Department of Justice Guide on Security for Legal Agents
Annex C: Information Technology Security Requirements
Personnel Training and Awareness
Legal agents should put in place an annual onsite or computer-based security awareness training, supplemented by quarterly updates. The security awareness training should emphasize the current policies, procedures and controls the legal agent has in place in order to build employee confidence in the underlying IT infrastructure. It may address a number of pertinent security issues including malware, ransomware, phishing, removable media, passwords, remote access, etc.
Data Protection
The key to data protection is to ensure only appropriate people, with the appropriate screening and need-to-know, have access to data. All others are prevented from accessing this data through a combination of access controls and encryption. Regular backups ensure availability of the data even during unforeseen events (e.g., ransomware attacks).
Network Access and Configuration
A perimeter firewall is typically used to control information flow into an organization’s network. The firewall should be configured to deny all information flow by default and only allow information flows that have been specifically authorized. This firewall should be configured to fail closed. When using Virtual Private Networks (VPNs), two-factor authentication is recommended. In terms of wireless access, device authentication can be implemented to ensure that unauthorized devices, including personal devices, do not have access to the legal agent’s network.
External Service Providers
Some legal agents may outsource aspects of their IT to external service providers. The legal agent must properly vet each of the external service providers to ensure that sensitive data is adequately protected at all times.
Lost IT Equipment
In the event of the loss of corporate systems or devices containing sensitive information, legal agents should have a plan in place to address the incident effectively.
Cyber Assessments
The legal agent should regularly perform a company-wide risk assessment of all access points, networks, users, and other aspects, to identify potential vulnerabilities that can be exploited. This risk assessment should encompass higher risk aspects such as external service providers, remote access, and bring-your-own-device (BYOD).