01 Nov Securing Your DMS for ISO 27001 Certification
Increasingly threatened with a loss of client business if they can’t show improved security, law firms today expend scarce resources to respond to exhaustive security audits. As a defense against having to perform these audits, which are both time-consuming and costly, a number of firms are moving to ISO 27001 certification.
Limiting access and strictly defining who can do what with a document is inherent in ISO 27001, which recognizes that one of the biggest challenges related to client security is bullet-proofing your document management system. When law firms can demonstrate that degree of security, it reassures the client and resolves a major pain point for the law firm.
This whitepaper discusses today’s security environment, provides an overview of ISO certification requirements, and examines Prosperoware’s unique approach to securing DMS content, which can help law firms and other professional services organizations on a number of security fronts, including ISO certification and defense against hackers.
The security threat
It’s a perfect storm. Law firms possess incredibly valuable and sensitive information, and the Internet provides a new methodology through which the information can be accessed and pilfered. The growing threat to law firms from hackers has been validated by a number of recent reports in the Wall Street Journal, Bloomberg, and other publications. How big is the threat? The Bloomberg article cites data released by security firm Mandiant, based in Alexandria, VA, which estimates that 80 major law firms were hacked in 2011 (1).
These reports shouldn’t come as a surprise: many law firms have knowledge of critical trade secrets and market-moving events. The right content allows a hacker to trade on inside information—and that’s a powerful motivator. Hacking, in point of fact, has gone from the blood sport of supernerds, who hacked systems just to prove they could, to economic espionage. The bigger the deal, the bigger the effort. Another type of hacker called “hacktivists” attempt to promote political issues through hacking. Both have proven that, once the firewall has been breached, a hacker meets few barriers to data access.
ISO 27001 is an information security management system standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Commonly known as ISO 27001, its full name is ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements. ISO 27001 formally mandates specific requirements for bringing information security under explicit management control. ISO 27001 requires that a firm’s management:
- Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis
Keeping your DMS secure
A critical component of ISO 27001 certification is securing the content in your document management system. However, a number of common practices have made that difficult. In the name of providing the best customer service for their professionals, most firms have created too many super-users (in other words, users who have access to all of the content in the document management system). Weekend warriors want to be able to review client and matter or engagement files, and many of those files hold sensitive information. However, if just one super-user account is broken into, hackers have access to most of the content in the firm. The problem has reached critical mass: limiting super-user access to DMS content is becoming a core requirement for keeping your document management system secure.
Another requirement is inherent in ISO 27001: the need to strictly limit the information available to classes of users like the help desk and IT support staff to what is required to perform their jobs. The “need to do,” like the “need to know,” is predicated on the simple principle that partial access suffices for much of the work revolving around managing documents, clients, matters, and engagements. For example, while IT and help desk users may need access to profile information for documents stored in the firm’s document management system, they don’t need access to the actual content of the documents. In parallel, firms need to limit the functions of this class of user, for example by allowing them to view document security but not change it.
To further strengthen security and defend against acts of malfeasance, firms also need to find a way to automatically enforce the firm’s ethical walls and information barriers. If a user is walled off from a matter, or if the matter is confidential, a process should be established that surfaces any improprieties before the user is granted access to confidential documents.
Where Prosperoware fits in
Prosperoware provides two products whose fundamental elements go a long way towards satisfying ISO 27001 requirements for securing your document management system:
- Milan Help Desk enables you to limit the number of super-users in WorkSite (such as NRTadmins) and granularly distribute WorkSite administration capabilities by granting specific rights to different classes of users on a “need-to-do” basis (such as the help desk, office of general counsel, office staff, IT staff, business analysts, and staff in the records management department).
- Milan Matter Hub enables you to maintain confidentiality at the client, matter, and folder level. Our unique approach makes it easy for matter owners to secure folders and to ensure that access to private information and other client confidences contained in third-party content and email is limited to a “need to know” basis.
Both of these Prosperoware products are based on a security model that balances the user’s need for agility and ease of collaboration with the firm’s need for security. In the Prosperoware model, work-in-progress remains public in a clearly marked folder, such as “working drafts,” (except where confidentiality is truly needed). Email and all other documents, including supporting material from third parties and finished content that is signed and executed, are secured as confidential to the matter or project team. In this model, the ability for professionals to collaborate and to search for prior work product is not impeded.
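As an added example (not Prosperoware’s code and not part of the original whitepaper), the following Python model shows how the access rules described above can be written down and checked: a cap on the number of super-user accounts, “need-to-do” rights that let help desk staff see a document’s profile and security settings but not its content, an ethical-wall check evaluated before any matter data is returned, and a folder model where a “working drafts” folder is readable firm-wide while every other folder is confidential to the matter team. Every decision is appended to an audit list. The role names, users, matters, folder name and cap value are constructed for the example.

```python
"""Toy authorization model for a document management system (DMS).

Added example, not the product's code. Models: a super-user cap,
"need-to-do" rights per role, ethical walls checked before access,
and public "working drafts" vs. team-confidential folders.
"""
from dataclasses import dataclass, field

# Actions a caller can request on a document.
READ_PROFILE = "read_profile"        # metadata only: title, author, matter
READ_CONTENT = "read_content"        # the document body itself
VIEW_SECURITY = "view_security"      # see who has access
CHANGE_SECURITY = "change_security"  # alter who has access

# "Need-to-do" rights per role. Role names are constructed for this example.
ROLE_RIGHTS = {
    "help_desk":    {READ_PROFILE, VIEW_SECURITY},
    "team_member":  {READ_PROFILE, READ_CONTENT, VIEW_SECURITY},
    "matter_owner": {READ_PROFILE, READ_CONTENT, VIEW_SECURITY, CHANGE_SECURITY},
    "super_user":   {READ_PROFILE, READ_CONTENT, VIEW_SECURITY, CHANGE_SECURITY},
}
CONTENT_ACTIONS = {READ_CONTENT, CHANGE_SECURITY}
PUBLIC_FOLDER = "working drafts"  # work-in-progress readable firm-wide
MAX_SUPER_USERS = 2               # policy ceiling, a constructed value


@dataclass
class Matter:
    matter_id: str
    owner: str
    team: set
    walled: set  # users barred from this matter by an ethical wall


@dataclass
class Document:
    doc_id: str
    matter_id: str
    folder: str


@dataclass
class Dms:
    matters: dict
    documents: dict
    roles: dict                      # username -> role name
    audit: list = field(default_factory=list)

    def add_user(self, user, role):
        """Assign a role; refuse to grow the super-user population past the cap."""
        if role == "super_user" and self.count_super_users() >= MAX_SUPER_USERS:
            raise ValueError("super-user cap reached; grant a narrower role instead")
        self.roles[user] = role

    def count_super_users(self):
        return sum(1 for r in self.roles.values() if r == "super_user")

    def decide(self, user, action, doc_id):
        """Return (allowed, reason) and record the decision in the audit trail."""
        allowed, reason = self._evaluate(user, action, doc_id)
        self.audit.append((user, action, doc_id, allowed, reason))
        return allowed, reason

    def _evaluate(self, user, action, doc_id):
        role = self.roles.get(user)
        if role is None or action not in ROLE_RIGHTS[role]:
            return False, "role lacks the right"          # need-to-do check
        doc = self.documents[doc_id]
        matter = self.matters[doc.matter_id]
        # The wall is checked before any matter data, even profile data, is exposed.
        if user in matter.walled:
            return False, "ethical wall"
        if action not in CONTENT_ACTIONS:
            return True, "profile/security view"
        if role == "super_user":
            return True, "super-user"
        if action == CHANGE_SECURITY:
            if user == matter.owner:
                return True, "matter owner"
            return False, "only the matter owner may change security"
        # READ_CONTENT: working drafts are firm-wide, everything else is team-only.
        if doc.folder == PUBLIC_FOLDER:
            return True, "work-in-progress folder"
        if user == matter.owner or user in matter.team:
            return True, "team member"
        return False, "confidential to matter team"


def build_sample_dms():
    """Constructed sample data: fictitious matters, documents and users."""
    matters = {
        "M1": Matter("M1", owner="ann", team={"ann", "bob"}, walled={"carl"}),
        "M2": Matter("M2", owner="dan", team={"dan"}, walled=set()),
    }
    documents = {
        "D1": Document("D1", "M1", "working drafts"),
        "D2": Document("D2", "M1", "executed"),
        "D3": Document("D3", "M2", "email"),
    }
    dms = Dms(matters, documents, roles={})
    for user, role in [("ann", "matter_owner"), ("bob", "team_member"),
                       ("carl", "team_member"), ("dan", "matter_owner"),
                       ("eve", "help_desk"), ("sam", "super_user")]:
        dms.add_user(user, role)
    return dms


if __name__ == "__main__":
    dms = build_sample_dms()
    for user, action, doc in [("eve", READ_CONTENT, "D2"), ("carl", READ_CONTENT, "D1"),
                              ("dan", READ_CONTENT, "D1"), ("dan", READ_CONTENT, "D2"),
                              ("ann", CHANGE_SECURITY, "D3")]:
        print(user, action, doc, dms.decide(user, action, doc))
```

The order of the checks is the point: the role test runs first, so a help desk account can never reach content regardless of matter membership, and the ethical-wall test runs before the folder test, so a walled user is refused even the firm-wide working drafts. Because every decision lands in the audit list, denied requests are visible to whoever reviews the trail.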
Prosperoware’s model takes into account the sensitivity of third-party supporting material, including email, which many professionals—like the general population—consider to be personal in nature. If firms want to encourage staff to file their emails, they are more likely to be compliant if there is some level of privacy and security. The Prosperoware model relieves that tension.
More about Milan Help Desk
Milan Help Desk takes advantage of the ability of the Prosperoware Milan platform to granularly distribute administrative capabilities through web-based services. Milan communicates with the document management server as an administrator and adds another security layer to grant specific rights to different classes of users. The ability to provide granular security control—granting user rights on a “need-to-do” basis—combined with Milan’s robust audit trail, provides critical control for firms seeking ISO 27001 or similar certification.
Milan Help Desk makes it easy for WorkSite administrators and other staff to manage users, documents, workspaces, and groups without compromising security, giving them the latitude to perform a broad range of pragmatic functions, such as imports and exports. Firms control which functions they give to staff, and staff cannot view content unless they have export rights.
- Locate and manage users and metadata
- Locate and manage documents and workspaces
- Remotely check in documents
- Import and export documents in bulk
- Re-file workspaces and files for security, metadata
- Respect ethical walls
- Track every action of every user
- Monitor the health of the environment
More about Milan Matter Hub
Milan Matter Hub introduces the concept of an owner for every engagement or matter and, without sacrificing firm governance, gives the owner responsibility for identifying team members, managing folder structures, and keeping sensitive information confidential. All of these processes are seamless: none require the support of an administrator.
- Owners have full control over their folder structures under firm standards
- Owners can control the security of folders and sub-folders as well as workspaces
- Owners add new team members with ease
- New team members are granted immediate, automatic access to the content they need
- Work-in-progress can be shared outside the team without risk
Each firm determines the flexibility it wants to give its professionals, ranging from complete flexibility to fixed requirements. Firms can establish information barriers and ethical walls in Matter Hub or integrate Matter Hub into other wall systems. In parallel, Matter Hub maintains data integrity to make sure that content filed in the workspace matches the metadata of the folder.
- Streamline folder management
- Let teams manage their own security
- Streamline change processes
- Establish policies for ethical walls
- Improve document and folder hygiene
- Manage My Matters and workspace subscriptions
- Stage deleted files in a recycle bin
(1) “How Law Firms Can Combat Hacktivism” Law Technology News, July 5, 2012