Your premier source for legal solutions, including Thomson Reuters Westlaw and law books.
Practice Innovations — Managing in a changing legal environment
Gray Rule
January 2015 | VOLUME 16, NUMBER 1
Gray Rule
Client Data Security Audits—A Preemptive Checklist
»For easy printing – view as PDF


»Deconstructing the Myth of Low Technology Adoption in Law Firms
»Safe Travels in the Age of Digital Espionage: Protecting Your Assets on the Road
»Legal Pricing Technologies
»Client Data Security Audits—A Preemptive Checklist
»Smartphones as the New "Swiss Army Knife"
»Portable to Wearable to Embedded—How Technology is Literally Becoming Part of Us
»Back to Contents

» About Practice Innovations
» Editorial Board
» Past Issues
» Reader Feedback

Client Data Security Audits—A Preemptive ChecklistBy William P. Scarbrough, Chief Operating Officer, Bodman PLC, Detroit, MI
Law firms are receiving and responding to a growing number of data security audits from clients, particularly those in heavily regulated industries such as banking. This checklist provides some common areas of focus.

One of Bodman's core areas of practice is transactional banking work. The firm represents a number of regional banks, national banks, and local banks. Particularly the larger national and regional banks are dedicating increasing time and resources to data security, their own as well as that of key vendors such as law firms. At Bodman we have responded to a number of client questionnaires, audits, and surveys relating to information and data security. We have found the process to be a useful way to verify and continue to improve our data security infrastructure and procedures. The following checklist is based on questions we have received from a number of clients, and serves as a roadmap for all firms in reviewing and improving their data security.

  • Access control
    • Security policies control creation of all accounts
    • Physical access to servers, applications, network infrastructure, and communications systems limited to designated staff
  • Administration
    • Management approval required for all administrator accounts
    • All administrator activity logged
    • All user accounts assigned to individuals and never shared
    • Re-authentication required after period of inactivity (e.g., 30 minutes)
    • All accounts disabled after certain number of access attempts (e.g., 10)
    • User identity verified for password reset requests
    • Strong and uniformly enforced password standards (e.g., 8 characters, 1 letter, 1 number, 1 special character)
    • Required password change every 90 days with no or restricted reuse (e.g., after 5 changes)
    • Password encryption and no visual display
    • Hardware token or smartcard required for remote access
    • For passwords assigned to contract personnel, disable accounts every 90 days
    • Wireless users required to acknowledge acceptable use before connecting
    • All cloud-based data encrypted
  • Employee control
    • E-mail encryption, including blocking of outbound protected personal information
    • Restricted use of CD, DVD, and flash drives
    • Outbound Internet monitoring
  • Hardware and software control
    • Use of firm-approved devices only meeting firm security standards
    • No ability to save data from multifunctional devices to removable media
    • Inventory of all hardware and software assets
    • Prohibition against installing unauthorized hardware or software
  • Disaster and recovery planning
    • All primary systems and services included
    • Key third party vendors included
    • Documentation reviewed by management regularly
    • Business impact analysis part of plan
    • Specific recovery time and point objectives set
    • Notification, escalation and communication plans/contact numbers current
    • Plan accessible by all staff involved in recovery
    • Roles and responsibilities of recovery team clear and documented
    • Voice and data networks designed to avoid single points of failure
    • Data backup and redundancy
    • Special attention to facilities in disaster-prone areas
    • Plan and systems tested regularly
    • Information security responsibility assigned to individual
  • Compliance
    • Acceptable use policy in place for all software and hardware
    • Information security/privacy policy in place and enforced
  • Operations
    • Network diagrams and data flowcharts up to date and restricted to authorized staff
    • Antivirus and firewall systems restricted to authorized staff
    • Change management process in place and followed
    • Alternate data center for full system redundancy
    • Paper files and removable media stored in secure location
    • Laptops and mobile devices encrypted
    • Security event logs monitored regularly
    • Unneeded user accounts disabled promptly
    • New systems deployed only with latest security patches
    • Anti-virus and anti-malware installed and current on all servers and clients
    • Robust Internet firewall implementation
    • Network equipment and server rooms secured
    • Two-factor authentication for remote access
    • Concurrent connections to second network prohibited
    • Wireless network access only with strong encryption
    • Network intruder detection system for all external network connections
    • Regular network penetration tests conducted
    • Separate development/test and production environments
    • Incident response procedures in place
    • Adequate fire suppression systems for computer room(s)
    • Laptop usage and security monitored closely
  • Physical security
    • Building access restricted and controlled
    • Guests escorted at all times
    • Process for collecting access badges from former employees and guests
    • Access to client files restricted to authorized personnel on "need to know" basis
    • Information security policies defined, documented and circulated
    • Security awareness training for new employees and annually
    • Confidentiality agreements with vendors
    • External social media use only when approved by risk manager
  • Vendor management
    • Information security review of key vendors
    • Due diligence (e.g., background checks) on key vendors

Back to Contents