Data leaks: How to test your firm's data protection systems
Sheila Pancholi and David Morris reveal how to perform a maintenance check of your firm's data protection systems
Four things you will learn from this Masterclass:
- How to manage potential security risks with limited resources
- How to check if your firm is adequately protecting sensitive data
- How to determine the security of your firm’s network and data storage
- How to test if staff are following your firm’s data security policy
Given that law firms often hold highly-sensitive information on companies and individuals, it has always been recognised that there is a fundamental requirement to establish a proper control environment to protect this data.
However, this has now been given new impetus by the increasing number of organised external attacks on businesses, new governance requirements and fresh demands from larger clients for increased information about the adequacy of controls over their data.
Checking that your firm’s controls are actually working will provide you and your clients with the assurance that your information security risks continue to be controlled. This article provides practical guidance on putting together a programme to test if your data is adequately protected.
Preparation
Firstly, before you do any testing, you should check that you have properly identified the data that you want to protect. Firms often miss the very obvious, such as remuneration lists, as well as the less obvious. It is relatively easy to overlook the importance of seemingly mundane data and how useful it may be to outsiders.
For example, data lost from Royal Air Force Innsworth in Gloucestershire, England in 2008 included details of individuals’ extra-marital affairs, debts and drug use, which in turn increased the threat of blackmail and extortion of RAF staff.
Key to this process is good data categorisation and classification. This should be based upon a formal risk assessment – what is going to cause your firm the greatest problems if it is leaked or lost? Putting data in groups like this allows you to focus potentially limited resources on the areas that matter. It also allows you to ensure data is properly handled and archived.
Another issue to address is to ensure that responsibility for information security has been properly allocated. In larger firms, consideration should be given to establishing the role of an information security manager. If it is not clearly defined who is responsible, it is entirely possible that data protection issues may occur because of oversights and errors.
The UK Information Commissioner’s Office (ICO) has the power to issue monetary penalty notices of up to £500,000 for serious breaches of the Data Protection Act. To date, it has issued 25 penalties totalling £2.75m for data loss incidents, with the single largest penalty being £325,000.
The causes of data protection breaches have included the mailing, faxing or emailing of sensitive information to incorrect recipients, the loss of unencrypted laptops and other portable media devices, and poor data destruction practices.
Testing your data protection protocols
- Check that your data risk assessment and subsequent categorisation is up to date and reflects all recent systems, business processes and data changes. If the categorisation is wrong, the protection afforded could also be wrong.
- Perform privacy impact assessments or the equivalent. These assess how personally-identifiable information is collected, stored, protected, shared and managed.
- Ensure you have up-to-date information security policies that are known to all staff. Check that staff have current copies and that you have a signed confirmation of receipt of the policy from all staff. If you use centralised software to distribute and control policy updates, review the records to see who is not accepting them.
- Ensure the member of staff responsible for information security clearly understands his responsibilities and is given the time and resources required to undertake the role effectively.
External perimeter
The spectre of the invisible hacker looms over all organisations with an external presence. Not only are there experienced gangs who are dedicated to attacking network perimeters and websites (for either fun or profit), but there are also plenty of enthusiastic amateurs.
Easy-to-use tools that facilitate hacking are freely available on the web and can even come with detailed guides and unpacking instructions. Recent high-profile events have included concerted attacks against JP Morgan, Bank of America and Wells Fargo in the US.
First, you need to establish what your external perimeter actually is. Is it just your network? Does it include a key third party who hosts some systems for you? Does it include the disaster recovery centre that your data is mirrored to? Once you have established what your boundaries are, you can determine how to test them.
In December 2008, the Bar Council had to write to all barristers in England and Wales to inform them that, during a break-in at its central London office, a laptop computer and four hard drives had been stolen. The data taken had included financial records of barristers who paid by direct debit and details of complaints made against some barristers.
The trend of home and mobile working also extends the ‘physical’ perimeter to be protected.
In November 2011, an official undertaking to the ICO was signed by an Edinburgh QC following the theft of an unencrypted laptop computer. The laptop contained the sensitive personal data of a number of individuals who were involved in cases on which the QC as a data controller was instructed to act.
While the ICO noted that physical security measures were in place at the time of the incident, there were insufficient technical security controls employed on the laptop to protect the data. This demonstrates that a set of complementary controls needs to be in place to protect the personal data of others which is being processed on a daily basis.
Checking your external perimeter
- Perform regular tests that probe your perimeter, either using your own staff or external specialists.
- Don’t tell IT staff about planned tests, except on a strictly need-to-know basis – this will mean that their reaction to any security events or alerts they notice will also be tested.
- Consider performing some social engineering tests, for example ringing the helpdesk and trying to get the password for a sensitive account or important user.
- Check how third parties and suppliers store and use your data. Consider how you can test that they are holding it securely, such as invoking the contractual right to site visits (if you have it). Alternatively, request that they produce recent assurance reports, such as internal audit reports or service auditor reports like ISAE 3402, or demonstrate ISO 27002 compliance. In the longer term, the importance of ensuring your contracts grant you the right of audit should not be overlooked.
- Check your remote working arrangements. You should confirm that only current staff have remote access rights, that this access is controlled and managed adequately, and that suitable audit logs are available for examination should they be required. Quite often, it’s simple controls like starter/leaver processes that introduce security weaknesses and threats to an organisation.
Data storage
When addressing data security, you will need to consider in what form data exists and how it might be taken out of your firm’s control. Data security covers more than just computerised records on central systems. Controls over the production and destruction of paper are potentially as important.
The growth in mobile computing has also provided many new opportunities for data to be taken, stolen or lost. Some organisations have not yet addressed this area and are extremely vulnerable to data security breaches through this route.
For example, East Lothian Council lost the personal data of over 1,000 pupils earlier this year because one employee downloaded the information onto a memory stick and subsequently lost it.
Another consideration is security monitoring. You will need to think about what sort of information you actually want to check and then record it. Firms have been known to religiously record events that do not relate to the risks that they are concerned about and to neglect those areas that they should pay more attention to.
What is recorded and checked needs to align with what you are actually concerned about. Also, recording all breaches and incidents allows you to build up a pattern of events that can help with defining what you test and how often you perform your tests.
Checking your data storage is secure
- Perform internal tests of your key network controls – for example, check that the DMZ (perimeter network) is properly configured, vital software patches are up to date and the anti-virus software is up to date.
- Perform spot checks of physical access to your main servers and storage devices. Console access is potentially a high-risk point of entry to your data.
- Check the security of the mobile devices used by your staff. Whether they are supplied by the company or are private devices, they should have a minimum level of security if they attach to your network or can otherwise access corporate emails. Controls should include encryption, the ability to remote wipe in the event of loss and the use of passwords and PINs.
- Check that the firm you have engaged to do your confidential waste disposal (including paper, redundant devices and disks) is still suitable for the job and has the right accreditation.
- Perform spot checks on ordinary bins to see what sorts of papers and files are being thrown out in unsecured waste.
The people element
The potential role of people in undermining your information security controls cannot be stressed enough. Staff are often the weakest link in a risk control culture, either through a lack of training and education or through a desire to cut through what they see as overcomplicated processes that get in the way of their day jobs.
Unfortunately, a minority of staff may also have malicious intentions. There have been recent reports of criminal gangs trying to get people into positions of trust where they can obtain data such as credit card information. Some staff may also have chaotic personal lives that can only be funded by fraud or deceit.
Testing in this area is about making sure that your staff know and follow the rules. The aim is to check the extent to which your staff understand the control environment that has been established. On a wider level, it is also about ensuring that your organisation is following the procedures that it has developed to ensure only suitably-vetted members of staff are employed in the first place.
Another area to consider that is growing rapidly in popularity is social networking. What are people (including staff) saying online about your organisation? What company information are they revealing?
Checking your staff follow data protection rules
- Talk to your HR department before doing any testing of staff – they will advise you what you can and can’t do in respect of staff privacy and what policies staff have signed up to.
- Check that, if you have a clear desk policy, it is enforced – perform regular unannounced inspections of desks and circulate the results.
- Enforce the same controls for senior staff that you do for junior staff. The tone at the top is very important in establishing a strong environment and culture of control. Senior staff must be seen to set a good example.
- Check that the background financial and educational checks that are supposed to take place during recruitment do actually take place, especially for staff in high-risk areas. Vetting is often performed haphazardly, if at all, but it can usefully identify potential problem areas before it is too late to address them.
- Check that staff training and education records in respect of information security are up to date.
- Review the access rights of contractors and temporary staff. The accounts that they leave behind when they depart are often used to gain unauthorised access to systems and underlying data. Check that there is a procedure to remove their rights when they leave and that it works.
- Consider performing regular access reviews for all staff at least annually. Do they still require the levels of access they currently have? It is a good idea to ask their managers rather than individual members of staff.
- Don’t overlook the possibility of data being leaked through social networking sites. Check that this is covered in your IT security policy and talk to HR about what monitoring is permissible or desirable.
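The remote-working check in the perimeter section and the contractor and access-review items above all come down to the same reconciliation: the accounts that still hold access, compared against who HR says is still employed or engaged. The following Python script is an added example, not from the article or from RSM Tenon; the HR roster, the remote-access group export and the field names are constructed assumptions, and it flags leavers and ended contractors who still hold access, accounts with no HR owner, and dormant accounts.

```python
"""Reconcile accounts holding remote access against the HR roster.

Added example (not from the article). Flags leavers and ended contractors
who still hold access, accounts with no HR owner, and dormant accounts.
Roster, account export and field names are constructed assumptions.
"""
from datetime import date

# Constructed HR roster: engagement type and leaving/end date (None = current).
HR_ROSTER = {
    "asmith": {"type": "employee",   "left": None},
    "bjones": {"type": "employee",   "left": date(2012, 3, 31)},
    "ckhan":  {"type": "contractor", "left": date(2012, 5, 15)},
    "dlee":   {"type": "contractor", "left": None},
}
# Constructed export of the remote-access group with each account's last logon.
REMOTE_ACCESS_ACCOUNTS = [
    {"user": "asmith",  "last_logon": date(2012, 6, 1)},
    {"user": "bjones",  "last_logon": date(2012, 5, 20)},  # leaver, still enabled
    {"user": "ckhan",   "last_logon": date(2012, 4, 2)},   # contract has ended
    {"user": "dlee",    "last_logon": date(2011, 11, 1)},  # dormant account
    {"user": "svc_old", "last_logon": None},               # nobody in HR owns it
]
REVIEW_DATE = date(2012, 6, 10)  # constructed date of the review

def review_remote_access(accounts, roster, today, dormant_days=90):
    """Return (user, finding) pairs; an empty list means nothing to action."""
    findings = []
    for acct in accounts:
        user, last = acct["user"], acct["last_logon"]
        record = roster.get(user)
        if record is None:
            findings.append((user, "no HR record: orphaned or shared account"))
            continue
        left = record["left"]
        if left is not None and left <= today:
            kind = "leaver" if record["type"] == "employee" else "ended contractor"
            msg = f"{kind} still has remote access (left {left})"
            if last is not None and last > left:
                msg += "; logon recorded after leaving date"
            findings.append((user, msg))
            continue
        if last is None or (today - last).days > dormant_days:
            findings.append((user, f"dormant: no logon in {dormant_days} days"))
    return findings

if __name__ == "__main__":
    for user, finding in review_remote_access(REMOTE_ACCESS_ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(f"{user:8} {finding}")
```

A logon recorded after the leaving date is the finding to chase first, since it shows the leaver process failed and the account was used afterwards.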
Investing in testing
It is unrealistic to expect that you will be able to gain full assurance through testing alone. But, testing will provide valuable input into any assessment of how effective your control environment is and, in particular, whether the message about the importance of information security has reached your staff and partners.
The testing programme should be seen for what it is – a supplement to the control environment and not a replacement for a properly thought-out strategy and set of controls.
There is also the value issue to consider – being able to demonstrate that your firm is on top of information security could help you to retain clients or add to your credentials when tendering for new work. Establishing a good testing regime now may give you a head start on future client demands and expectations.
Finally, make sure that you allow adequate resources to do the testing properly – half-hearted or haphazard testing can give false assurance and may just waste time and money. A successful testing strategy is not a rubber-stamping academic exercise. Done properly, it can help to protect your firm’s data and reputation.
Ensuring your firm is successfully testing for data security risks
- Test your information security on a repeated basis – a one-off exercise is useful, but the changing nature of threats and risks will render it less useful over time.
- Consider the use of checklists to drive your future testing regime. These can help you to plan and record weekly, monthly and annual tests, as required.
- Tailor the testing to suit your firm’s requirements – one size does not fit all. What you do depends upon your organisation’s structure and culture, your clients and the complexity of your information security requirements.
- Remember to promptly deal with the specific issues the testing reveals so that no holes are left uncovered.
- Consider sharing your testing strategy with clients who have been asking for information about your control environment and using their feedback to further improve it.
Sheila Pancholi is a partner and David Morris a senior manager in the information systems assurance team at UK accountancy firm RSM Tenon (www.rsmtenon.com).