Information access security compliance for the legal sector

Case/crime data

Legal professionals have access to client data

Access needed

Can only access the files they need to their job

Specific access

Have a specific level of user access which restricts their access to certain files and folders

Level of access

Believe that they have a level of access which is greater than necessary

Monitoring specific file access

Legal workers are aware of their organization monitoring or tracking access to specific files and folders

Monitoring specific actions

Are aware of their organization monitoring specific actions (copying, moving, deleting) when accessing specific files and folders

* Research in the legal sector in the US and UK (250 in each)

What are legal and law enforcement agencies doing to ensure employees have only the necessary access to sensitive data?

We have discussed the importance of integrity and reputation and the very reputation of legal practices and law enforcement agencies rests on their ability to protect personal, criminal and case data. It is so important that it no longer is just an IT problem but a whole-organisation problem and everyone has a part to play in protecting this information.

Having access to information

The ISO 27002 information security guidelines are intended to help organisations implement, maintain and improve information security management and one of the procedures states that an access control policy should be established, documented and reviewed. This means that access control should be specified to specific users and user groups. The research showed that 81% both in the US and UK have access to data that is necessary for their role.

ISO 27002 also recommends that organisations have a process that authenticates and authorises functions, such as access to information that employees need in order to do their jobs but not more than that. However, it was worrying to see that 25% of professionals both in the US and UK have access that is greater than necessary.

There is a responsibility to protect case and crime data from risk of loss through a breach, such as a cyberattack, and managing access to files and folders on a role-specific level, plays an important part. We can see that some legal organisations have awakened to this key issue as 44% (US) and 37% (UK) of professionals have a specific level of user access, meaning they can access some files and folders but not others. These numbers are fairly low indicating that the industry as a whole has a quite a long way to go.

Monitoring file access

Once legal firms and law enforcement agencies have implemented a process that makes users identifiable, the next step will be to monitor their actions. The research showed that only 36% (US) and 30% (UK) were aware that their organisation monitors or logs their access to specific files and folders. Some organisations may monitor access activities without the knowledge of the employees, mostly to identify unusual movement or deletion of files that may not necessarily be caused by the employee.

Navigation

Introduction
Legal Sector User Security Checklist
Part 1: Executive summary
Part 2: On-boarding new employees
Part 3: Security training, awareness and procedure
Part 4: Network access security
Part 5: Information access and necessity
Part 6: Moving jobs or roles

Check if you are compliant

A Guide to US and UK user security compliance for legal and law enforcement

Information access and necessity