Primerus Security Standards - Clarifications:
The initiative to align overall security standards of Primerus affiliates to manage risk is commendable. In order to provide additional clarity to the recommended standards / controls, we are providing the following feedback. These details will not only establish clarity, they support our recommendations for technology configurations required to achieve these requirements.
Assumed controls in place – the following controls and technology are assumed for each law practice affiliate:
- Enterprise level Anti-virus / anti-malware solution
- Email security solution (e.g., SpamTitan, Mimecast, Cisco, Barracuda, Proofpoint)
- Workstations (desktops & laptops) procured are running legitimate licensed software (Windows, MS Office, etc.)
Phase 1 Cybersecurity Standards:
Multi-Factor Authentication (MFA)
- Objective - To add another factor in authentication process, reducing the likelihood of stolen & reused credentials.
- Why is this important? - This is the single most effective security change that can be made for securing access to important resources
- Technical Clarity - Solutions can include Company controlled MFA, or per application MFA. Many 3rd party providers including Software as a Service (SaaS) providers like Microsoft & Clio provide their own built-in MFA solution that you can configure for free. For some firms it may be ideal to leverage built-in MFA wherever feasible for free without using your own paid for solution. OTP or one time password MFA is best, SMS based (text based) is not ideal, but can be acceptable.
Privileged Access Management and Identification Policy
- Objective - To establish access granting & access revocation policies, & ensure systems are logging access authentication attempts to company resources.
- Why is this important? - Utilizing a checklist for new hires & terminations ensures that access to resources is enabled / disabled when appropriate. Restricting administrative access is key here. People should not have access to resources without business need, & they should not have excessive admin privileges.
- Technical Clarity - This control is achieved using a combination of policy, procedures, & systems logging. Systems logging, collection, & retention is needed so access reviews can be performed.
Data Security Policy with Security Patch Management (aka, Data Protection & Vulnerability Management)
- Objective - To ensure Company data is protected from unauthorized access, & systems are regularly patched against known vulnerabilities.
- Why is this important? - Exploiting known vulnerabilities is one of the most common tactics that hackers use to infiltrate systems. Systems backup solutions are your primary recovery mechanism in the event of data corruption or loss.
- Technical Clarity - This control is achieved using a combination of backup solution & vulnerability management solution. Backup solutions should include 3 copies of data. (including original data, backup copy on alternate media, & another copy stored or replicated offsite.) Vulnerability management includes a solution to scan & identify vulnerabilities, plus a lifecycle system that can patch or remediate those vulnerabilities on a continuous basis.
Incident Response Plan & Breach Notification Policy and Processes
- Objective - To establish policy & procedures for security response in the event of a significant security incident.
- Why is this important? - In the event of a breach, a timely, coordinated response is key in mitigating risks & impacts of that incident
- Technical Clarity - A well-established security policy template collection can be used to assist your Company.
- The policies will need to be drafted to reflect your specific systems in place.
Internal Risk Assessment and Security Monitoring Policy (aka, Risk Management Policy)
- Objective - To establish policy & procedures for managing risk through assessment, change management, & asset monitoring controls
- Why is this important? - You cannot manage risk without having visibility of your assets and controlling significant change. The scope of Risk management must include your primary vendors in phase 2.
- Technical Clarity - This control is achieved for security monitoring using a combination of managed anti-malware, or managed detection, & systems logging solutions.
Disaster Recovery and Business Continuity Plan (aka, DR / BCP)
- Objective - To establish a DR / BCP to detail what your staff needs to do in the event of a disaster, what communication methods are required, and the timeframe in which critical IT services need to be available.
- Why is this important? - Understanding what risks your company is protected against is key. In the event of a disaster, major outage, or data loss this plan will guide recovery of services & provide for communications directives with Employees & Customers
- Technical Clarity - Determining Critical business systems, Recovery Point Objective (RPO) & Recovery Time Objective (RTO) will be the drivers around the potential solution & policy elements to be included in the DR / BCP
Phase 2 Cybersecurity Standards:
Offer of encryption of client and sensitive information in motion (email and text) and at rest (storage and backup) - (aka, Data & Communications Security controls)
- Objective - To protect sensitive data workflows using email or collaboration tools, as well as protecting data at rest on workstations and servers.
- Why is this important? - Encrypting data can prevent unauthorized access to sensitive information even when someone has physical access to the data device or storage medium. It’s especially important to protect Laptops with drive encryption.
- Technical Clarity - This control is achieved using a combination of operating systems enforced encryption (Windows uses BitLocker, Macs use FileVault), storage based encryption for servers & backups, and file or email encryption for Business to Consumer sensitive data flows.
- Objective: To manage risk through controlling significant change using a process. That includes assessing risk, planning out implementation, testing, & backout steps for each significant change to critical IT systems.
- Why is this important? - Establishing change control will minimize the likelihood & impact of unintended consequences from changes. Many organizations have service disruptions as a result of not managing significant changes.
- Technical Clarity: This control is achieved through implementing a change management procedure tied to your Risk Management policy, training on the control, & enforcing practice of the control.
Third‐party risk assessment and engagement procedures (i.e., vendors and consultants).
- Objective - To manage risks associated with 3rd party relationships along the supply chain. 3rd parties include; vendors, service providers, software providers, & contractors.
- Why is this important? - Any 3rd party providing critical services or having access to sensitive information poses potential threats to your business. Many organizations have had security breaches or services disruptions due to Vendor negligence or Vendor sourced security incidents.
- Technical Clarity - This control is achieved through implementing a Vendor management procedure tied to your Risk Management policy, training on the control, & enforcing practice of the control. This control should include vendor screening, risk assessment, monitoring, onboarding & offboarding.
Data retention and deletion policy and processes
- Objective - To establish policy and procedures detailing compliance with federal and state laws and regulations, to eliminate accidental or innocent destruction of records, and define standards to safeguard retention / destruction of data.
- Why is this important? - Many different regulations control the retention / deletion of specific types of data. Lack of compliance controls can increase the risk of exposure to fines, & or damaged business reputation.
- Technical Clarity - This control is achieved through implementing a Data Retention and Destruction policy, training on the control, & enforcing practice of the control. This control should include data type classification, disposal procedure, and data retention schedule for each of the data types.
Workforce cybersecurity training
- Objective - To ensure all staff members are trained to recognize tactics & tools bad actors use to infiltrate companies using social engineering methods.
- Why is this important? - Your Team members must be trained to make smarter decisions on security related risk issues. This training program will improve your organization’s security culture & reduce human risk.
- Technical Clarity - This control is achieved through implementing a security awareness training program that includes regular training on tactics & tools actively in use, simulated phishing tests to test your Teams ability to detect social engineering threats, & extensive reporting / tracking metrics. KnowBe4.com is a preferred training vendor.
Chief Information Security Officer
main | 574.256.6777
direct | 574.347.8049