Information and Management Security
The Purpose of this Policy
Information security policies provide vital support to professionals as they strive to reduce the risk profile of their practice. This policy is intended to assess both internal and external threats so that the practice is not left exposed to unforeseen issues.
Whitestone Solicitors both shares and uses a significant amount of very private information on a daily basis, which is subject to privilege and client confidentiality. Whitestone Solicitors therefore recognises the need to have supporting information security policies in place to protect that data.
Risk management is the fundamental starting point when an organisation looks to take action to protect the information it holds. Having assessed the risk, the practice considers that, whilst the impact of a loss of confidential information would be severe, the likelihood of such a loss is assessed as low.
Main Categories of Information Assets We Hold:-
In relation to clients – clients’ individual paper files; data stored on the case management system;
In relation to the practice – employees’ individual personnel records; banking details of the practice; banking details of individual employees.
The procedures for the protection and security of these information assets are implemented through the software the practice uses.
Whitestone Solicitors acknowledges the sensitive nature of the client information it holds. Disposal of this information is outsourced, and all paperwork is shredded to maintain confidentiality.
The management of firewalls (devices designed to prevent unauthorised access to or from private networks) is outsourced to the IT services provider used by the practice. The practice implements both hardware and software firewall protection: a Draytek router provides the hardware firewall, alongside the BitDefender endpoint security software implemented in March 2017.
Each employee who works from a computer has their own individual password to log in to the computer itself, and a different password is then required to access the practice’s case management system. Each employee’s email account also has its own individual login password.
Malicious software is software used to disrupt computer operation, gather sensitive data or gain access to private computer systems. The practice has in place a procedure for detecting and removing malicious software. BitDefender endpoint security software has been implemented to detect viruses and cyber attacks. If a virus or other malicious software from outside the practice reaches a computer, the software will detect it, immediately contain the threat and send an urgent alert to the IT Consultant stating that external software is attempting to access the computer and make changes. The IT Consultant can then eradicate the threat, and the software continues to check for malicious software at regular intervals.
The following software is used by the practice:-
- Windows Server 2012 R2 (x2)
- Office 365 Enterprise cloud edition with advanced security
- Exchange Server cloud
- Filos Cognito Software Ltd 2015 x86
- BitDefender endpoint security solutions software – cloud based 2017
Office 365 Enterprise and the Exchange Server cloud were implemented in November 2016. All existing PCs were migrated from the old system to the new one, and all staff were trained to use it. Office 365 Enterprise and the Exchange Server cloud work alongside the case management system, which was updated in 2015.
Office 365 Enterprise is a cloud service and email is hosted on the Exchange Server cloud. Both are maintained and updated by the IT Consultant, who tested the equipment and software before the firm began using them.
Training for personnel on information security is given on induction and ongoing as IT changes.
Before any asset, whether a computer or other equipment, is used by the firm, a test is carried out to ensure that it is fully functional and safe to use. A stand-alone ‘sandbox’ testing computer is used to test equipment before it is passed to employees for use.
Where any equipment, whether new or old, is found to contain a virus or any other form of threat (which is very rare, as the firewalls must be penetrated first), steps will initially be taken to remove the virus from the equipment. If that is not possible, the equipment will no longer be considered fit for purpose and will not be used.
When a virus is detected on a computer, the endpoint security software will automatically block it to prevent damage to the computer. The system policy suspends any further activity on that computer, whether by the user or by the malware attempting to gain access. A pop-up alerts the user to the threat and allows the computer to be shut down immediately.
In addition, the IT Consultant responsible for the maintenance and repair of all computers and software can gain remote access to the affected individual’s computer, wherever it is, and remove the virus with minimal disruption. The IT Consultant is available 24 hours a day via telephone, email and fax.
The firm’s new cloud-based endpoint security software was implemented in March 2017. The product is BitDefender endpoint security software, which is purchased annually (renewed every 12 months). Updates and detection reports are sent daily to support staff, who review and monitor the software to ensure that it remains effective and continues to provide maximum protection to all users. The IT Consultant will then advise Management of any changes needed to further secure the firm’s equipment.
The firm also has two laptops which are used on an ad hoc basis. These laptops do not have the case management system or any office software installed and are therefore not equipped for remote access. This was done to reduce the risk of threats and viruses to the laptops, and to reduce the risk of clients’ or staff’s personal and confidential data being breached. Both run McAfee anti-virus software, which is kept up to date and renewed every year.
The firm also has separate network drives for staff and for management, so that sensitive and confidential information stays with the Directors only. Staff use a shared drive which allows them to access and amend each other’s template letters as necessary. The Directors have a separate management drive, accessible only by them, which contains all management information and documentation including HR, meetings, disciplinaries and details of the firm’s management. These drives are maintained by the IT Consultant, who regularly reviews and updates access to them to ensure that there is no risk of access by other members of staff.
Passwords to individual computers are changed on a regular basis, namely every 45 days to 2 months, and more frequently where different users use more than one computer. Passwords are provided to each individual and are not accessible on any other computer. All staff are reminded that their individual computer passwords are to be kept hidden from others; only management and the individual user will have access to the password for a given computer. Staff are advised that, if a password is written down, it must be kept where it is not visible to others. To date there has been no problem with password protection and no computer has been wrongly accessed by another individual.
Aside from the three Directors, the IT Consultant and the individuals themselves, no one else has access to the passwords. The passwords are not words bearing any resemblance to the firm and are therefore not easily guessed. They contain letters, numbers and punctuation marks, and are case sensitive.
Passwords are attached to a particular computer profile and cannot be used by another user attempting to access that profile. Each member of staff has their own roaming profile, which is used at their own workstation; if there is a problem with that PC, they can access their own profile, and only that profile, at another computer.
Software and Information Assets Register:
A central register is used to keep track of all software, computers and servers. It provides a unique reference for each asset and records when it was purchased, when it was checked and, where applicable, when it was disposed of due to malfunction. Please see Appendix 1.
No recent changes have been made to the assets register, as equipment has been running safely and efficiently since the last assessment. The assets register contains details of all new equipment, software and additional hardware purchased by the firm as backup equipment.
Updating and Monitoring of Software:
Where new software or equipment is purchased which differs from that already owned by the firm, all staff are trained on how to use and maintain it and how to check for any software issues. This training is provided on an ad hoc basis as and when new software is purchased by the firm.
New members of staff are trained on all software at induction, and this continues as and when any new software is purchased.
The Managing Director will consider, at least annually, whether the practice’s existing software is still ‘fit for purpose’ or whether the practice would benefit from updating it. The COLP has provided all staff with further literature on cybercrime and how it affects them on a daily basis. The practice has also created an additional policy to raise awareness among staff and to provide them with the tools needed to deal with potential cybercrime.
To ensure that it remains fit for purpose, this policy will be formally reviewed annually by the senior management team. This review process will also serve as a means of continually improving the practice’s approach to managing its staff and supporting their interests.
Date: October 2018
Reviewed November 2019 – the information asset register and the software and information assets register are to reflect that Sadaf Tariq has left the firm and that the Doncaster office is closed.