Three Benefits to Using the NIST Security Framework as an IT Foundation
The NIST Cybersecurity Framework provides a structure for managing data security today, as well as a roadmap for improving data security in the future with ongoing development, alignment and collaboration between industry and government.
September 05, 2019 at 07:00 AM
5 minute read
The treasure trove of valuable client data residing inside of law firms—such as financial information related to potential corporate transactions and confidential litigation documents or trade secrets—has made law firms top-priority targets of cyber criminals. Indeed, nearly one in four firms reported they have been the victim of a data breach, according to the ABA's 2018 Legal Technology Survey Report.
Law firms have responded to this challenge by making substantial investments in information security systems, technologies and procedures. Part of this response has been the search for the optimal IT framework, a mission complicated by the seemingly endless array of ISO, SOC and COBIT standards we read about frequently in the legal technology space.
As we consult with U.S. law firms, we urge them that the superior approach is to build their IT security framework on the structure laid out in the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
NIST is a division of the U.S. Commerce Department that promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security. One of NIST's key strategic initiatives has been the development of a framework of controls, guidelines and best practices to help organizations manage cybersecurity-related risk.
The NIST Cybersecurity Framework provides a structure for managing data security today, as well as a roadmap for improving data security in the future with ongoing development, alignment and collaboration between industry and government. The approach laid out in the NIST framework establishes controls for organizations to implement in their IT systems and processes, ranging from how to identify known cybersecurity risks and detect the occurrence of a potential breach to how to respond to a cyber security incident and restore any organizational capabilities that were impaired.
There are a number of reasons why law firms should consider building their IT framework on the NIST framework, but here are three specific benefits that this strategic decision can deliver to a firm:
1. Creates a Security Playbook
Following the NIST framework will lead to the creation of a "System Security Plan" that law firms can use to operationalize their IT security strategy. This security playbook creates a continuous cycle for security: design; implement; review; update; and then resume the cycle again. Firms should evaluate their information security activities, align their IT budget, implement necessary IT controls, update all relevant documentation and then conduct a comprehensive review at least annually.
2. Provides Risk Assessment
The NIST framework also functions as a built-in risk assessment exercise, helping law firms go through the process of documenting which controls they have in place—and which ones are not as mature—so they can identify areas within their security program that need additional attention. This gap analysis guides the firm's IT planning by serving as a tool for framing and directing where the firm's security framework should evolve in response to changing conditions, threats and needs. Firms can leverage these insights to identify potential weaknesses in their systems and determine where budget is best allocated to mitigate the most risk.
3. Supports Responses to Audits
Roughly one-half of law firms were subjected to a cybersecurity audit last year, according to a presentation from the Association of Legal Administrators. The NIST framework provides a structure to use in organizing important descriptions, data maps and information security processes that are commonly requested in security and compliance questionnaires sent by clients. Maintaining documented structure for the law firm's data protection framework and information security program assists in providing structured and consistent responses related to client compliance. This creates a professional reporting format to provide comfort and assurance around clients' security concerns.
The NIST Cybersecurity Framework provides a comprehensive information security approach that addresses the technical bases of concern to firm stakeholders and clients, delivers law firms with an operational playbook for the protection of their IT systems, and provides an important management tool to support a firm's information security operations. In a world where the alphabet soup of compliance standards seems to grow by the day, the NIST Cybersecurity Framework is a wise foundation for any law firm's approach to information security.
Ken Kulawiak is Vice President of Information Security and Technology for HBR Consulting. Ken provides guidance on the security strategies implemented for HBR Managed Services clients, as well as HBR Consulting's approach to information governance, information security, data privacy and technology. Prior to joining HBR, he served as a Chief Information Security Officer and led the Information Governance and Risk teams for financial institutions. For more information, please go to www.hbrconsulting.com.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Senate Democrats Advance 4th Circuit Pick Ryan Park’s Nomination
- 2Judge Rejects Meta’s Plea to Send FTC Antitrust Suit to Trash Heap
- 3How Have You Fared in 2024? Share Your Insights in the Managing Partners Survey
- 4Court Rules Mere Conduit Defense Not Suitable for a Motion to Dismiss
- 5Ironclad Officially Launches New Gen AI Assistant Jurist
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
