A self-assessment IT security checklist

The following checklist incorporates guidance from the ICO and GCHQ on data protection, IT security, and cyber security.

In addition, we have included our own experience.

The checklist provides a very easy way to get a view on your level of IT security in place.

Ask the appropriate person, or people, to go through the list, and tick each item that is covered.

Then you can take a measured decision on the action to take on the items that are not covered.

Governance

  • Do you have a person responsible for managing risk within your firm, including cyber security risk? This role should capture the Data Privacy Office responsibilities as part of the upcoming General Data Protection Regulation (GDPR) (more in the Regulatory section).
  • Do you have a defined risk management approach, including for cyber security risk? This should include how risks are identified, how risk decisions are made, how responsibilities are assigned, and how actions are tracked.
  • What security assurance schemes has your firm adopted, or do you require in your IT providers? The most basic of schemes for a firm is Cyber Essentials, with comprehensive certifications such as ISO 27001 that are also relevant to IT providers.
  • Have you defined classifications of data sensitivity and data retention so that data can be appropriately protected? This should consider both the UK Data Protection Act (DPA) and GDPR.
  • Do you have appropriate cyber security insurance?

Policies and process

  • Do you have a policy covering IT outsourcing, including how to verify that the contractual commitments are delivered?
  • Do you have a policy identifying your cyber security controls and the process for monitoring and evaluating the appropriateness of the controls? This policy should be directly aligned with the cyber risks identified as part of your risk management process.
  • Do you have an acceptable use of IT policy for your employees? This should include: data protection responsibilities; use of email; use of social media; use of consumer services; use of Internet; password security; use of firm equipment; and, use of personal devices.
  • Do you have an induction process that includes training employees on their IT responsibilities? This should also include a process for when employees leave the firm.
  • Do you have a cyber security incident management policy and process? (more in the Logging and Monitoring section).

Regulatory

  • Can only authorised people access, alter, disclose or destroy personal data? (DPA Principle 7)
  • If personal data is accidentally lost, altered or destroyed, can it be recovered to prevent any damage or distress to the individuals concerned? (DPA Principle 7)
  • Can you show that you have designed your technical and organisational measures to protect personal data? (GDPR, Article 23)
  • If you transfer personal data outside of the European Economic Area, do you have mechanisms in place to remain compliant with EU data privacy regulations? For example, many IT outsourced providers use data centres in the US. EU-US Privacy Shield Framework registration may be sufficient to remain compliant.
  • Have your outsourced IT providers given sufficient guarantees on how they protect your data? Make sure responsibilities for your data are clear, as in most cases your firm remains responsible.

Data and Asset classification

  • Do you have defined data and asset classifications? Example classifications include Confidential, Restricted, Internal and Public.
  • Do you have an approved list of assets (devices) for use within your firm? Can all types of data be stored or used with those devices?
  • Do you have a policy on the specific control mechanisms that apply to data and asset classifications? This refers to both technical and organisational measures.
  • Do you have clear responsibilities for controlling and processing data, as defined by the DPA and the GDPR? (see previous section)
  • Do you have clear policies in place for data archiving and disposal, as defined by the DPA and GDPR?

Employee training

  • Are your employees aware of the security risks faced by your firm? Your firm’s risk register should guide this.
  • Are your employees trained to recognise email attachments that might be viruses in disguise? Email filtering is the best protection, but it is not 100% accurate. Employees can often spot tell-tale signs of a malicious email that automated tools miss. For example, unusual use of words or unusual requests.
  • Are your employees trained to recognise scam emails? For example, fraudulent emails requesting funds transfers as part of a deal.
  • Are your employees trained on the applicable policies and procedures that apply to your firm? This should apply at initial induction, and then at defined appropriate intervals to refresh or reinforce the training (see Policies and process section).
  • Are your employees aware of good password habits? If your employees have more than a few passwords, are they provided with a password vault?
  • Don’t forget that employees include senior ones too: partners, boards and external advisers.

Secure IT design

  • Is your firm’s IT design, including its cyber security design, documented? The following questions assume it is.
  • Does your firm’s IT design show a clear mapping of design decisions against agreed business objectives, including treatment of the key business risks faced by the firm? This usually requires budgetary information so risk versus cost can be considered.
  • Does your firm’s IT design consider the effort and skills required to maintain it? Complex or unusual designs can introduce cyber security risks.
  • Does your firm’s IT design consider the trade-off between security and usability? Highly restrictive designs are more secure, but less user friendly. A balance between risk and reward should be taken.
  • Does your firm’s IT design clearly identify the vulnerabilities present? Every design has vulnerabilities, which in general are a balance between security, cost and usability.

Procurement

  • Are your procurement decisions directly linked to cyber security design? For example, your design may define a central platform for collecting and analysing security logs (more in the Logging and Monitoring section). Thus, procurement of IT services should be compatible with sending logs to that platform.
  • Do you have the necessary skills and experience to make procurement decisions? Consider expert independent advice, if you are unsure.
  • Do you have a realistic cyber security budget to address the risks in your firm? A detailed, realistic budget will help prevent overspending.
  • Are your IT solution components, including outsourced IT providers, certified to the relevant security standards? Independent certifications are the best way to check that specific IT solution components are secure. The comprehensive validations that certifications provide are impossible for a law firm to replicate independently.
  • Do your outsourced IT providers conform with the DPA, and the upcoming GDPR? (see Regulatory section).
  • Are your IT solutions off-the-shelf, or bespoke? Bespoke IT solutions can introduce unintended security vulnerabilities, as often the driver for bespoke IT solutions is business functionality. This can mean that security is an afterthought.

Office physical security

  • Are your on-premise servers, firewall and network switches/routers in a locked equipment room or cabinet that includes controls over who has access?
  • Does the locked equipment room or cabinet have sufficient cooling, dust protection, humidity protection and power protection? Sudden failure of a server due to environmental issues can result in data loss, even if there is a backup process in place.
  • Are the data centres used by outsourced IT providers compliant with ISO27001? ISO27001 provides a best practice framework for information security management.
  • Do you have physical protection in place for computing equipment in locations accessible by the public, for example reception areas?
  • Is employee and visitor access to the office recorded? For example, employee swipe card systems and visitor sign-in books.
  • Are employees and contractors (including maintenance staff) appropriately security cleared?

Security assessment and testing

  • Do you complete an annual penetration test of your IT environment (including outsourced components)? A penetration test is a controlled exercise to attempt to hack into your IT systems, and applies to both onsite infrastructure, and offsite services. This identifies vulnerabilities that can then be proactively resolved.
  • Do you complete regular vulnerability scans of your IT environment? A vulnerability scan alerts you to vulnerabilities in software and hardware without attempting exploitation.
  • Do you test the response of your employees to malicious emails?
  • Do you review a list of all people with access to your IT environment and validate that their access and permissions are valid?
  • Do your outsourced IT providers complete regular penetration tests of their IT environment and share the results?
  • Do you complete a security assessment before you procure new software, hardware or services?

Logging and Monitoring

  • Do you have a logging policy, and has it been put in place? Align this directly to your firm’s risk management strategy. It should include what you monitor, how long logs are retained, and what events are considered important. For example, it is typical to monitor for unusual activity on firewalls, email systems and file servers.
  • Do you have a centralised logging and monitoring platform? Centralised log collection enables efficient review and effective cyber security (as advanced cyber-attacks will delete local log files).
  • Is monitoring configured to generate alerts for unusual events, and is someone assigned to receive and investigate the alerts? Monitoring without alerts, and without someone to act, is of little benefit other than to retrospectively review a cyber-attack.
  • When you select new IT services or equipment do you include log generation and export capability in your evaluation criteria? Selecting IT equipment or services for sensitive data processing that does not allow automated export of logs, often called “shipping”, will create a significant blind spot in your cyber security response capabilities.

Incident management

  • Do you have a process if data is lost or corrupted? Consider, laptops, applications, and databases. Consider your own servers and any outsourced IT services including cloud services.
  • Do you have a process if sensitive data is accidentally exposed? For example, accidentally emailed to the wrong recipient.
  • Do you know when to inform the ICO of a security incident? Under the GDPR you must report a breach within 72 hours, but it is not currently a legal obligation under the DPA.
  • Do you have a process if a computer gets a virus?
  • Do you have a process if your logging and monitoring solution identifies unusual behaviour? For example, large amounts of files being transferred away from your document management system.
  • Do you have a process if your firm becomes the target of a cyber-attack? For example, excessive amounts of traffic pointed at your website to prevent it from responding (called a denial of service attack).

Preventative actions

  • Do you have a process for knowing when software updates are available for your IT environment? This applies not just to operating systems and antivirus software, but also to software applications and network equipment software – sometimes called firmware (as used by firewalls, switches and routers).
  • Do you have a process for applying an update once it is available? Who applies the update, when is it released, and what checks are done to ensure it doesn’t break anything? (see Change section).
  • Do you scan your IT environment to identify vulnerabilities? These scans need to be tailored to your IT environment, for example, for the type of databases used (if applicable).
  • Do you have a process for action when a vulnerability has been identified in your IT environment? By identifying a vulnerability, alternative risk mitigation techniques can be used, for example, by reducing access to vulnerable systems.
  • Do you have controls in place to prevent unauthorised software from being installed on computers?
  • Do you have controls in place to prevent access to malicious websites?
  • Do your outsourced IT providers identify how they manage the above items for the infrastructure used to deliver your services?

Change management

  • Do you have a defined process for change management?
  • Do you have a defined baseline configuration of your IT systems so that unauthorised changes can be detected?
  • Do you have a record of your IT components that identifies the interrelationships and dependencies of their configurations? For example, it may not be possible to upgrade a server operating system without first upgrading the application hosted on that server.
  • Do you have a system for keeping track of when and how changes have been applied? This assists in identifying the cause of IT problems.
  • Is the ability to apply changes restricted to authorised people?
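The baseline configuration question above asks whether unauthorised changes can be detected. One simple way to do that is to record a cryptographic hash of every configuration file, store the result as a baseline, and compare the live system against it at intervals. The script below is an added example, not part of the original checklist: the configuration tree, file names and contents it creates are constructed for the demonstration, and the baseline is written as JSON so it can be kept off the host it describes.

```python
"""Baseline configuration drift check (added example, not from the original page).

Records a SHA-256 digest of every file under a configuration directory, stores
the result as a JSON baseline, and later reports files that were added, removed
or modified since the baseline was taken. The directory layout and file contents
in demo() are constructed for illustration only.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file under root (as a relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline as sorted JSON so it can be versioned or stored offsite."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    """Read a previously saved baseline."""
    return json.loads(src.read_text())


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Return the drift between the live tree and the stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            f for f in set(current) & set(baseline) if current[f] != baseline[f]
        ),
    }


def demo() -> dict:
    """Build a constructed config tree, baseline it, then simulate unapproved changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"  # constructed path, not a real host
        (root / "firewall").mkdir(parents=True)
        (root / "firewall" / "rules.conf").write_text("deny in from any to any\n")
        (root / "sshd_config").write_text("PermitRootLogin no\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated drift: an edited rule, a new scheduled job, a deleted file.
        (root / "firewall" / "rules.conf").write_text("allow in from any to any\n")
        (root / "cron.d").mkdir()
        (root / "cron.d" / "nightly").write_text("0 2 * * * /usr/local/bin/job\n")
        (root / "sshd_config").unlink()

        return compare_to_baseline(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be regenerated as part of each approved change and the comparison run on a schedule, with any non-empty drift raised as an alert to the person responsible for change management; the baseline file itself should live somewhere the monitored host cannot modify.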

Business continuity

  • Have you analysed the impact of the failure of each key IT component and the options and cost to recover from those failures? Consider network equipment (firewalls, routers, switches), key applications (email, matter management, case management, time keeping), phone systems and Internet connections.
  • Is your firm’s data backed up, and do you know how long the data would take to restore, and any potential data lost between successive backups? For a backup to be effective it needs to be independent of the primary system. Data synchronized between two locations is not a backup, as corruption in the primary system will propagate to the secondary system.
  • Do you store a backup copy that is offsite and encrypted? A local backup assists in recovery time, however, an offsite copy is essential to assisting in disaster recovery (see next section).
  • Are your backups tested regularly? A true test requires a complete restore.
  • If an outsourced IT provider failed, do you have a business continuity plan? For example, if the provider went into administration?

Disaster recovery

  • Do you have a disaster recovery plan? This should include scenarios such as your primary office being unavailable and all IT systems are offline.
  • Is your disaster recovery environment completely independent of your primary IT environment?
  • Does your disaster recovery plan consider a disaster impacting the supplier of proprietary software systems? For example, if you use cloud software for matter or case management, how would you recover if the provider went into administration unexpectedly?
  • Do you annually test your disaster recovery plan?
  • Do your outsourced IT service providers have a disaster recovery plan?
