Surviving the Client Audit: Part I
Client audits have become a significant part of the legal world over the past few years. Over coffee the other day, a firm administrator was stressing over her lack of support from IT in completing one. Data classifications, inventory policies, password complexity, external access, encryption standards. IDS? IPS?!? The terms alone can make your head spin. Luckily we are here to help. This series will start from some general guidelines and go into specific pieces of documentation your firm should have on hand, including downloads of templates!
Our CIO services and managed IT plans include support for client audits. We will sit side by side with you to address the audit questions, provide applicable reports, and help you write any IT policies.
A few general pieces of advice for a client audit:
As much as possible, compile your answers and policies so that they can be reused for future audits. Things like a network use policy and data handling policies can often be used as part of your employee handbook.
Push back on requirements that are overly burdensome, do not apply, or that the firm sees as unnecessary. For example, if the firm works 100% in the cloud, an access-controlled server room may not be necessary. For smaller firms, some of the more complex logging and security requirements can eliminate any profit from the engagement. We have seen a lot of success in pushing back on requirements with even large Fortune 100 companies.
The more specific your policies get, the harder they are to implement. A good example is mobile device encryption requirements. If a client requires the mobile devices of any attorneys or staff associated with their matters to be encrypted, it is easier to implement and manage mobile device encryption for the entire firm instead. That minimizes the need to manage a list of associations and to audit the effectiveness of the encryption policy.