You've seen it in all kinds of action movies: the protagonist is about to enter his final throwdown. He's about to face down his nemesis in one last dramatic scene. But before he can leave his hideout, he's got to make sure he's prepared. He's got to check how many rounds of ammunition he has left, the status of all of his cool gadgets, and he's got to phone his allies. This is a moment where he discards what he no longer needs based on previous encounters with the villain of his story, and he evaluates whether or not he's really prepared to move on to the next steps.
Similarly, before you embark on writing your firm's cybersecurity policies, take stock of which information is actually confidential and needs to be protected. Once you have established what information is stored on firm devices and services, also assess whether it is necessary to store that information at all for your business purposes. Every record you keep is a record that can be leaked, so the less you store, the less you have to protect. This is the principle of data minimization, and the point of the exercise is to make sure you take on that risk with your eyes open.
These checklists are intended to help you make that assessment in easy steps. For each piece of personally identifiable information (PII), list what the information is (for example, client Social Security numbers) and where it is stored (for example, in the cloud-based case management system). Include copies, not just the system of record: e-mail attachments, scanned documents, and backups count. Then, for each item, evaluate:
☐ Can the objectives of the firm, such as representing clients to the fullest ability, be met without this data?
☐ Can the objectives of the firm be met without the data being output onto physical documents?
☐ Can the objectives of the firm be met without the data being shared with the firm's internal systems and staff members?
☐ Can the objectives of the firm be met without third parties (vendors, co-counsel, cloud providers) having access to this data?
☐ If the answer to any of the above questions is yes, the data or one of its copies is not needed for that purpose. Can it be deleted, or does the way it is stored or transmitted need to be changed so that it is no longer kept on paper, shared internally, or sent to that third party?
Now that you've evaluated whether or not you should even be storing or transmitting each "piece" of PII, for every necessary piece of information, evaluate:
☐ Do the systems where you store, use, or transmit the PII require a login (a password, ideally combined with multi-factor authentication) before the data can be reached?
☐ If so, has every default or vendor-supplied password on those systems been changed?
☐ Is there a written policy setting standards for the passwords used on these systems? For example, a minimum length, a ban on reusing passwords across systems, and a requirement to change a password promptly when it may have been exposed. Note that current guidance (for example, NIST SP 800-63B) favors long passphrases and multi-factor authentication over forced periodic rotation, which tends to produce weaker, predictable passwords.
☐ Do you install, and regularly update, anti-malware or anti-virus software on these systems, and do you apply operating-system and application security patches promptly?
☐ Do you use other protections, such as firewalls, to limit who can reach these systems over the network?
☐ Do you have a schedule of regular backups of the critical data so that it can be recovered if the system becomes inoperable, and have you actually tested restoring from those backups?
☐ What is the risk to the firm if the system becomes inoperable, on a scale from low to high?
☐ Is there monitoring that alerts someone if the system goes down or if someone attempts to attack it, and is it clear who receives and acts on that alert?
☐ When the data is transmitted, whether internally or to third parties, is it encrypted in transit?
☐ When the data is backed up or archived, is it encrypted at rest, and is the key to that backup stored separately from the backup itself?
Using the answers from both of these checklists, you can then start to build your plan for changes to the systems or changes to practices. For example, you might delete PII that the first checklist showed you do not need, revise your password policy to require longer passphrases and multi-factor authentication, or set regularly scheduled times for updating your anti-virus software and applying patches.