
Third-party risk assessments in Legal: SIG, SOC-2, ISO 27001 and other stories

Published by Sabrina Pagnotta on May 7, 2020

CISOs learn about new data breaches and ransomware every day. So they put more pressure than ever on their third-parties to provide evidence that they have a strong cybersecurity program. With all the different types of assessments and certifications out there, what is the definitive proof that a third-party can be trusted?

“The more we can assess and test security, the more able we are to calculate the risk of choosing a certain third-party”, says Jon Washburn, CISO at Stoel Rives LLP, and member of the LS-ISAO.

Due to the nature of the services a legal organization needs to secure, it only makes sense that law firms request in-depth certifications and assessments from the vendors that access, process, store and/or transport their data, whether those services are delivered with technology installed on premises or in the cloud. Clients put the same pressure on their outside counsel, increasingly requiring a similar level of certification and attestation from their law firms that their security programs are well developed and that their controls are strong.

Some clients even get deep into insurance requirements, or management of fourth-party risk (including subcontractors and their sub-subcontractors). “Everybody wants to manage that risk somehow, but I don’t think everyone has quite figured out exactly how”, acknowledges Mr. Washburn.


As an experienced executive in the information security field who leads the Stoel Rives LLP information governance and ISO 27001-certified security program, Mr. Washburn thinks that “learning what the vendor is like on the inside using questionnaires or self-assessments” might not be enough.

“I want assurance from a third-party that someone has looked at their organization and verified that they are not just good at identifying strong cyber security controls, but at implementing them”, he states.

Below is a recap of the conversation we had with Jon around ways to assess third-party risk within the legal services industry.

Mr. Washburn, how can a company make sure a third-party meets the necessary security requirements?

One of the things we see a lot when we ask for documentation, especially from smaller organizations, is that they’ll send us their data center provider’s SOC report or certifications. My response to that is, ‘I’m glad you chose a reliable data center provider, but that doesn’t tell me anything about your controls’. That’s the moment when they usually realize they don’t have a mature program in place to be able to demonstrate to us that we can trust them.

Any good security program relies on a qualified external party to regularly perform audits. I regularly pay other people to come and check us to make sure we’re doing the right thing, because I want to have a strong cybersecurity program. I expect our vendors and third-parties to do the same, and at least annually use an external, neutral, qualified auditor to assess them and confirm that they have implemented strong controls – most often either by certifying to an international standard such as ISO 27001, or by being assessed against the Trust Services Criteria used in a SOC audit (or both).

Depending on the level of risk, there are times when we might accept a self-assessment/response to a questionnaire while onboarding a vendor, provided they are also able to include the executive summary from their two most recent third-party penetration and vulnerability test assessments.

What’s the value of having an external auditor check cybersecurity?

Having an unbiased qualified assessor come in and objectively audit a program against an established standard can help us determine how well an organization’s cyber security program has been designed and implemented.

It doesn’t make sense for our organization to assume the expense of annually performing our own audit of every third party. Instead, we expect our third-parties to pay a certified qualified auditor to assess them every year and then share that result with all their customers as required. It cuts down the time it takes for them to respond to audits by their customers because they have one audit that they can share with everyone, and it eliminates the need for each of their customers to individually expend resources on third-party auditors.

What certifications are needed to assess a third-party within the legal services industry?

It depends on the services, and the degree to which you intend to warrant strong information security and governance.

In our case, the third-parties we depend on the most to store, transport, and process our information need to at least annually provide SOC-2, Type 2 attestations. Depending on the type of information accessed, additional certifications such as ISO 27001, ISO 22301 and HITRUST CSF may be required. Cloud services where we store backups, host data and collaborate on files also have to comply with data privacy regulations such as HIPAA, GDPR and CCPA.

What about organizations that don’t have certifications? Where do they start?

As a member of the LS-ISAO, I’ve been hearing a lot of conversations around the Standardized Information Gathering (“SIG”) questionnaire from Shared Assessments. It’s a great starting point for an organization to benchmark its cybersecurity program, and it can be combined with the executive summary from their last two penetration/vulnerability assessments to provide a foundation for establishing trust in their program with their customers.

I think every organization that has confidential information, and wants to show that they are taking cybersecurity seriously, should be engaging a qualified auditor to audit their cyber security program at least once a year.

Sabrina Pagnotta, Sr. Content Strategist