
Legal IT Pros Should Take Note of the NIST Cybersecurity Framework

One of the National Institute of Standards and Technology’s (NIST) key strategic initiatives has been the development of clear guidelines to help organizations manage cybersecurity-related risk. A growing number of U.S. federal agencies have adopted this cybersecurity framework for purposes of securing their own systems and their third-party contractors’ systems as well.

The NIST Cybersecurity Framework lays out a comprehensive structure for data security technologies, processes and controls. This framework provides an approach for managing data security today and a roadmap for improving data security in the future by identifying a number of core functions for organizations to address in their IT systems and processes. These areas include identifying known cybersecurity risks, detecting the occurrence of a potential breach, responding to a cybersecurity incident and restoring any organizational capabilities that were impaired during a breach.

The NIST Cybersecurity Framework is already shaping the creation and implementation of data security protocols and access management controls for federal agencies. These agencies are also diligent in their efforts to protect their information maintained on third-party-contracted systems, such as those maintained by outside service providers. Legal IT professionals should consider applying the framework to complement their own data security strategy.

While use of the NIST framework is not required by law, the benefits of voluntary implementation of this approach to cybersecurity strategy are significant. In addition to the rising adoption by federal agencies, many corporations in heavily regulated industries are moving to the NIST framework as well.

For example, leading financial institutions such as Goldman Sachs and Bank of America have adopted the NIST framework to ensure information security controls are addressed. Moreover, these companies strongly suggest that their third-party service providers adopt the framework to help assist in protecting their confidential information. The lesson for legal IT pros is that your clients are looking for assurance that a robust information security framework is being adopted to secure your IT systems and assist with structured compliance requirements.

Legal IT Today #26

In our discussions with U.S. law firms, we urge them to consider the NIST Cybersecurity Framework as the optimal model to use in building out their IT security approach. It is a model that functions more like an ongoing feedback loop than a set of fixed system controls or certification standards. Those kinds of technical standards may provide important rules for guiding your firm’s IT workflow and instilling confidence in your IT systems, but they were never designed to guide an organization’s overall information security strategy. The NIST framework delivers this robust approach to planning as well as the granular controls for implementation.

In addition to the fact that federal government agencies and leading American corporations are moving to adoption, the NIST framework should capture the attention of legal IT professionals because it is a complete representation of an information security program. It covers everything on a law firm’s data security “worry” list, from physical security to business continuity to access controls. This broad roadmap ensures that potential areas of information security concern are at least considered, forcing you deep into the weeds to cover possible information risks and process issues.

In short, the controls within the NIST framework are both comprehensive and granular enough to help mature your data security program. We all know that law firms are viewed as attractive gateways to valuable client data, which makes them daily targets for cybercrime and targeted data breaches. In fact, the ABA reports that one in four law firms acknowledge having been the victim of a data breach at some point.

The NIST Cybersecurity Framework is a management tool for legal IT professionals to guide the review, documentation, and assignment of responsibility for the major areas of IT information security. Major federal agencies and leading American corporations are moving to this approach for information security. For those law firms that have not yet taken note, it might be time to consider a new playbook for the protection of IT systems and processes.

Ken Kulawiak is Vice President of Information Security and Technology for HBR Consulting. Ken provides guidance on the security strategies implemented for HBR Managed Services clients, as well as HBR Consulting’s approach to information governance, information security, data privacy and technology. Prior to joining HBR, he served as a Chief Information Security Officer and led the Information Governance and Risk teams for financial institutions. For more information, please go to

Copyright © 2023 Legal IT Professionals. All Rights Reserved.
