Kovac, Edwards and Bonar LLP
IT697 Project
Edward Kovacevich
Colorado Technical University
MGMT690
Daniel Latort
February 9, 2015
Table of Contents
PROJECT OUTLINE
  THE COMPANY
  PROBLEM STATEMENT
  PROBLEM IDENTIFICATION
  ASSETS
  FINAL TOPIC
PROBLEM IDENTIFICATION
  RESEARCH METHODOLOGY
  HYPOTHESIS
  RESEARCH
  INFORMATION COLLECTION
  TIME LINE
  RESOURCES
  RISK ANALYSIS
PROJECT PLAN
  RESEARCH EXECUTION
  AMERICAN BAR ASSOCIATION
  COLORADO BAR ASSOCIATION
  SANS INSTITUTE
  INDUSTRY RELATED MATERIAL
  CLOUD BASED V. PROPRIETARY SOFTWARE DEVELOPMENT
  RESEARCH RESULTS SUMMARY
PROJECT EXECUTION
  PROPOSED SOLUTION
  PROBLEM STATEMENT
  PROBLEM IDENTIFICATION
  PROJECT PLAN
  COST BENEFIT ANALYSIS
CURRENT AND FUTURE TECHNOLOGY TRENDS
  MATTER-CENTRICITY
  MOBILE ME
  SECURITY
  FINANCIAL IMPACT
REFERENCES
Project Outline
The Company
Kovac, Edwards & Bonar LLP is a medium sized law firm. The firm has three founding partners, ten associate attorneys, ten paralegals, ten case managers, two legal secretaries, four members of a medical records and litigation support team, one receptionist, an IT manager, an office manager and a human resources manager. The firm has multiple areas of focus including family law, criminal defense, personal injury, employment law, and intellectual property law. Currently the firm has a cross-platform infrastructure and uses both Apple computers and PCs. They are looking to convert their entire system to a single platform, become more mobile and add several attorneys and other support staff (repurposed from CTU Online CS651, 2013).
Problem Statement
The three security principles in information security are availability, confidentiality and integrity (Harris S., Security Management Practice, 2013). The issue we face is meeting the needs of the firm's staff in a highly mobile environment, where people do not want to be chained to an office, while assuring the confidentiality of client information. The question is: how do we maintain the security of information while allowing people to access it from anywhere?
Problem Identification
For many years we have seen a huge shift in technology and the way that people manage their communication and data. This is supported by recent reports from companies like Citrix, which saw "nearly 100 percent revenue growth in the first half of 2014" from large scale governmental departments, hospitals and banking institutions that have turned to its mobile platform XenMobile (Citrix, 2014). As the popularity of mobile devices such as the Apple iOS system (featuring iPhone and iPad hardware), Android based devices and the multi-device functionality of Windows 8 and the hardware that supports it has grown, consumers have embraced this technology and have grown to expect the ability to do more on the go. Because of this, business managers have to find ways to adapt to this new trend, which allows for greater productivity (Strategic Growth Concepts, 2015). As a growing law firm we are finding that our attorneys and support staff are not able to spend countless hours in the office; nor do they want to.
In an effort to meet the needs of our business we must adopt the technology that is available. In order to meet the needs of our clients and comply with the law and rules that govern the practice of law, we must do so in a way that assures the confidentiality of their case information. Client confidentiality is at the heart of the attorney-client privilege (Michmerhuizen, 2007). Because of this we must look at mobility from the standpoint of security. How can we allow our people to access client/case information from anywhere and still assure that a breach does not occur? Or, in the event of a breach, what steps should be taken to mitigate the potential damage?
Assets (reused from CTU CS651)
In a law firm there are several assets that need to be protected. Assets include, but are not limited to, client information, case file information, work product, financial information, various databases, employee records and internal company publications.
Client Information: Attorney/client privilege is the number one rule of law. Barron's Law Dictionary defines this as "the right to prevent disclosure of certain information...especially when the information was originally communicated in a professional or confidential relationship" (Barron's Law Dictionary). The client information to be protected includes everything associated with the clients of the firm, including whom the firm represents and all personal information. Within the firm the various attorneys may know who is working on what case and the names of the parties involved, but aside from that the client information must be protected from unauthorized external and internal access.
Case File Information: When a client retains a law firm they are usually dealing with some sort of legal action, called a case. During the process of intake the support staff will open a case file. In this case file will be all the information related to the parties of the case, the case information and research material. Additionally, there will be a secondary file associated with the case file that contains the actual court material or filings. These files remain under the control of the firm but ultimately are the sole property of the client.
Work Product: Work product is associated with case files but is not necessarily part of the actual material that will be filed with the court. This material consists of any information the client has provided to the firm for any reason and any information that has been gathered through the process of interviews and research. An additional asset to be protected can come into play here, and that is witness lists, expert or layperson. As previously stated, all material in the client file is the sole property of the client when it comes to the work product, save any "legal material" the firm may use in preparation for the case, for example case briefs and internal memorandums.
Financial Information: Financial information in a law firm can fall into two main categories, client and law firm. Oftentimes attorneys are made privy to client financial information, including account and credit card numbers. This falls into the client information category. Additionally, law firms are required to set up many different types of accounts. For example, if Sue Client retains the firm she may be required to pay a retainer of some specified amount. This retainer is a deposit for services to be rendered. The firm must set up an escrow account for this client and deposit the money there. Once the services are rendered the firm can then withdraw money from that account and place it in a payable account where the money can be used for firm business. These are just two examples of financial information.
Various Databases: Databases are the backbone of any business. They control inventory, distribution and customer information. In a law firm this is no different. There are client databases that are used to keep lists of current and former clients. This database is used, in part, to perform what is called a conflict of interest check (ESuni, 2005). According to the Model Rules of Professional Conduct Rule 1.7, an attorney is required to remain free from any conflict of interest. Having the ability to cross-check your clients with potential new clients and parties to actions allows you to remain conflict free (American Bar Association, 2013). Other databases may include reference material. Cases are won or lost on legal interpretation based on how the highest courts in the United States have ruled on any given topic. To find out what these rulings are, support staff will write up short summaries called "case briefs." These briefs are collected and stored in databases for easy reference.
Employee Records: Employee records are the records kept on all staff, both current
and former. Employee information is confidential and includes names, addresses,
contact information, date of birth, social security numbers, tax information and the
like.
Internal Company Publications: Internal company publications include, but are not limited to, employee handbooks, internal and external memorandums, case briefs, legal filings, the firm's website and any other information the firm puts together for distribution by any means.
The research I will conduct for this project will be used to make recommendations for mobile technology solutions as well as to offer solutions to potential problems that will most certainly arise.
Final Topic
I intend to use research, material and ideas from previous courses, both at CTU and through my undergraduate program, as well as working knowledge I have gained in the technology and legal industries. Some of the primary subject areas will include, but not be limited to, cloud-based solutions, access controls, risk assessment and management, and mobile platform deployment (a high-level view without discussion of programming or development). The material I will use will allow for ease of understanding and well formulated analysis and presentation.
Problem Identification
Research Methodology
Hypothesis
In the modern practice of law there is about to be a paradigm shift in the way lawyers want to practice law. We are about to see the first generation of law students and other legal professionals entering the work force who have been raised in an era where iPhones, Androids, Windows phones and tablets as powerful as computers have become the norm in popular culture (Warsi, 2014). If law firms want to recruit and retain top talent, it is important for law firms of any size to adopt this technology and make it part of the norm rather than the exception. The biggest concern for most law firms is the protection of case and client information, and mobility, with all of the possible risks involved, makes it hard for some firms to jump on board with this mobile world. In today's legal environment, with so many tech savvy people coming into the work force, it is possible to establish a secure environment where legal professionals can use cloud computing and application development to meet the needs of people working in a law firm while adequately protecting the confidentiality of client/case information.
Research
Looking at what some law firms have done in recent history is a good research starting line for this topic. This would include looking at various cloud-based services that are well established. Some of these would include the use of Box.com, Citrix, IBM, Amazon and the like. Would it be more cost effective to use one of these services and build a platform within this environment, or to establish the entire cloud-based system in house where it is completely maintained within the confines of the law firm's office space?
Additional research will need to be done to determine the application selection process. There are several companies in the industry that offer client management solutions for law firms. Some of these companies offer a virtual environment that allows legal staff to access the firm's entire network from anywhere, including mobile applications that allow limited access to client/case information. Other companies offer a built-to-suit model that is entirely customizable and can be altered with little notice based on the demands of the business. A look at the total solution of these companies would include down time, customer support, multiple platform availability and cost. Would it be more effective to hire an IT support team to develop and maintain applications that would meet the needs of the firm, or to use a third party vendor?
Information Collection
Research into this topic is more about finding a way to establish secure mobility and less about establishing the infrastructure behind it. The topics of hardware and the establishment of an internally managed network have been discussed in previous papers. Therefore, no time will be devoted to this question. Information on the topic of mobility is widely available online. People from many industries are making similar decisions and have provided a lot of feedback and data that can be tapped into. Looking at vendor websites and contacting their customer support for additional information can help answer questions. Speaking with companies that deal with security, LogRhythm for example, can help shed light on options for development of software from a functional and security standpoint.
Time Line
Week 1: Project overview; identify industry/company.
Week 2: Identify problems faced; create hypothesis; lay out research plan; create research timeline; generate risk analysis.
Week 3: Conduct research and document results; summarize research.
Week 4: Proposal and recommendation; project plan; cost-benefit analysis.
Week 5: Current and future trends analysis; prepare technical research document; finalize project for submission.
Resources
Most of the information needed will be garnered through Internet research into product and service availability. Additional information will be pulled together from past personal experience and interviews with people in the application development, software and security sales industries. Legal resources (law) will be needed that are in place in the jurisdiction where the law firm is located: Colorado. Laws and regulations are laid out in the Colorado Revised Statutes, the American Bar Association's Model Rules for Professional Conduct and the Colorado Bar Association Model Rules for Professional Conduct.
Risk Analysis (reused from Colorado Technical University CS654)
There are several categories of risks that must be considered in any industry. For the purposes of this document we will generalize these risks. Poole College of Management lists the following risks and definitions on its library site (Poole College of Management, 2014):
“Internal Risks
The internal risks category is the one area where a rules-based approach to risk
management may be sufficient to mitigate or eliminate risk. For example, in dealing with
the risk of employee misconduct, an employee code of conduct may steer employees
away from behavior deemed unacceptable by the organization. In this situation, a risk can
be effectively managed through compliance with established rules or policies.
Strategic Risks
In the category of strategic risks, the article discusses three risk management
structures that place a person or group of people in a position designed to challenge
decisions made about risk within an organization, and to facilitate the circulation of risk
information across the enterprise.
External Risks
External risks, unlike internal or strategic risks, are largely out of the control of an
organization. Despite the lack of control over external risks, this article points out that
organizations can still manage external risks by generating ideas about the type and
magnitude of external events that could happen, and by developing a plan for mitigating
the negative impact if such an event actually occurs in the future.”
Probability/Outcome/Duration (CTU)
When dealing with probability we are talking about the likelihood that something will happen. A good example of this meaning can be seen in the daily weather report when we hear the chances of rain or snow. Although this is a very simple explanation, it is easy for anyone to understand. We will use the risk grid above to provide the probability number.
The next step is to address the outcome of an event if it happens. What this means is we will look at how bad it will be if (X) happens. For instance, if the office is in a high rise and a fire breaks out on an upper floor, there may be smoke damage that could cause some problems but nothing that would really halt daily operations. On the other hand, if a major power outage happened and the firm were not able to operate for a couple of days, this could be catastrophic.
This leads naturally into duration. Duration is the actual impact the incident would have on the firm as a whole. Simply put, if an incident has a probability of (X) and an outcome of (Y), then the duration/impact will be the variable based on those two numbers.
A breakdown of this, using the risk grid above, would look something like this:
Physical: 2/3/1
Reduce this risk through preventative measures like locks, alarms, smart keys and other access controls.
People: 5/15/2
Avoid this risk through ongoing training of the staff, including but not limited to the effects of social engineering and ways to avoid it.
Network: 15/20/?
Transfer this risk by seeking to procure new systems. One option would be to use a cloud-based system, but this option presents its own risks and may not be the most viable option.
Each of these risks needs to be managed in a different way. For example, at work I currently work in a VM with a cloud based environment. Just the other day I was in the middle of putting a settlement together and my system froze then logged me out. As it turned out the server I am on failed at the source and the vendor could not tell us why or how long we would be down. The problem is that our phones don't stop ringing as clients still want information and adjusters still want to settle cases. This is duration unknown (?) but has a huge impact on our ability to work (16) and is something that is assured to happen (15). The solution is to change the entire system but that's not something our partners are willing to entertain.
System Design Principles
One of the most vital parts of any security management plan is a stable security policy. The security policy must address the needs of the firm in very specific terms (SANS Institute, 2002). As part of this process it is important to come to an understanding of the risks that the law firm faces in the course of its day-to-day operations. There are several risks that present themselves in this environment. Before diving in you have to understand that risks go beyond a breach of some sort. The risk cube is used across several industries as a way of evaluating the various risks that any business can/will face (LaserLight Networks, 2013).
Evaluating risks can be accomplished by using a risk cube or a grid similar to the one shown below. This grid breaks risk assessment into categories based on severity. The left column represents the probability that something will happen; the bottom row represents the severity of the impact. As you are doing your analysis on a possible event you will give each one two numbers, the number for the probability and then the number for the impact. This will give you the location on the table where that risk lies. From here you will have to come up with a way to mitigate and lower the risk.
Project Plan
Research Execution
In laying out the research and progress, a look at regulations that govern the practice of law on a Federal and State level is required. Additionally, research into cloud-based options will be addressed and weighed against the development of exclusive proprietary software. The following will be laid out in a scholastic notation format wherein a very basic statement of findings will be listed next to a citation or URL. The process is as follows:
American Bar Association
Rules of Professional Conduct
From the home page www.americanbar.org select the Resources for Lawyers tab and the Model Rules for Professional Conduct link. From there select the Model Rules Table of Contents link in the center of the page.
Applicable Rules:
Rule 1.6: Confidentiality of Information
Rule 1.7: Conflict of Interest: Current Clients
Rule 1.8: Conflict of Interest: Current Clients
Rule 1.15: Safekeeping Property (to include finances)
Additional Findings
Google search using the term "cloud-based solutions for law firms."
Article by Joshua Poji titled "The ABC's of Cloud-Based Practice Tools." This provides valid information to consider for modern legal professionals.
Execution
This information will be used in the process of determining if a
possible solution will comply with regulatory standards.
Colorado Bar Association
Model Rules of Professional Conduct
From the Colorado Bar Association home page click on the
“ethics link” then on Colorado Rules of Professional Conduct.
Applicable Rules:
Rule 1.6 Confidentiality of Information
Rule 1.15B Account Requirements
Rule 1.15C Use of Trust Accounts
Rule 1.15D Required Records
Rule 1.16A Client File Retention
Additional Findings
There is an article by Cindy Wolf titled "Getting Your Head Around the Cloud: Does it Meet Ethical Standards of Client Confidentiality?" This article articulates the advantages and concerns that law firms have with regard to cloud computing.
Execution
This information will be used in the process of determining if a
possible solution will comply with regulatory standards.
SANS Institute
SANS Institute is a leading organization dedicated to training and the furtherance of information security. In addition to the training that SANS offers, it provides resources for security professionals to tap into and use for their own research.
Execution
The resource will be used to gather useful resources and
information that can help provide a well-rounded
recommendation.
Industry Related Material
CISSP: All-in-One Exam Guide
Net + Guide to Networks
Execution
These resources will be used to research and discuss issues
related to networking and security.
Cloud Based v. Proprietary Software Development
Below is a list of several options found through the research process. Though fairly comprehensive, there is a larger list of options; this only proves that there are companies currently catering to the needs of law firms.
Google search using the term "cloud-based solutions for law firms." Retrieved a paper written by Andrew Z. Adkins III titled Law Firm Management in the Cloud: Leveling the Playing Field for Law Firms. This paper provides insight into the benefits of cloud-based solutions.
TrialWorks is a VPN cloud-based product that offers CRM, Outlook, a customizable case file management tool and limited access through a mobile application.
"Advologix PM includes group calendaring, docket and activity management, client management and marketing, project and matter management, time and billing, document management, account management, mobile access workflow, customization and integration features. It costs $90 per month per user, and $75 per month for each additional user up to 5 users" (Kimbo & Mighill, 2011).
“Clio offers a dashboard where you can see your upcoming
tasks and schedule at a glance. Users can monitor billing
targets, link tasks to specific matters, bill time directly from
tasks, and run billing, productivity and client reports. It
includes a “client connect” feature for sharing documents with
clients online as well as online invoicing and bill payment.
There is a 30-day free trial and attorney users pay $49 per
month after the trial period” (Kimbo & Mighill, 2011).
Amazon Web Services: this would allow the firm to develop an entire system of needed tools and deploy it within this virtual environment.
Cisco, Citrix (Connectria Hosting) and IBM all have HIPAA compliant cloud-based file management options with technical support. These services vary in capability but do offer local computer as well as mobile application support.
Box and Dropbox offer cloud-based file syncing and management. Both have mobile app support and both have similar drawbacks.
LogRhythm is a company based in Boulder, Colorado. This company can aid in the development of applications, security and other needs of the law office.
Execution
This information will be used to make an overall recommendation as to the direction that the firm should go with its test environments and then with the final recommendations.
Research Results Summary
This research showed that there are a lot of options available for cloud-based solutions for law firms. The biggest concern with using a cloud-based solution is that you cannot be 100% sure if the SaaS is a managed environment or if the company is self-sustaining. The difference is that a managed option is one that develops its entire environment using an environment like Amazon Web Services to build its software and service into, while a self-sustaining company will have the hardware and software completely managed and owned. There are pros and cons to both. The downside is security of information and ownership with either option. The upside is that a lot of these companies will offer multi-platform accessibility and pre-developed applications for mobile use. Just like with every SaaS company, there is significant start-up cost and the time to recoup your investment is longer with a subscription model, so cost becomes a major factor.
Companies that have sensitive data lean much more towards on-premise software.
It is a long educational process to convince a whole industry that they should take
advantage of secure data centers and services (Totally would start with Amazon Web
Services) and that they ultimately will have better security by in essence outsourcing
security to Amazon.
Good and bad that it is a very targeted market. There are a dozen decent sized
firms in every market and 3-4 of them are National like Sherman and Howard, Holland
and Hart, etc. That means it is actually pretty easy to get in front of your target audience.
The downside is that your market cap isn't going to be that big... will need to look towards architects, accounting and professional services firms like Accenture to be big enough to sustain a business.
The culture of law firms is set up in such a way that it actually inhibits innovation.
The big firms (the target market) actually like their younger lawyers tied to the office.
The partners actually could give a shit about anything that increases efficiency because it
would just reduce billable hours in most cases. The more time it takes them to get stuff
done, the more billable hours they have. Lastly, they hate to spend money on anything
that they can't bill back to the client. It is totally crazy, but as an industry they spend less
on marketing and IT than any other industry as a percentage of revenue.
The research done for this project is measurable in terms of what has been done and how the process was completed. Time was not kept for the purposes of knowing what could be considered billable hours, so there is nothing tangible related to time that can be tracked. Overall, however, the research furthered the end goal of the project.
Project Execution
Proposed Solution
At this point all the research has been conducted and possible solutions are ready
to be offered. Before we get to these possible solutions a look at the actual issue being
addressed is appropriate.
Problem Statement
The three security principles in information security are availability, confidentiality and integrity (Harris S., Security Management Practice, 2013). The issue we face is meeting the needs of the firm's staff in a highly mobile environment, where people do not want to be chained to an office, while assuring the confidentiality of client information. The question is: how do we maintain the security of information while allowing people to access it from anywhere?
Problem Identification
For many years we have seen a huge shift in technology and the way that people manage their communication and data. This is supported by recent reports from companies like Citrix, which saw "nearly 100 percent revenue growth in the first half of 2014" from large scale governmental departments, hospitals and banking institutions that have turned to its mobile platform XenMobile (Citrix, 2014). As the popularity of mobile devices such as the Apple iOS system (featuring iPhone and iPad hardware), Android based devices and the multi-device functionality of Windows 8 and the hardware that supports it has grown, consumers have embraced this technology and have grown to expect the ability to do more on the go. Because of this, business managers have to find ways to adapt to this new trend, which allows for greater productivity (Strategic Growth Concepts, 2015). As a growing law firm we are finding that our attorneys and support staff are not able to spend countless hours in the office; nor do they want to.
In an effort to meet the needs of our business we must adopt the technology that is available. In order to meet the needs of our clients and comply with the law and rules that govern the practice of law, we must do so in a way that assures the confidentiality of their case information. Client confidentiality is at the heart of the attorney-client privilege (Michmerhuizen, 2007). Because of this we must look at mobility from the standpoint of security. How can we allow our people to access client/case information from anywhere and still assure that a breach does not occur? Or, in the event of a breach, what steps should be taken to mitigate the potential damage?
Throughout the discussion that has been going on with the partners of Kovac, Edwards & Bonar, we have looked at creating a self-contained network that will allow the firm to maintain control of its data while allowing for the adoption of mobile technology. In recent discussions we have talked about and looked into remote services as well as cloud-based options wherein we can develop a platform that meets the needs of the business. The proposed solution may be a combination of maintaining a foundation of the network in house, procuring or developing tools for client, file and data management and time keeping, as well as using a cloud-based service to act as a VPN that will allow staff access to needed resources from anywhere. This would rule out the use of a service that would essentially leave the ability of the firm to function in the hands of a third party (i.e. TrialWorks®).
Solution Strategy (repurposed from CTU Online CS661)
Thus far, we have dealt with several aspects of the firm's information assurance needs. In this section we will deal with the implementation strategy and the high level recommendations of this implementation. To recap the needs of the firm:
The majority of the firm's IT needs are outsourced and a great deal of time is lost due to denial of access.
The firm would benefit from bringing the majority of its information technology in-house.
The infrastructure needs to be put in place to meet the current needs as well as meet the demand of future growth.
Separation of resources, employee and client information as well as documents so as not to allow for unauthorized access.
Separation of servers based on content, firewalls to deny access, sniffers to monitor traffic, IPS/IDS to send alerts in the event of some sort of intrusion.
Strong password policy with time specific expiration.
Regular log reviews and time frames for the updating of software to ensure that anti-virus/anti-malware software remains current.
Review software that is being used to decrease the likelihood of risk through undetected vulnerabilities.
Set in place policies that comply with State and Federal Regulations (HIPAA and DPNA).
Participate in PCI DSS to ensure the best possible compliance with a well-established standard of payment card security.
Project Plan
Recommended Priorities (Repurposed from CTU Online CS661)
Recommendations are to begin with getting all of the hardware in place based on the PCI DSS standards. Setting up the foundation has to be the first priority because it is from this foundational level that everything else is established. After all of that hardware is in place, I recommend that we deploy the monitoring system on all necessary systems and individual clients, that we deploy all IDS/IPS mechanisms, and that all firewalls are established as well as the network DMZ. Once the hardware and security mechanisms have been put in place, the next priority is to establish servers to maintain various data and resources. This will allow for an easy transition from what is being replaced to this new system. As part of this entire set up, my recommendation is to establish the system wide server that will manage users with a single sign on (SSO). The SSO will make it easy to see who is accessing what and to trace back to a source if an incident happens. Once all systems are in place they should be tested to assure that they comply with HIPAA law. This can be done by looking at the guidelines within the law and systematically testing the network for compliance gaps. After this has been done, the next thing is to install and configure all necessary software, which has been tested. Once everything is in place and configured it becomes time to populate all servers, databases and software and then soft test the system by putting it through its paces on a small number of client systems. I will also test the network to see where things need to be hardened. After it has been established that the network, its security and the flow of information are working correctly, the firm will go completely live with the system.
Implementation Recommendation (repurposed from CTU Online CS661)
The recommended implementation was briefly covered supra. This has to be done in
phases. You never want to launch something before it is fully tested in a work
environment. Deployment of a system is no different from assuring that the smallest patch is
going to work. Testing the system as it is built, and then again when it is completely functional,
is vital to the success of the firm (Harris S. , A Layered Approach, 2010). The basic
premise would be to set everything up and run it in parallel with the system that is already in
place. My recommendation is to establish a single team out of the entire firm that
performs its duties entirely on the in-house system. This team will work arm in
arm with the network and security admins to report problems and to find the necessary
fixes. This team will go through training on any new systems, processes and software that
may be used. This soft launch of the system will allow the firm to see the new network in
action. This initial phase would ideally last 90 days, after which the system would be launched to the
remainder of the staff. Education is the first step in the second phase of the process.
Once it is established that the network functions as it should, it would be fully
integrated into the firm for full use. My recommendation is to have a dedicated training
session that would allow the remainder of the staff to learn how the new systems work.
The experienced team would then take on a support role to handle any other questions
that may arise as the other staff start to use the new systems and software. An additional
part of the training will include security policy and other related issues. The system and
security admins will be responsible for maintaining these systems as well as assuring that
training has been delegated and completed. It is at this point that the network monitoring
to reduce risk, and the ongoing maintenance, really start. Some of the tools addressed above will
allow the admins to see what is going on in the network from a performance standpoint
and will allow them to shift resources where needed. They will also have the ability to
read network logs and view traffic from within the network and attempted connections from outside
it. The next section will address this from a high-level view.
Cost Benefit Analysis
Recommended Budget (repurposed from CTU Online CS661)
A plan such as this will require resources to be delegated for the initial establishment
of the infrastructure. This includes all hardware, software and services that surround the
needs of the firm. Once everything is in place there will be an initial cost in man-hours
for training the staff, and then for continued education on things like security policy and
system use. There will also be the cost of security and network administrators to manage,
maintain and monitor the network. The following list reflects a recommended budget in
no particular priority order.
Item                          Description                      Cost
Wall-mount server rack        House individual servers         $525.00
XSERVE 2X G5 2300 1U          Server interface device          $1,300.00
ZyXel firewall                2 are recommended                $3,000.00
EdgeMax (Ubiquiti)            Wi-Fi access control (x4)        $1,500.00
Rack server with HD           Behind the firewall              $15,000.00
Rack server with HD           DMZ and web server               $5,000.00
RAID system                   Backup and fail-safe             $900.00
Server software               This reflects all needs          $2,000.00
IDS/IPS                       Switch & router system           $1,100.00
Snort monitoring              Network monitoring               No cost
Cisco remote access           Mobile access control            $1,000.00
Initial training              Entire staff, 2 hours each       Undefined
Ongoing training              As needed                        Undefined
Security/network admin        May be a single person           $80k-$120k annual
Cloud access                  Can be established in house
Initial software deployment   Developed or ad hoc              $5k-$20k
Software assurance            Falls in the scope of admin      Factored into salary
Current and Future Technology Trends
Matter-Centricity
In August of 2014 the International Legal Technology Association held its annual
conference. In one of its seminars they provided some very good statistics about what law
firms are doing in regards to technology. Some of the good things include an increase in
the number of firms that are using a matter-centric environment (Gerlach, 2014). “Matter-
centricity is an approach in which information in multiple repositories is either unified
within centralized data stores or linked together with a common identifier such as the
unique matter billing number” (LiVecchi, 2008). Matter-centricity is exactly what this
project is about. In essence we are trying to find a way for the firm's staff to be more
efficient and productive in order for the firm to grow. With that said, we are trying to
make the changes needed without compromising the information that needs to be
securely protected. All of the options that have been considered have been weighed with the
protection of client information as the number one concern.
Matter-centricity is a trend that has been around for a long time. As stated supra, the
issue before us is the ability to manage the matters the staff need access to in an
environment that is continually becoming more mobile. As has also been stated, there are a lot
of companies that are offering services that will help centralize the data and make it
accessible. The recommendation that has been made is not all cloud or all in-house
control, but a combination of both. Within matter-centricity you will find other trends
like tagging email communication. This is where an attorney or support staff can link
an email or email thread to a specific client's file. Additionally, from within the specific
application an email can be generated from the client's file. Further, rules can be set up
that will send all email from specific users, or that contains specific subjects, to the client's
file. This makes opening a mail client unnecessary unless it is to send
inter-office memos. Along these same lines you have something called file tagging. Just
like tagging email and linking it to a specific file, you can move documents from one
location on a hard drive to the client's file. Software such as TrialWorks already has
something similar to this in place within the platform it offers.
In an era where less and less information about a case is coming into the office in
paper form, it has become increasingly important to find ways to secure and manage the
information in a digital format (LiVecchi, 2008). For this reason and this reason alone,
matter-centricity will be a trend that will have long-lasting effects on the legal industry.
Mobile Me
Mobility is not a new trend, but it will be one that will be around going forward. To
speak of mobility as if it is a new idea would be an insult to the intelligence of anyone with
a functioning eyeball. A person can turn on the television on any given channel and will
be faced with computer companies like Apple and Microsoft touting their latest mobile
devices (Surface Pro, iPad, iPhone, Galaxy). What this says is that people want to be able
to get things done on the go. They want the functionality of their desktop computers in a
device that they can fit in a pocket or at the least a backpack. The biggest question that a
company has to face with this is whether it will provide devices for the staff or whether it
will employ a BYOD model. “The BYOD model is what is recommended for the firm in
that it will not generate any additional costs that have to be considered. To put the BYOD
movement into perspective, consider that a recent industry study found that 44 percent of
firms had a BYOD policy in place in early 2012, and that number increased to 94 percent
in 2013. There are several reasons for this rapid embracement of BYOD” (Blaho, 2013).
Within this model there are several ways to implement it. The firm would not prohibit
staff from using their own devices so long as they agree that the firm is not responsible
for any damage or loss of data associated with the individual using their own devices.
Security
“Law firms are surprisingly weak on security, and a full 25 percent of firms have
no security policy at all. Encryption is greatly underutilized. Even at large firms with
resources, less than 50 percent use encryption of files.
Many firms allow a “bring your own device” system where employees’ personal
technology is used for work. “It’s unsettled what kind of security fallout will come from
using personal devices,” Unger said, adding that individuals will have to take on personal
responsibility for security with their devices.
Panelists cited existing concerns that law firms could be a weak link when it
comes to protecting information. “The FBI has already expressed concern about law
firms being a vector into a client’s most-personal information,” said Dennis Kennedy,
MasterCard vice president and senior counsel” (American Bar Association, 2015).
The biggest consideration for training is to stay current on what the latest attacks are
and how to detect them. Additionally, the need to keep updated on the latest security
methods, software and training is highly important. There are several programs through which a
person can get this training, including SANS Institute, Cisco, Oracle and the like.
Financial Impact
From an impact standpoint, depending on how the firm structures its contracts (it
would be advisable to pay for ongoing training of its IT staff), the brunt of future costs
will go into keeping security up to date. For instance, CCNA training costs can vary
widely depending on where a person goes. The exams, on the other hand, are consistent at
$250.00. SANS Institute has a wide range of programs for security professionals. These
trainings are generally in the $2000-$2500 range, but the trade-off is that SANS will
usually provide the tools for free or as part of the training session.
In terms of the ability of staff to bring their own mobile devices and use them for
work purposes, there is no future cost impact to the firm. The individual staff
will incur the cost based on their own timeframe of purchase and the cost driven by the
current consumer market.
Finally, because the firm is already in a matter-centricity model, the cost here
would be dependent on the final decision. If the recommendation is followed, then the
firm would incur the man-hour cost to staff an IT group that will address the needs of the
firm's technology. If the firm decides to go with a fully cloud-based option, it will have a
presumably lower overhead but may run into other issues that will cost the firm in terms
of efficiency and productivity. In all, the lesser of the two evils would be to employ a
group and factor in an annual budget for this team of $500,000.00.
References
104th Congress. (1996). Health Insurance Portability and Accountability Act of 1996. Public Law 104-191.
American Bar Association. (2015). ABA News Archives. Retrieved February 6, 2015, from American Bar Association: http://www.americanbar.org/news/abanews/aba-news-archives/2014/05/10_technology_trends.html
American Bar Association. (2013). Ethics. (C. University, Producer) Retrieved October 6, 2013, from Legal Information Institute: http://www.law.cornell.edu/ethics/aba/
American Bar Association. (2014). Model Rules of Professional Conduct. Retrieved January 26, 2014, from American Bar Association: http://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/model_rules_of_professional_conduct_table_of_contents.html
Apple Inc. (2013). OS X: About FileVault 2. Retrieved November 4, 2013, from Apple Support: http://support.apple.com/kb/HT4790
Arora, M. (2012, July 7). How secure is AES against brute force attacks? Retrieved November 3, 2013, from EE Times: http://www.eetimes.com/document.asp?doc_id=1279619
Authentication World. (2006). Single Sign On. Retrieved November 3, 2013, from Authentication World: http://www.authenticationworld.com/Single-Sign-On-Authentication/
Barron's Law Dictionary. Law Dictionary (3rd ed.). (G. H. Steven, Ed.)
Blaho, J. (2013, November 13). Three BYOD Models You Need To Know. Retrieved February 5, 2015, from Forbes: http://www.forbes.com/sites/sungardas/2013/11/13/three-byod-models-you-need-to-know/
Chinman, M., Imm, P., & Wandersman, A. (2004). Getting to outcomes. Rand Health. Santa Monica, CA, USA: Rand.
Citrix. (2014, August). Announcements, August 2014. Retrieved January 11, 2015, from Citrix: http://www.citrix.com/news/announcements/aug-2014/citrix-cites-strong-customer-demand-for-comprehensive-enterprise.html
CTU. Course Materials. CS654.
Davis, M. A. (2012, April 6). Attorney at Law. (E. Kovacevich, Interviewer) Lakewood, Colorado, USA.
Dean, T. (2010). Gateways and other multifunction devices. In T. Dean, Network+ Guide to Networks (p. 276). Boston, MA: Cengage Learning.
Dean, T. (2010). Intrusion detection and prevention. In T. Dean, Network+ Guide to Networks (p. 588). Boston, MA: Cengage Learning.
Dictionary.com. (2014). Accountability. Retrieved February 8, 2014, from dictionary.com: http://dictionary.reference.com/browse/accountability
Dowd, M. S. (2007). The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Boston, MA: Pearson Custom Publishing.
Dowd, M., McDonald, J., & Schuh, J. (2007). The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Boston, MA: Pearson Education, Inc.
ESuni, E. Y. (2005). Conflict of Interest. Retrieved October 21, 2013, from American Bar Association: http://www.americanbar.org/newsletter/publications/gp_solo_magazine_home/gp_solo_magazine_index/conflictsofinterest.html
Gerlach, M. (2014, August 22). Good, Bad & Ugly technology trends. Retrieved February 5, 2015, from Law Technology News: http://www.lawtechnologynews.com/id=1202667781194/Good-Bad-and-Ugly-Legal-Technology-Trends-?slreturn=20150105130637
Harris, S. (2010). A Layered Approach. In S. Harris, CISSP All-in-One Exam Guide (5th ed., p. 39). McGraw Hill.
Harris, S. A. (2012). Access Controls Overview. In S. A. Harris, CISSP All-In-One Exam Guide (5th ed., p. 154). New York, NY: McGraw Hill.
Harris, S. A. (2010). Application and Circuit-Level Proxies. In S. A. Harris, CISSP Exam Guide (5th ed., p. 559). New York, NY, USA: McGraw Hill.
Harris, S. A. (2010). Identification and Authentication. In S. A. Harris, CISSP All-In-One Exam Guide (5th ed., p. 159). New York, NY: McGraw Hill.
Harris, S. A. (2010). Need to Know. In S. A. Harris, CISSP All-In-One Exam Guide (5th ed., p. 196). New York, NY: McGraw Hill.
Harris, S. A. (2010). Single Sign On. In S. A. Harris, CISSP All-In-One Exam Guide (5th ed., p. 198). New York, NY: McGraw Hill.
Harris, S. (2013). Security Management Practice. In S. Harris, CISSP: All-In-One Exam Guide (6th ed., pp. 1-73). New York, NY: McGraw Hill.
Heary, J. (2009, November 9). Articles. Retrieved October 22, 2013, from PCWorld: http://www.pcworld.com/article/182180/top_5_social_engineering_exploit_techniques.html
Information Management. (2013). News, the difference between web and non-web based applications. Retrieved January 21, 2014, from http://www.information-management.com/news/2026-1.html?zkPrintable=1&nopagination=1
Iron Mountain. (2013). Law Firms Face Diverse Challenges When It Comes to Records Management and Storage. Retrieved October 6, 2013, from Iron Mountain: http://www.ironmountain.com/Knowledge-Center/Reference-Library/View-by-Document-Type/General-Articles/L/Law-Firms-Face-Diverse-Challenges-When-It-Comes-to-Records-Management-and-Storage.aspx
Kimbo, S. L., & Mighill, T. (2011). Popular Cloud Computing Services for Lawyers: Practice Management Online. Law Practice Magazine, 37(5).
LaserLight Networks. (2013). Documents. Retrieved September 3, 2014, from LaserLight Networks: http://www.laserlightnetworks.com/Documents/RISK%20CUBE%20METHOD%20to%20DERIVE%20COST%20RISK.pdf
LiVecchi, L. (2008, March 28). Legal Software. Retrieved February 5, 2015, from FindLaw: http://technology.findlaw.com/legal-software/explaining-the-technology-behind-matter-centricity.html
Michmerhuizen, S. (2007, May). Administrative. Retrieved January 15, 2015, from American Bar Association: http://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/confidentiality_or_attorney.authcheckdam.pdf
Microsoft. (2013). Analyzing Network Data with Network Monitor. Retrieved November 6, 2013, from TechNet.Microsoft: http://technet.microsoft.com/en-us/library/cc723623.aspx
Microsoft. (2014). Developer Network. Retrieved February 6, 2014, from Microsoft: http://msdn.microsoft.com/en-us/library/ms995349.aspx#sdl2_topic1
Microsoft. (2013). Library. Retrieved October 22, 2013, from Microsoft: http://msdn.microsoft.com/en-us/library/hb7xxkfx.aspx
Mitchell, B. (2013). DMZ - Demilitarized Zone. Retrieved November 6, 2013, from About.com: http://compnetworking.about.com/cs/networksecurity/g/bldef_dmz.htm
PCI Security Standards Council. (2010, October). Documents. Retrieved January 27, 2014, from pcisecuritystandards.org: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Poole College of Management. (2014). Library. Retrieved September 8, 2014, from ERM.NCSU: http://erm.ncsu.edu/library/article/category-effective-risk-management#.VA5k_MIyycc
Red Hat. (2013). Support. Retrieved November 4, 2013, from Red Hat: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/Security_Guide-Encryption-Data_in_Motion.html
SANS Institute. (2002). Reading Room. Retrieved September 8, 2014, from sans.org: http://www.sans.org/reading-room/whitepapers/policyissues/defining-policies-meta-rules-505
Scarfone, K., & Mell, P. (2007, February). Intrusion Detection and Prevention Principles. Guide to Intrusion Detection and Prevention Systems. Gaithersburg, MD, USA: National Institute of Standards and Technology.
Search Storage. (2013). Definitions: Data at Rest. Retrieved November 3, 2013, from What Is?: http://searchstorage.techtarget.com/definition/data-at-rest
SecPoint. (2013). Top 10 Social Engineering Tactics. Retrieved October 22, 2013, from SecPoint: http://www.secpoint.com/Top-10-Social-Engineering-Tactics.html
Simek, J. M., & Nelson, S. D. (2013). Preventing Law Firm Data Breaches. Retrieved October 6, 2013, from American Bar Association: http://www.americanbar.org/publications/law_practice_magazine/2012/january_february/hot-buttons.html
Smith, Gambler and Russel LLP. (2013). Resources. Retrieved October 6, 2013, from sgrlaw.com: http://www.sgrlaw.com/resources/trust_the_leaders/leaders_issues/ttl5/916/
social-engineering.org. (2013). Home. Retrieved October 22, 2013, from social-engineering.org: http://www.social-engineer.org
Strategic Growth Concepts. (2015). Mobile technology for increased productivity & profitability. Retrieved January 11, 2015, from Strategic Growth Concepts: http://www.strategicgrowthconcepts.com/growth/increase-productivity--profitability.html
Sundaresan, B. (2011, June 13). Security without compliance: The legal industry needs to step up security. Retrieved January 26, 2014, from AT&T.com: http://networkingexchangeblog.att.com/enterprise-business/security-without-compliance-the-legal-industry-needs-to-step-up-security/
Tyson, J., & Crawford, S. (2013). How VPNs Work. Retrieved October 27, 2013, from How Stuff Works: http://www.howstuffworks.com/vpn.htm
United States Congress. (2010, September 15). Library of Congress Summaries. Retrieved January 26, 2014, from Govtrack.us: https://www.govtrack.us/congress/bills/111/s139#summary
United States Supreme Court. (2014). Legal Information Institute. Retrieved February 2, 2014, from Cornell University: http://www.law.cornell.edu/rules/frcp/
University, B. (2013). Physical Security. Retrieved January 13, 2013, from Baylor University Information Technology Services: http://www.baylor.edu/its/index.php?id=49630
Warsi, S. (2014, November 24). Business 2014. Retrieved January 19, 2015, from The Boston Globe: http://www.bostonglobe.com/business/2014/11/24/young-lawyers-seek-shake-legal-profession-with-mobile-apps/bnNLhfoceZumFg9CrVA3gI/story.html
Webopedia. (2013). Sniffer. Retrieved November 6, 2013, from Webopedia: http://www.webopedia.com/TERM/S/sniffer.html