framework provides a comprehensive information security approach that addresses the technical bases of concern to firm stakeholders and clients, delivers law firms with an operational playbook for the protection of their IT systems, and provides an important management tool to support a firm's information security operations. In a world where the alphabet soup of compliance standards seems to grow by the day, the NIST Cybersecurity Framework is a wise foundation for any law firm's approach to information security.
Ken Kulawiak is Vice President of Information Security and Technology for HBR Consulting. Ken provides guidance on the security strategies implemented for HBR Managed Services clients, as well as HBR Consulting's approach to information governance, information security, data privacy and technology. Prior to joining HBR, he served as a Chief Information Security Officer and led the Information Governance and Risk teams for financial institutions. For more information, please go to www.hbrconsulting.com.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Marriott to Pay $52M, Upgrade Cybersecurity to Settle Probes Into 3 Big Breaches
Judges Say Social Media and Political Polarization Puts Them in Danger
ClioCon 2024 Takeaways: Navigating Law Firms' AI Future
Just 11% of Legal Departments Predict Gen AI Will Be 'Transformative,' as Its Honeymoon Phase Fades
7 minute readTrending Stories
Who Got The Work
Clark Hill members Vincent Roskovensky and Kevin B. Watson have entered appearances for Architectural Steel and Associated Products in a pending environmental lawsuit. The complaint, filed Aug. 27 in Pennsylvania Eastern District Court by Brodsky & Smith on behalf of Hung Trinh, accuses the defendant of discharging polluted stormwater from its steel facility without a permit in violation of the Clean Water Act. The case, assigned to U.S. District Judge Gerald J. Pappert, is 2:24-cv-04490, Trinh v. Architectural Steel And Associated Products, Inc.
Who Got The Work
Michael R. Yellin of Cole Schotz has entered an appearance for S2 d/b/a the Shoe Surgeon, Dominic Chambrone a/k/a Dominic Ciambrone and other defendants in a pending trademark infringement lawsuit. The case, filed July 15 in New York Southern District Court by DLA Piper on behalf of Nike, seeks to enjoin Ciambrone and the other defendants in their attempts to build an 'entire multifaceted' retail empire through their unauthorized use of Nike’s trademark rights. The case, assigned to U.S. District Judge Naomi Reice Buchwald, is 1:24-cv-05307, Nike Inc. v. S2, Inc. et al.
Who Got The Work
Sullivan & Cromwell partner Adam S. Paris has entered an appearance for Orthofix Medical in a pending securities class action arising from a proposed acquisition of SeaSpine by Orthofix. The suit, filed Sept. 6 in California Southern District Court, by Girard Sharp and the Hall Firm, contends that the offering materials and related oral communications contained untrue statements of material fact. According to the complaint, the defendants made a series of misrepresentations about Orthofix’s disclosure controls and internal controls over financial reporting and ethical compliance. The case, assigned to U.S. District Judge Linda Lopez, is 3:24-cv-01593, O'Hara v. Orthofix Medical Inc. et al.
Who Got The Work
Attorneys from Cadwalader, Wickersham & Taft and Pryor Cashman have entered appearances for Diageo Americas Supply d/b/a Ciroc Distilling Co. and Sony Songs, a division of Sony Music Publishing, respectively, in a pending lawsuit. The case was filed Sept. 10 in New York Southern District Court by the Bloom Firm and IP Legal Studio on behalf of Dawn Angelique Richard. The plaintiff, who performed as a member of producer Sean 'Diddy' Combs girl group Danity Kane and later his band, Diddy - Dirty Money, claims that she was financially exploited by Combs and subjected to inhumane working conditions. Among other violations, Richard claims that Combs required group members to remain at his residences and studios, deprived them of adequate food and sleep and forced them to rehearse for 36 to 48 hours without breaks. The case, assigned to U.S. District Judge Katherine Polk Failla, is 1:24-cv-06848, Richard v. Combs et al.
Who Got The Work
Mathilda McGee-Tubb and Kevin M. McGinty of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, as well as Jesse W. Belcher-Timme of Doherty, Wallace, Pillsbury & Murphy, have stepped in to defend Peter Pan Bus Lines in a pending consumer class action. The suit, filed Sept. 4 in Massachusetts District Court by Hackett Feinberg PC and KalielGold PLLC, accuses the defendant of charging undisclosed 'junk fees' on top of ticket prices during checkout. The case, assigned to U.S. District Judge Mark G. Mastroianni, is 3:24-cv-12277, Mulani et al v. Peter Pan Bus Lines, Inc.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
