Controlling access to law firms’ physical and information assets is the cornerstone of information technology security (aka cybersecurity). The primary reason for implementing an access control program is to ensure the availability, integrity and confidentiality of the data on law firms’ systems.
An effective access control strategy defines who can access a firm’s system, what resources they can access on that system and what operations they can perform with those resources. It also creates an audit trail to provide accountability.
The default stance I’ve observed at many law firms is called allow-by-default. This strategy allows access to all systems and data unless there is a need to restrict access. This approach enhances the availability of data at the expense of confidentiality and integrity. A more secure approach is deny-by-default, which restricts access to all data unless there is a specific need to grant access. While this increases the integrity and confidentiality of the data, there is a cost to availability, as management and administration requirements increase.
When defining assets, users and the type of access required by each user, the principle of least privilege should be used to ensure that only users with legitimate business needs are given access to data, and that the access granted is the minimum required to accomplish their tasks. Classifying the firm’s data will ensure the appropriate levels of protection are applied to data based on the risk of compromise, instead of applying the same level of protection to all data.
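To make the two stances above concrete, here is an added example (not from the original article or any firm's real system) of a small policy checker that evaluates each request deny-by-default against explicit least-privilege grants and data classification, records every decision in an audit trail, and, for contrast, shows how allow-by-default only blocks what someone remembered to forbid. The roles, resource names and classification labels are constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical classification scale: a higher number needs stricter protection.
CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 2, "privileged": 3}

@dataclass
class Resource:
    name: str
    classification: str

@dataclass
class Grant:
    role: str
    resource: str
    operations: frozenset  # least privilege: only the operations the role needs

@dataclass
class AccessControl:
    grants: list
    clearance: dict  # role -> highest classification that role may reach
    audit: list = field(default_factory=list)

    def _log(self, role, resource, operation, decision):
        # Every decision, allowed or denied, is recorded for accountability.
        self.audit.append((role, resource.name, operation, "ALLOW" if decision else "DENY"))
        return decision

    def deny_by_default(self, role, resource, operation):
        # Denied unless an explicit grant exists AND the role's clearance covers
        # the resource's classification. Unknown roles fall through to "public".
        level_ok = CLASSIFICATION[resource.classification] <= CLASSIFICATION[self.clearance.get(role, "public")]
        granted = any(g.role == role and g.resource == resource.name and operation in g.operations
                      for g in self.grants)
        return self._log(role, resource, operation, level_ok and granted)

    def allow_by_default(self, role, resource, operation, explicit_denies):
        # Contrast: allowed unless someone wrote a matching deny rule.
        denied = (role, resource.name, operation) in explicit_denies
        return self._log(role, resource, operation, not denied)

def sample_policy():
    """Constructed sample: two roles and a privileged matter file."""
    grants = [Grant("paralegal", "matter_files", frozenset({"read"})),
              Grant("partner", "matter_files", frozenset({"read", "write"}))]
    return AccessControl(grants, {"paralegal": "confidential", "partner": "privileged"})

MATTER = Resource("matter_files", "privileged")
```

Running `sample_policy().deny_by_default("paralegal", MATTER, "read")` returns False because the role's clearance stops at "confidential", while the same request under `allow_by_default` with an empty deny set returns True.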
Access control is an important part of a firm’s layered security approach that may also include firewalls, passwords, encryption and intrusion protection systems. Developing a layered, or defense-in-depth, approach to security increases the likelihood that a single system’s failure will not compromise the availability, integrity or confidentiality of a law firm’s data. It also allows the other security systems to work more effectively as access to resources has already been restricted to pre-authorized groups.
Information security and integrity are of utmost importance to law firms. Implementing an access control program as part of a defense-in-depth cybersecurity strategy is highly recommended to keep law firms’ systems safe from unauthorized use and abuse.