Cyber Security Auditing for Law Firms
A PDA Legal cyber security audit analyses the key controls that protect your information and data against breaches and other threats.
Cyber Security Audits Benefit Your Organisation’s Information Security and Data Protection Integrity.
PDA’s audits provide an in-depth, plain language report setting out the aspects requiring improvement, feedback on policies and procedures, and practical guidance. Many of our clients request a cyber security audit ahead of a formal ISO or Cyber Essentials assessment.
Our Cyber Security Audits Cover Your Documented Controls For:
- Risk Management Reviews: Assessment of your organisation’s current information security and data protection risks and processes. This includes checking that your organisation keeps an adequate risk register that covers information security and data protection risk, and that it is reviewed regularly.
- Training: Identifying where regular training has taken place within your organisation, checking that the training is appropriate to each role and is evaluated, and identifying any areas where additional cyber security training is required or would be advantageous.
- Firewalls and boundary controls: Checking that every device on your network is protected by a suitable firewall or equivalent boundary control, including blocking inbound connections where appropriate.
- Secure network configuration: Checking that the organisation’s computer systems and devices are securely configured, and that suitable processes, policies and safeguards are in place for removable media.
- Safeguarding against malware: Ensuring your organisation keeps malware protection up to date on every device that uses its network.
- Managing software patches: Reviewing your process for ensuring that software patches are reviewed regularly and applied in a timely manner, so that known vulnerabilities are not left exposed.
- Map of personal data: Reviewing your systems and controls for managing personal data, including checking that you have a clear understanding of what data you hold, on what lawful basis, who has access to it, where it is stored and for how long it is retained.
- File sharing: Your organisation must have working controls for the use of encryption, document vaults or other systems for the secure transfer of files and information. This includes controls over the use on your network of removable media such as USB devices, flash drives and DVDs.
- Control of user access: The controls and procedures you have in place for adding, changing and removing user accounts and their associated access rights.
- Use of internet, email and messaging services: Your policies on acceptable use of email, internet and messaging services. We also review your policies on spam/junk handling and your email rules on thread length and data retention timeframes.
- Home working and remote working: All remote and home workers must have up-to-date security training, with controls in place so that they can use their devices safely away from the office.
- Business continuity: Maintaining a continuity plan that recognises the different kinds of threat that can affect information and data security.
- Threat management: A documented mechanism or system for reporting threats and attacks, both before and after an attack occurs.
- Breaches and breach registers: Recording information on security breaches and near misses in your organisation.
Our Cyber Security Audit Process:
Typically, our cyber security audits take place in two stages, both conducted on a transparent, scheduled, fixed fee basis, so you know how much to budget for and what to expect from us at each step.
Step 1 - Desktop Review & Gap Analysis Report
Our clients have told us time and again that our audit reports are the most detailed, but easy to digest, that they have ever received.
We start by reviewing your documented controls, and the records that evidence them, and provide you with a written Gap Analysis Report.
We don’t simply peruse your cyber security policy; we examine a host of supporting documents and records as well, including:
- Any cyber security risk assessments you might have previously conducted
- The policy for staff training on cyber security
- Staff training records
- Reporting and monitoring procedures
- Senior management and DPO reports on cyber controls
- Software and permitted apps registers
- Registers of personal data
Step 2 - Onsite Visit and Audit
After the desktop review has been completed, we usually follow up with a visit to your offices to examine the controls in action.
We then add our findings to the Gap Analysis Report to provide you with a written narrative of where your practice stands with its cyber security controls and the next steps to resolve the gaps. The list of aspects that we examine is long and thorough, and includes:
- Conducting file reviews to examine how cyber security controls operate in the ‘real world’
- Taking stock of the office premises, to consider physical factors that affect information and data security
- Examination of the training records and training programme that support cyber security controls
- Examination of the risk register
- Examination of the register of breaches and near misses, and of the regular reviews of risk data
- Reviewing historical cyber security findings and trends
- Meeting with staff to understand their perspective and to test their application and experience of controls
- Meeting with supervisors, Heads of Department, and others in responsible roles
Pricing
We strive to provide you with unparalleled value through services that are bespoke to your practice.
Our pricing is competitive and transparent, and it is tailored to the scope of the work that we do for you.
Wherever possible, we conduct work on a fixed fee basis.
Members of our free-to-join Best Practice Group receive a substantial discount on all of our services.
Once the audit has been completed, we can also support you with resolving any issues through our cyber security consultancy services, and training.
Why Work With PDA Legal?
The PDA Legal Team:
- Is proud to have over 25 years’ experience in the legal sector
- Has supported over 500 legal organisations
- Conducts all discussions with you in strict confidence
- Operates, wherever possible, on a fixed price model with project scheduling
- Offers a free, no obligation initial consultation