Minimise risks and ensure compliance with the Oyez Legal Information Security Management System
The SRA has issued a new Code of Conduct governing law firms, making compliance with regulations and the minimisation of risk more important than ever before.
The Oyez Legal Information Security System is a customisable toolkit specially designed to assist law firms in complying with their Information Security Management requirements.
Choose from our range of four subscription packages
Information Security is a vital issue for Law Firms
Every UK legal practice handles privileged information. Ensuring that this data is managed securely has become increasingly complex with the growth of electronic communications. In addition to printed information, confidential data is now held on laptops, USB sticks, emails, websites, databases and network servers.
In order to protect the confidentiality of information, the Data Protection Act 1998 requires every organisation that handles personal data to conduct a Staff Assessment and to have appropriate information security controls and policies in place.
Further to this, from March 2012, the SRA requires all legal firms to have elected a Compliance Officer who will be responsible for ensuring a rigorous and compliant data security process that meets all regulatory obligations.
Failure to comply with the DPA (1998) is not an option, and ignorance of its requirements is never accepted as an excuse. Any breach, however minor, is taken very seriously by the Information Commissioner's Office, which has the authority to levy monetary penalty notices of up to £500,000.
Fines levied by the Office of the Information Commissioner for non-compliance include:
Which package is right for me?

A4e Limited
22 Nov 2010 / Penalty £60,000
A4e operates the Legal Advice Centres in Hull and Leicester for the Legal Services Commission. In June 2010 an employee was burgled at home with the loss of a company laptop computer. The computer contained personal and sensitive data relating to 24,000 clients and was not encrypted.
ACS Law
9 May 2011 / Penalty £200,000*
In September 2010 the web server of ACS Law was the target of a DDoS attack. As a result, files containing sensitive data on 6,000 individuals were published on the internet. The Commissioner intended a penalty of £200,000, but ACS Law was then forced to cease trading and the penalty was reduced to £1,000.*
Surrey County Council
6 June 2011 / Penalty £120,000
Within 1 year, a spreadsheet relating to adult social care users was erroneously sent to 361 transport companies, the minutes of a Strategy Discussion were sent to a newsletter distribution group, and a locum Family Support Worker sent sensitive personal data to an email contact group within County Hall in error.
4 Introductory Guides
The Data Protection Act 1998:
Data Protection and Privacy
Data Protection Act
Scope and Security Principles
What Does the Act Say?
Having Regard to the State of Technological Development
Appropriate Technical and Organisational Measures
ICO Powers
Protecting Your Data:
Introduction to Data Protection
Data Classification
Practical Issues
Data Backup
Traditional Backup Methods
Cloud Solutions
Encryption
Information Security:
Information Security Management for Lawyers in Practice
What is Information Security Management?
What Information Should I Protect?
Why is Information Security Important To A Legal Practice?
What is the Best Approach to Provide Security?
Information Security Management Starting Point
What Security Roles and Responsibilities Should I Consider?
What Risks Does a Practice Face and What Security Does it Need?
Staff Assessments
How Do I Develop My Information Security Strategy?
How Do I Provide Security Solutions?
Best Practice In Information Security:
Passwords
Virus, Worms, Trojans and Spyware
Spam
Firewalls
Patches
Information and Identity Theft
Wireless Networks
Third Parties
Cloud Service Providers
Full Disk Encryption
Email Encryption
Creating Staff Awareness
Evaluating Staff Understanding
4 Policy Documents to cover Security Roles & Responsibilities
The documents in this policy package include:
Security Roles and Responsibilities
Security Awareness and Training (General)
Data Security Classifications
Security Policies and Regulations
4 Policy Documents to cover Physical Security Plans & Procedures
The documents in this policy package include:
Physical Security Plans and Procedures
System and Network Management (Backups)
Password Policy
Encryption
5 Introductory Guides
The Data Protection Act 1998:
Data Protection and Privacy
Data Protection Act
Scope and Security Principles
What Does the Act Say?
Having Regard to the State of Technological Development
Appropriate Technical and Organisational Measures
ICO Powers
Protecting Your Data:
Introduction to Data Protection
Data Classification
Practical Issues
Data Backup
Traditional Backup Methods
Cloud Solutions
Encryption
Information Security:
Information Security Management for Lawyers in Practice
What is Information Security Management?
What Information Should I Protect?
Why is Information Security Important To A Legal Practice?
What is the Best Approach to Provide Security?
Information Security Management Starting Point
What Security Roles and Responsibilities Should I Consider?
What Risks Does a Practice Face and What Security Does it Need?
Staff Assessments
How Do I Develop My Information Security Strategy?
How Do I Provide Security Solutions?
Best Practice In Information Security:
Passwords
Virus, Worms, Trojans and Spyware
Spam
Firewalls
Patches
Information and Identity Theft
Wireless Networks
Third Parties
Cloud Service Providers
Full Disk Encryption
Email Encryption
Creating Staff Awareness
Evaluating Staff Understanding
ISMS: An Introduction for Lawyers in Practice
Introduction
The objectives of an Information Security Management System
Information Assets
Understanding the 4 Key Risk Categories
Risk Profiling A Firm
ISMS Risk Assessment
Benefits
8 Policy Documents to cover Security Roles & Responsibilities
The documents in this policy package include:
Security Roles and Responsibilities
Security Awareness and Training (General)
Security Awareness and Training (IT Staff)
Data Security Classifications
Security Policies and Regulations (Current Policies)
Security and Regulations Management
Security Policies and Regulations (Evaluation)
Security Policies and Regulations (Compliance)
11 Policy Documents to cover Security Roles & Responsibilities
The documents in this policy package include:
Security Roles and Responsibilities
Security Awareness and Training (General)
Security Awareness and Training (IT Staff)
Data Security Classifications
Security Policies and Regulations (Current Policies)
Security and Regulations Management
Security Policies and Regulations (Evaluation)
Security Policies and Regulations (Compliance)
Security Rights, Groups and Individuals
Collaborative Security Management
Security Management: External Personnel
4 Policy Documents to cover Physical Security Plans & Procedures
The documents in this policy package include:
Physical Security Plans and Procedures
System and Network Management (Backups)
Password Policy
Encryption
11 Policy Documents to cover Physical Security Plans & Procedures
The documents in this policy package include:
Physical Security Plans and Procedures
System and Network Management (Backups)
Authentication and Authorisation
Password Policy
Removable Media
Workstation Security
Vulnerability Management
Encryption
Acceptable Usage Policy
Staff Security
Acceptable Email Usage Policy
12 Policy Documents to cover Physical Security Plans & Procedures
The documents in this policy package include:
Physical Security Plans and Procedures
System and Network Management (Backups)
Authentication and Authorisation
Password Policy
Removable Media
Workstation Security
Vulnerability Management
Encryption
Remote Working / Access
Acceptable Usage Policy
Staff Security
Acceptable Email Usage Policy
Bronze package suitability
Sole practitioners, working independently.
Take this option if you do not employ any staff.
Silver package suitability
Small practices, employing fewer than 10 staff, without a LAN or dedicated server.
Take this option if your IT is a basic network, perhaps administered externally.
Gold package suitability
Practices with a LAN and single server.
Take this option if your IT is a basic network at a single office, perhaps administered externally.
Platinum package suitability
Practices with complex LANs and multiple servers and offices.
Take this option if your organisation has advanced IT and data ordering requirements, with dedicated IT staff.