2. Moderator:
Mitch Hungerpiller, Mitchell-Wayne Technologies
Panelists:
Mark Abendroth, Abendroth & Russell PC
Anna Alvarado, Couch, Conville & Blitt
Brenda Majewski, Kohn Law Firm S.C.
3. 1. Where does your firm compare with information technology best practices?
2. What are those best practices that help you survive a security audit and satisfy audit exceptions for compliance?
3. What does it cost for all this security and best practice deployment and management?
• Hear from our very experienced panel on successes and war stories to be better prepared to face your IT issues and audit within your budget!
4. IT Compliance from a
Vendor’s Perspective
By
Mitch Hungerpiller, Sr. CPA
President & Founder
5. IT Best Practices & Civil Procedure
• The December 2006 amendment of the Federal Rules of Civil Procedure (FRCP) 34(a) and 34(b) cites retention policies for electronically stored information (“ESI”) used in the normal course of business for discovery in litigation.
– This is driving the compliance audits
– Comply with e-discovery required practices or pay the piper
– Deleted data NEVER goes away
6. IT Management Viewpoint
• The optimal environment for stable systems is to NOT CHANGE them!
– Compliance mandates that patches be applied weekly for Microsoft OSes
– Compliance mandates that firmware be updated on firewalls within a reasonable period of time
– Compliance mandates that policies be followed whenever something changes
– Compliance mandates that all antivirus, antimalware and content filters be updated & maintained daily
7. IT Professionals Do NOT Make Policy
• IT professionals program, support and maintain systems that automate tasks
• IT professionals translate business policies and program systems to comply with those policies
• IT professionals carry numerous core competencies and skills similar to law, medicine, accounting and engineering
• Business policies of collection law firms and agencies are created at the firm or agency level
9. IT Compliance Budget Busters
Network & Facility
• Security
– email appliances
– network
– data-at-rest encryption
– certificate maintenance
– PCI scans
• Change Control
• File Integrity Monitoring
• Voice & Video Recordings
Business Continuity
• Image-Based Backups vs. File-Based Backups
• DR Restores Off Premise
• Vaulting of Backups
• Internet Bandwidth via Fiber (Full Duplex)
• Competent IT Professionals
10. Summary IT Compliance Best Practices
• Use Microsoft Group Policy to Manage Security
• Automate as Much as Possible
• Review Logs Daily
• Maintain Renewal Dates for Annual Subscriptions
• Use Managed Services when Possible
• Include IT Professionals in Management Meetings
• Budget for Technology Refreshes at HW Warranty Expirations
• Allocate Sufficient Resources for IT
12. • Password security enforcement – Cost = 0.
• The 2014 most popular passwords remained “password” and “123456” (specopssoft.com*). Change often.
• Helpdesk “cost” to reset passwords: $25/user.*
• Increase length and complexity, e.g.: N@rc@2015! vs. Narca2015
13. Malware
• Firewall
• Virus protection
• Employees – are they your weakest information technology link?
– Clicking on links
– Prohibit downloads
– Permissible purpose documentation. Business resources.
14. Cellphones, TCPA Scrubs, Dialers
Next up: wearable technology – policies and permissible purposes
Get SMART
• Specific – target a specific area for improvement.
• Measurable – quantify or at least suggest an indicator of progress.
• Assignable – specify who will do it.
• Realistic – state what results can realistically be achieved, given available resources.
• Time-related – specify when the result(s) can be achieved.
15. Issue: Employee desktop activity in the Firm's Accounting Room is not viewable via their surveillance (CCTV) system. The camera view in this area is able to identify employees at their desks, but does not capture their payment posting activity.
16. PCI requirements – when two clients conflict
• One client gives you one login
• What does “/” mean – “remove and disable” or “remove or disable”?
17. Retain docs and SOPs that control the date of the action that occurred – don’t retain only the newest SOP
Call Recording Retention: 13 months
Calls: 3 months; Call Auditing Forms: 12 months
18. • The American Bar Association’s Model Rules of Professional Conduct, adopted in whole or in part by all states except California, include Rule 1.6(c): “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” (California’s is even tougher.)
20. [Organization chart: Chief Operating Officer; IT Vendor; Department Manager; Database Administrator; Database Administrator]
21. General Best Practices…
• A 3rd-party vendor should be coupled with internal IT staff
• IT professionals/vendors are your support system and you should rely on them as subject matter experts
• We hire IT professionals for a reason…SUPPORT, GUIDANCE but most importantly EXPERTISE
• Ask a lot of questions…most executives only have a general/basic understanding of the IT world, its terms, the equipment, etc.
• Manage expectations of the vendor with continuous and candid communication.
22. Best Practices
Communication
• Monthly calls, or at a minimum quarterly
• Review written expectations…who, what, when, why and how?
• Ultimately IT compliance is the firm’s responsibility
23. Helpful Tips:
Daily/Weekly/Monthly Checklist
• Inspect that the server room, phone systems, internet, email and cameras are functioning properly
• Ensure confirmations for server backups are received and logged daily
• Test locks on all secured doors
• Test alarms for front, rear and server rooms
• Make sure all logs are in place
• Test internet usage for social media and/or other prohibited sites
25. Law Firm Security Issues to Consider
Encryption
• Full disk encryption of laptops and other devices
BYOD (Bring Your Own Device)
• Whose phone is it?
• Software for a remote “wipe”
• Never access a free hotspot at Starbucks
26. Law Firm Security Issues to Consider
Vendor Management
A lawyer should be mindful of the obligation to “act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure…”
ABA Model Rule 1.6, comment 16
27. Law Firm Security Issues to Consider
• How are your vendors managing the data of your clients?
• Written contracts with confidentiality agreements are crucial
• Your clients will want to see these contracts