The CISO-advisor secondment at Browne Jacobson starts properly tomorrow morning. I have been in conversations with the firm since June and through-and-around the formal arrangements since August; the engagement letter went in on the seventh and the first proper week is next week. I will write about the engagement here with the usual confidentiality, which at a UK law firm is rather firmer than my usual confidentiality, but I want to record what makes the legal sector specifically interesting because the public material on information security at law firms is thin and the structural problems are not the same as the public-sector or commercial cases I have spent the past ten years on.
The headline observation is that a UK law firm of any size carries a regulatory load that is substantially heavier than that of most equivalent-sized commercial organisations. SRA scrutiny — the Solicitors Regulation Authority's principles and code of conduct — sits over every aspect of how the firm handles client material, and the SRA's view of "proper administration of client confidentiality" is not exactly the same as ISO 27001's view of access control or PCI DSS's view of cardholder data, even where the technical controls are similar. The firm also runs, because of public-sector work, parts of the LEXCEL practice-management standard, parts of the ISO 27001 controls regime, parts of the PCI DSS scope where there is card-payment infrastructure, and parts of the NHS Information Governance Toolkit where there is health-related public-sector work in scope. Most of those frameworks have something to say about access to client data, and they do not all say the same thing. Reconciling them coherently into a single set of operational controls is the actual job of a CISO-advisor in this kind of organisation, and it is more interesting than any single-framework engagement I have worked on.
The technical question that has been preoccupying me as I draft the first month's brief is e-discovery and litigation hold. Law firms hold client material for years — sometimes decades — and the structural question of "how do you make this material available to the case team that needs it without exposing it to anyone else" is a question that the firm has answered well in some places and less well in others. The historical answer was paper and Chinese walls; the present answer involves significantly more SaaS infrastructure than I am completely comfortable with, and the question of whether the SaaS providers' security postures are adequate to the SRA's expectations is one I will be working through over the next several months.
There is a related question about source protection, which is the same question I have been looking at on the News International engagement but in a different shape. Lawyers do not have sources in the journalistic sense, but they have privileged-and-confidential client communications which sit under an analogous protection regime, and the technical implementations of "this material is privileged" tend to be either non-existent or implemented as a tag-and-pray model in document-management systems. There is a piece of structural work to be done on what privileged-document handling actually means at the file-system and application layer, and I am hoping to get clearance to write about it in general terms over the coming year.
The third thing — and this connects to the broader privacy and encryption focus I committed to in January — is encrypted communications between the firm and clients. The SRA's recent guidance is that secure-by-default communications between solicitor and client should be considered standard practice. In practice, what most firms have is "solicitor's email account on Outlook, client's email account on whatever, no encryption beyond TLS-in-transit which the client cannot see and may not have anyway". The honest assessment is that this is not adequate to the SRA's stated expectation, even before considering what Comodo and DigiNotar have done to the trust assumptions behind TLS-in-transit. Browne Jacobson is asking the right question about this, which is a useful starting position; the answer is going to take some quarters to work through.
The shape of the secondment portfolio is now Towry Law (financial advisory, since August 2010), Northcott Global Solutions (austere-environments security, since April 2010), News International (since late July), and now Browne Jacobson. Plus the Hedgehog client base, which has been roughly constant at six to eight active engagements through 2011. The portfolio is at the upper edge of what I can deliver as a single practitioner; the conversations about scaling Hedgehog properly have moved on through the autumn and I expect a decision in the new year. There is more to say about that when there is something concrete to say.
The next post will probably be Duqu, which is starting to look operationally substantial, or whatever the next CA-trust-model story is, depending on which moves first.