Cyber Checklist: Security Questions to Ask Your Law Firm

What questions should you ask your law firm regarding its security posture? Let's start with industry standard, ISO 27001 certification security principles.

14 April 2016


Law firms are not regulated and only have a contractual and professional obligation to safeguard client information. But they handle the most sensitive, non-public market moving information on the planet. As I shared in my last post, law firms are not immune to hackers.

Given this current conundrum and little if any change in sight due to law firm lobbying influence, what questions should you ask your law firm regarding its security posture?

Let’s start with ISO certification. Based on ISO 27001 industry norms, you should ask your law firm if they adhere to the following ISO security principles:

# Security Principle Smart Questions to Ask
1 Information Security Policies
  • How well do policies address procedure documents for execution?
  • Can a report on violations be provided from quarterly audits?
    How well do policies address procedure documents for execution?
2 Organization of Information Security
  • How is the cybersecurity and information security program funded from an organizational structure? Is it by line of business or from the CISO or information security team?
  • Are CAPEX, OPEX and third party assessment cost analysis conducted?
  • Is an information steering committee created for all departments?
3 Human Resources Security
  • How robust is security training? What reports can be provided from past tests?
  • Are rigorous background checks on employees and contractors conducted? Can these results be reviewed?
4 Asset Management
  • How many assets have been lost or sent for repair in the last year?
  • Is data on mobile assets encrypted and protected; and therefore protected from unauthorized access?
  • How are documents from clients protected?
5 Access Control
  • What technologies are used for encryption, authentication and authorization?
  • Can an organization control documents shared with third parties? If yes, how are these controlled?
  • Is two factor authentication used?
6 Cryptography
  • Is data encrypted at rest, in transit and in use?
  • Please describe Public Key Infrastructure (PKI) used.
7 Physical and Environment Security
  • How secure are law firm physical premises?
  • Where is data stored and safeguarded?
8 Operations Security
  • Can audit logs for system administrators be explained?
  • How are operations and security teams engaged in technical elements? How do these two groups work together?
  • Can you list operation procedures that safeguard data privacy?
9 Communications Security
  • Are employees trained on the latest trends, best practices, procedures and policies in security?
  • How would a security incident be communicated to the public and your trusted parties? Are crisis public relations/communication teams prepared in advance?
10 System Acquisition, Development and Maintenance
  • How thorough are applications tested from a single pentest assessment and secure code review?
  • What are the procedures for code upgrades?
  • How are various integrations of software tested for vulnerabilities?
11 Supplier Relationships
  • What are the security posture verifications for your suppliers?
  • For third party providers, what is the patch management process?
12 Information Security Incident Management
  • How would you detect an incident?
  • Do you have reports on current attack vectors attempts?
  • When was the last time you tested incident response plans?
13 Information Security Aspects of Business Continuity Management
  • If your main office location was suddenly unavailable, how soon could you resume operations?
  • How is your backup protected?
  • Who has access to backup procedures and keys?
14 Compliance
  • What are all compliance frameworks that are utilized in your law firm?
  • What is the achieved level of compliance?


I hope you find these questions helpful. In our next blog, we will arm you with other smart questions you can ask your law firms for Statement on Standards for Attestation Engagements (SSAE) No. 16 or SSAE 16 for short.

Ondrej Krehel

Ondrej Krehel

Ondrej Krehel, CISSP, CEH, is the founder and principal of LIFARS LLC, an international cybersecurity and digital forensics firm. He’s the former Chief Information Security Officer of Identity Theft 911, the nation’s premier identity theft recovery and data breach management service. He previously conducted forensics investigations and managed the cybersecurity department at Stroz Friedberg and the Loews Corporation.

Stay IN the know

Sign up for our newsletter for must-read market analysis and thought leadership, delivered right to your inbox.