Last week, we introduced a new series of posts tied to the importance of data security audits at law firms and some of the key things that firms need to understand about their responsibilities. In that kick-off post, we shared some of the overarching trends in data security audits, including the fundamental reality that law firms are seeing a sharp rise in the number and intensity of audits required by clients.
This week, we explore the art of interpreting data security audits.
“There are often competing requirements that law firms need to balance with an auditor who is coming in to assess data security,” said Jeff Norris, CISSP, senior director of data security for LexisNexis Managed Technology Services. “Each auditor has their own view of things so it’s important for law firms to be prepared to interpret the auditor’s questions in a way that most clearly illustrates your data controls.”
LexisNexis recently partnered with Lewis Brisbois to host a CLE panel event in Los Angeles: “How to Interpret and Meaningfully Comply with Audits?” The panelists included: Gordon Calhoun, chair of electronic discovery, information management and compliance, Lewis Brisbois Bisgaard & Smith LLP; David L. Hansen, director of compliance, NetDocuments; Aaron Laderman, regional underwriting manager, AIG; and Norris.
Some highlights of the panelists’ comments included:
- Treat audits as organic
From the perspective of regulators, there is an intense focus on compliance and data security, but there has been an evolution in the approach to data security audits. Data security “is not a destination, but an ongoing process that is continually revisited,” according to Calhoun. As a result, audits are not static but rather organic, consisting of a baseline audit, an annual audit and an audit that typically accompanies a breach or incident response. Insurers, for example, tend to look favorably on firms that have had data security audits conducted, but view them less as a landmark than an assessment at a point in time, according to Laderman.
- Educate the auditor
Auditors are busy professionals, frequently traveling from one site to the next, and are not always fully informed about how technology and data security standards have moved from one day to the next. As technology evolves, noted Hansen, law firms are forced to balance those innovations with data security requirements. It is occasionally incumbent upon the firms to educate auditors about how the new technology they have adopted complies with the latest standards.
- Focus on your controls
At the end of the day, a law firm data security audit is all about identifying the controls that a firm has in place to protect data integrity and to comply with the regulatory frameworks that govern how the firm handles sensitive information. The experts advised that firms should view the audit through the lens of how best to showcase the controls they have in place and how they are prepared to respond to a breach. Different auditors may bring different perspectives to their assessments, but the bottom-line consideration for all of them is the firm's controls.
To view a video clip including the panelists’ discussion about the art of interpreting data security audits, please click here. Next week, we’ll share more highlights from the data security audits panel in Los Angeles.