User security is never simple, and in the legal sector where sensitive data can span almost literally anything, it is even more complex.
The research results revealed in this report show that legal firms and law enforcement agencies across the UK and the US have significant areas for improvement. We have seen that a significant proportion do not even meet the relatively minimal requirements of the regulations that apply to them, and so fall short of compliance.
Hopefully the guidance offered here will help you reach beyond compliance to protect your client, crime or case data.
User security and compliance
With the breadth of often the most sensitive kinds of information, such as crime case data, at the disposal of those within the legal sector, it is imperative that organisations operate securely.
Unfortunately, the one area that is most often not secure is a complex area to address – human nature. The fact is that most risk stems not from technology, but from human error. All it takes is an absent-minded employee sharing a password or deciding to use the intel to which they shouldn’t have access to do something illegal.
The potential threats are dire, with severe penalties in place for non-compliance with regulations like FISMA or the DPA. But if you can prove your adherence to a standard, for example with an ISO 27001 certification, you are in a strong position to win clients and customers.
‘Need to know’ data restrictions
The foundation of user security regulations is all around data being restricted on a ‘need to know’ basis. This means that access requirements should be set according to role, giving employees clearance up to and not beyond what they require in order to do their job.
This approach limits the risk of human error by reducing the data each user can access to the minimum, so the possibility of a breach is minimised. However, it is not necessarily simple to implement, and it is far from the only element of a stringent user security approach.
Unique user identification
Naturally in order to limit access to the user’s requirement, you need to be able to identify individual users, for which unique logins are an absolute must.
Not only does unique user identification allow you to restrict network and data access on a ‘need to know’ basis, it is also essential in tracking and monitoring. If a breach does occur, you cannot detect how it occurred without being able to identify individuals and their network access activity.
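The two points above, role-based ‘need to know’ restriction and a unique identity behind every access, are easiest to see together in code. The following is an added example written for this guide, not code from the report or from any product it discusses; the role names, permission strings and case identifiers are constructed for illustration. Every decision is logged against the individual user ID, so after an incident the log can answer who touched which case record, which a shared login could never do.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> permissions granted to that role (constructed example values).
# A user gets exactly the permissions of their role and nothing beyond it.
ROLE_PERMISSIONS = {
    "paralegal": {"case:read"},
    "solicitor": {"case:read", "case:write"},
    "it_admin":  {"user:manage"},          # can manage accounts, cannot read case data
}


@dataclass(frozen=True)
class User:
    user_id: str   # unique per person; never a shared or generic login
    role: str


@dataclass
class AccessLog:
    """Append-only record of every access decision, keyed by the individual user."""
    entries: list = field(default_factory=list)

    def record(self, user_id: str, permission: str, resource: str, allowed: bool) -> None:
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id,
            "permission": permission,
            "resource": resource,
            "allowed": allowed,
        })


def is_permitted(user: User, permission: str) -> bool:
    """'Need to know' check: unknown roles and unknown permissions are denied by default."""
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def access_case(user: User, case_id: str, permission: str, log: AccessLog) -> bool:
    """Authorise an action on a case record and log the outcome either way.
    Denied attempts are logged too: they are the signal a reviewer looks for."""
    allowed = is_permitted(user, permission)
    log.record(user.user_id, permission, case_id, allowed)
    return allowed


def denied_attempts_by_user(log: AccessLog) -> dict:
    """Count refused accesses per individual; repeated denials merit follow-up."""
    counts: dict = {}
    for e in log.entries:
        if not e["allowed"]:
            counts[e["user_id"]] = counts.get(e["user_id"], 0) + 1
    return counts


def users_who_touched(log: AccessLog, resource: str) -> set:
    """Attribution question after a breach: which individuals accessed this record?"""
    return {e["user_id"] for e in log.entries if e["resource"] == resource and e["allowed"]}


def demo() -> AccessLog:
    """Run a constructed sequence of accesses and return the resulting log."""
    log = AccessLog()
    alice = User("u-alice", "paralegal")
    bob = User("u-bob", "solicitor")
    carol = User("u-carol", "it_admin")

    access_case(alice, "case-42", "case:read", log)    # allowed: within role
    access_case(alice, "case-42", "case:write", log)   # denied: beyond role
    access_case(bob, "case-42", "case:write", log)     # allowed
    access_case(carol, "case-42", "case:read", log)    # denied: admin has no case access
    access_case(carol, "case-42", "case:read", log)    # denied again, worth a look
    return log


if __name__ == "__main__":
    log = demo()
    print("denied attempts:", denied_attempts_by_user(log))
    print("who accessed case-42:", sorted(users_who_touched(log, "case-42")))
```

The deny-by-default lookup is the ‘need to know’ principle in one line; the log is what turns unique user identification into something useful during an investigation. Replace the in-memory list with your SIEM or audit store and the same two questions (who was refused, who touched a record) can be asked of real data.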
Going beyond compliance
This guide does go into detail on how to comply with the various regulations we’ve mentioned, however it is important to note that meeting a set standard does not mean ‘job done’. This is particularly the case with very broad and non-specific regulations like the Data Protection Act, which are deliberately open to interpretation.
But it is also true of the much more detailed ‘gold standard’ of ISO 27001. Although the standard offers a lot of good guidance, there is always more that can be achieved. Security is not black or white, it is a process of mitigating risk to the most achievable degree, and often compliance is the minimum requirement, not the end goal.