If your firm is lucky enough to provide services to a bank, you have either already been hit with an audit or you're about to be. Even if you do not currently work with banking clients, your insurance company may come knocking sometime soon for the very same type of analysis. Either way, you've got a good amount of work ahead.
Bank IT audits are not exactly a lot of fun.
Most IT Risk or Security Audits will require hours of deciphering cryptic IT questions, budgeting for seemingly unreasonable requirements, and a general sense of “you’ve got to be kidding, right?”.
Even if you feel that your firm has done a solid job of staying current with technology, you’re likely to be caught off guard by the sheer magnitude and overall expectations of such an audit.
Which is all very understandable. First, you’re a law firm, not an Internet security firm. It would be very convenient if you could do both but let’s just agree that’s not likely. Second, even some of the best and brightest IT support companies out there with ample security ‘know-how’ can leave you short when it’s time for that audit.
Why? Because the biggest change to happen in IT security and risk analysis since the 2009 banking collapse can be summarized in 2 words: prove it. The vast majority of IT or Managed IT firms out there today are well staffed with technicians who can install and configure the right tools and tell the client that they are all set in case of an emergency. But can you prove it?
IT companies will look at your environment from their perspective. Banks want to look at your IT security from the bank's perspective. An IT company can say you're ready, but banks will require you to prove you're ready.
This results in what we like to call the ‘Reverse Priority Problem’.
The reverse priority problem goes like this: For the last 20 years, IT companies have prioritized IT security like this:
- Security (a little)
- Documentation (even less)
Banks and Insurance companies expect things in this order:
So as you look at your technology environment, what do you see as a priority?
Where should you focus your efforts so not to be caught off guard?
To start, your firm will need written plans and policies for:
- Disaster Recovery
- Business Continuity
- Physical Security Controls
- Asset Management and Risk Management
Once you have those in place, you’ll need to define and establish security standards and policies for:
- Password changes
- Firewall Utilization and Management
- Antivirus and Spyware Management
- Desktop Data Security
- Facilities Security
- Network level Encryption
- Secure Access
- Internal and External Penetration Testing
Ironically, the last thing you’ll need to get your arms around will be backups. But what you’ll need here too may surprise you.
Even having a backup system in place will not provide answers for things like:
- Who manages them?
- What’s your data retention policy?
- Can you show proven restoration tests?
- How are offsite storage, access and security handled?
Bottom line, these audits are real, necessary, and require a different approach than most firms are accustomed to. They require unanimous top-down decisions and a thorough documentation deck (two things that aren't always easy for most firms). In 2014, this is very much the 'business of law'. Naturally, some firms will be better equipped to deal with these types of requirements and others will struggle. Where you fall is up to you.
So plan to get in front of the challenge in 2014 and not wait for it to become an internal crisis. These audits take time and keeping them current will be an ongoing effort. Planning ahead can make all the difference.