The Law Society has recently issued some fresh – and arguably confusing – guidance on Cloud security. What are some of the key issues law firms & legal services providers should consider when looking at cloud options as an alternative to in-house IT solutions?

Firstly, the cloud is certainly not new; it is a superb tool if your firm wants a service-based approach to computing. In a nutshell, it should offer stability, flexibility and scalability for all your business requirements. The answer, arguably, is that you have to trust your data to the Cloud provider. The question, therefore, is: do you? Confusing? It is quite simple: we need to understand what risks the cloud provider carries for your business. How do you assess this? Ask some very simple questions:

a) Are they certified to an internationally recognised standard, such as ISO27001?

b) Do they actually understand information security, risk and risk management?

Of course plenty more questions can be raised, but let’s consider why this is a good place to start for firms: it enables firms to understand the objectives of key principles such as:

  • Preserving confidentiality of information
  • Integrity of information and security
  • Availability of information and services
  • Regulatory and legislative requirements.

ISO27001 means security is a core component of the business structure and that security risks are identified. However, firms must check what the overall ISO27001 scope covers; i.e. does it protect the assets used for provisioning cloud services, or is it restricted to unrelated assets? Ask the Cloud provider for the ISO27001 certificate, which will outline the scope.

ISO27001 means the cloud provider should have reviewed all their assets, which would highlight any business risks. Some risks will be controlled by internal processes, but some may be within the accepted risk level; either way, all risks will be documented, along with the level of risk that is accepted.

Security risks can affect any asset, no matter what preventive measures are in place. Therefore, it’s about a proactive approach to identifying risks in a timely manner. The provider will need to monitor and measure each risk continually. Documentation must be updated and reviewed, and plans for new policies and objectives must be created to ensure continual improvement. Firms can request to see the company’s information security policy, which will outline management’s commitment to information security. When firms hand over their data there needs to be trust, and the relationship is key.