threat_modelling

Differences

This shows you the differences between two versions of the page.

threat_modelling [2019/08/09 06:53] – neil
threat_modelling [2019/08/09 11:29] – neil
Line 12: Line 12:
 ====Key points ====
   * [[threat_modelling#What are trying to protect?|What are you trying to protect?]]
 +  * [[threat_modelling#Create an information asset register|Create an information asset register]]
   * [[threat_modelling#Who is your threat?|Who is your threat?]]
   * [[threat_modelling#How are you vulnerable?|How are you vulnerable?]]
Line 36: Line 37:
  
 Or are you just generally concerned about upholding the confidentiality of your clients’ matters, and ensuring that clients can communicate with you in a reasonably secure manner, to take advantage of their right to seek independent, expert legal advice? Threats might be more casual: someone reading over your shoulder on a train, for example, or listening in on a phone call you are having in a public place.
 +
 +====Create an information asset register ====
 +
 +In a spreadsheet, list every device and service you have which stores data — computers, phones, external hard drives, USB keys, servers, online services, and potentially even printers and scanners.
 +
 +Against each device and service:
 +  * identify what data might be stored on it
 +  * state who is permitted to access it
 +  * describe the risks that it might face (for example, that you might lose your computer, leading to someone else getting access to the data on it, and you being unable to work on client files because the only copy is on the computer)
 +  * describe the security measures currently in place to protect against those risks
 +  * if relevant, state who is responsible for keeping it updated and ensuring it is wiped or destroyed properly at the end of its life
 +
 +Keep this up to date, amending it as you add and remove devices from your firm.
 +
  
 ====Who is your threat?====
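Review bot: the register described in this hunk records who may access each device, its risks and its current controls, but not how sensitive the data on it is, so the reader has no basis for choosing which entries to work on first; a sensitivity or classification column (for example client-confidential, internal, public) next to "identify what data might be stored on it" would give the later prioritisation step something to sort on. The lost-laptop example in the risk bullet also bundles two distinct risks, disclosure of the data to whoever finds the machine and loss of the only working copy, which need different controls (full-disk encryption versus an off-device backup); recording them as separate risks lets the "security measures currently in place" bullet show which risk each measure actually addresses, and makes a risk with no matching measure visible.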
Line 47: Line 62:
 Once you’ve identified why you might be of interest, and who you might be defending against, the next step is to identify how you might be vulnerable.
  
-Other pages discuss different areas in which a lawyer or a law firm might be open to attack, and give some examples of mitigations and defences. +You might find the European Union Agency for Cybersecurity's [[https://etl.enisa.europa.eu/#/|threat report]] to be useful in identifying key threats.
- +
-When you’ve got a list of risks and potential mitigations, you can then prioritise and start to implement.+
  
 ====Prioritise your response====
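Review bot: the removed line "When you’ve got a list of risks and potential mitigations, you can then prioritise and start to implement." was the bridge into the "Prioritise your response" section that follows, and the replacement ends the section on an external link instead, so the page now jumps from identifying vulnerabilities to prioritising without saying that the output of this step is the list of risks and mitigations the next section works from; consider keeping that sentence after the ENISA reference. The link text should also say which edition of the threat report is meant, since the ENISA Threat Landscape is republished each year and the contents behind the link will change without the page changing.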
threat_modelling.txt · Last modified: 2021/10/15 10:25 by neil