What are legal and law enforcement agencies doing to ensure employees have only the necessary access to sensitive data?
We have discussed the importance of integrity and reputation, and the reputation of legal practices and law enforcement agencies rests on their ability to protect personal, criminal and case data. This is so important that it is no longer just an IT problem but a whole-organisation problem, and everyone has a part to play in protecting this information.
Having access to information
The ISO 27002 information security guidelines are intended to help organisations implement, maintain and improve information security management. One of its controls states that an access control policy should be established, documented and reviewed, meaning that access rights should be defined for specific users and user groups rather than granted broadly. The research showed that 81% of professionals, in both the US and the UK, have access to the data that is necessary for their role.
ISO 27002 also recommends that organisations have a process that authenticates users and authorises only the functions and information those users need in order to do their jobs, and no more. However, it was worrying to see that 25% of professionals, in both the US and the UK, have access that is greater than necessary.
There is a responsibility to protect case and crime data from the risk of loss through a breach, such as a cyberattack, and managing access to files and folders at a role-specific level plays an important part in that. Some legal organisations have woken up to this key issue: 44% (US) and 37% (UK) of professionals have a specific level of user access, meaning they can access some files and folders but not others. These numbers are fairly low, indicating that the industry as a whole still has quite a long way to go.
Monitoring file access
Once legal firms and law enforcement agencies have implemented a process that identifies each user individually, the next step is to monitor their actions. The research showed that only 36% (US) and 30% (UK) of professionals were aware that their organisation monitors or logs their access to specific files and folders. Some organisations may monitor access activity without the employees' knowledge, mostly to identify unusual movement or deletion of files, which may not necessarily have been caused by the employee whose account was used.