3.1 Baseline for Security – Policies and Procedures

Needed capacities or functions - Security Policies and Procedures

  1. Organizations should develop policies for both in-office and remote access to their networks, considering the access privileges appropriate to each data system, to ensure secure practices against internal and external threats or intrusions. Ultimately, each organization should determine how to develop, update, or expand upon its policies.
  2. Policies may be standalone or in a comprehensive manual but should include the following security elements (see additional information in LSNTAP's Security Toolkit: Security Policies):
    1. Acceptable Use Policy;
    2. Remote Access Policy;
    3. Data Classification;
    4. Data Retention;
    5. Physical Security;
    6. Strong Password Requirements;
    7. Disaster Recovery Plan (see Disaster Recovery Plan section);
    8. Security breach and incident response (see Incident Response Plan); and
    9. Policies on organization-owned equipment and Bring Your Own Device ("BYOD"), if applicable (see Mobile for Staff Use section).
  3. Work should be done on organization-owned or managed devices or applications to best secure systems and data.
  4. Organizations should inventory the devices on their network and conduct routine manual and automated device discoveries to determine if any unauthorized devices are connected to the IT environment.
  5. Policies should be reviewed at least once a year to ensure they remain applicable as new technologies and security practices are adopted and deployed.
  6. Regularly install updated patches, or implement patch management, across all systems (e.g., operating systems, antivirus software, and other third-party applications). Computer hardware firmware and networking devices should have the most current patches and definition updates and remain patched regularly to decrease vulnerability to cyberattacks.
  7. Routinely maintain backup and recovery systems according to grant assurances, including off-site backups.
  8. IT equipment should be kept in a secure environment with appropriate ventilation and cooling; avoid areas prone to other environmental risks.
  9. IT should enable logging/auditing on all IT equipment and services in use, and retain those logs for at least 90 days, to be able to monitor changes made in the environment and by whom.
  10. Security policies and procedures should include measures to address threats and intrusions from users and strive to apply permissions based on the principle of least privilege ("PoLP"). Access to systems and networks that contain client, donor, payroll, and employee data should be restricted to only necessary personnel and access should be discontinued once the user separates from the organization.
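The device discovery described in item 4 only finds unauthorized devices if the sweep result is compared against a maintained inventory. The following is an added example (not code from the original page or from LSNTAP) of that comparison: it parses a constructed discovery result in the style of an ARP table, normalizes the MAC addresses, and reports devices that are not in the inventory as well as inventoried devices that were not seen. The inventory, asset tags, and addresses are all hypothetical sample data.

```python
"""Reconcile a network discovery sweep against the device inventory.

Added example, not from the original page. Assumes an inventory kept as a
mapping of authorized MAC addresses to (asset tag, owner), and a discovery
result with one 'ip mac state' entry per line (ARP-table style). Both inputs
below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed inventory (hypothetical asset tags and owners).
INVENTORY: Dict[str, Tuple[str, str]] = {
    "00:1a:2b:3c:4d:01": ("LAPTOP-0101", "intake desk"),
    "00:1a:2b:3c:4d:02": ("PRINTER-02", "2nd floor"),
    "00:1a:2b:3c:4d:03": ("SRV-FILE-01", "server room"),
}

# Constructed discovery output. MAC case is mixed on purpose to exercise
# normalization, and one entry has no resolved MAC (as real ARP tables do).
DISCOVERY_OUTPUT = """\
192.168.10.5   00:1A:2B:3C:4D:01  reachable
192.168.10.7   00:1a:2b:3c:4d:02  stale
192.168.10.9   00:1a:2b:3c:4d:03  reachable
192.168.10.44  dc:a6:32:11:22:33  reachable
192.168.10.45  <incomplete>       failed
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})$", re.I)


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str  # canonical lower-case, colon-separated


def normalize_mac(raw: str) -> Optional[str]:
    """Return the canonical lower-case colon form, or None if not a MAC."""
    if not MAC_RE.match(raw):
        return None
    return raw.lower().replace("-", ":")


def parse_discovery(text: str) -> List[Device]:
    """Parse 'ip mac state' lines, skipping entries with no resolved MAC."""
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        mac = normalize_mac(parts[1])
        if mac is None:  # e.g. '<incomplete>' ARP entries
            continue
        devices.append(Device(ip=parts[0], mac=mac))
    return devices


def reconcile(devices: List[Device], inventory: Dict[str, Tuple[str, str]]):
    """Return (unauthorized devices seen, inventoried MACs not seen)."""
    seen = {d.mac for d in devices}
    unauthorized = [d for d in devices if d.mac not in inventory]
    missing = sorted(set(inventory) - seen)
    return unauthorized, missing


def report(devices: List[Device], inventory: Dict[str, Tuple[str, str]]) -> List[str]:
    """One line per finding, suitable for a ticket or a scheduled e-mail."""
    unauthorized, missing = reconcile(devices, inventory)
    lines = [f"UNAUTHORIZED {d.ip} {d.mac}" for d in unauthorized]
    lines += [f"MISSING {mac} {inventory[mac][0]}" for mac in missing]
    return lines


if __name__ == "__main__":
    for line in report(parse_discovery(DISCOVERY_OUTPUT), INVENTORY):
        print(line)
```

Run against the sample data, the report flags 192.168.10.44 as unauthorized and nothing as missing. A MAC address is trivially spoofable, so this check is a detective control for the routine discovery in item 4, not a substitute for network access control (such as 802.1X) where the organization can deploy it; a "missing" entry is equally worth chasing, since it may be a laptop that left the building.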

Important Considerations and Best Practices

A legal aid organization holds a significant amount of confidential information, both about its clients and its operations. As more client and operational data is stored electronically, both the risk of outside intrusion into the program's network and the potential damage of such an intrusion increase.

There are a variety of potential risks:

  • Direct hacking into the program's network.
  • Potential loss or improper access to portable technology, such as laptops, tablets, mobile phones, and flash drives.
  • Inappropriate use of the web by staff who may access high-risk websites, exposing the firm to malicious software.
  • Social engineering frauds and phishing schemes can be perpetrated using information obtained from an organization's own website. Limiting employees' contact information on the website can decrease an organization's security risk. As such, information for employees who work in finance or accounting should not be shared on the organization's website.

A program should have policies, procedures, and systems in place to help avoid the loss of confidential and sensitive information. Additionally, an organization can decrease its vulnerability to cyberattacks by keeping its policies, procedures, and systems up to date. As best practice, separate acceptable use policies for user and network administrator computing resources should be developed due to the scope of data access, and the employee and network administrator should sign off as to understanding and future compliance. An organization may want to consider developing a comprehensive technology security policy and procedures manual that enumerates all the organization's policies on technology use, data repositories, data-loss prevention, disaster recovery procedures, etc.

While every organization may vary in its technology security standards and practices depending on organizational size, structure, infrastructure, and resources, it is essential that every organization identifies some standards and practices by which it will measure its security readiness. The best practice for a well-governed organization is to formally adopt a well-known, industry-recognized security and compliance framework such as the NIST Cybersecurity Framework (CSF), the Center for Internet Security (CIS) Critical Security Controls, or the Health Industry Cybersecurity Practices (HICP) published by the U.S. Department of Health and Human Services. Ultimately, each organization is responsible for properly evaluating and weighing options among security and compliance frameworks, as well as ensuring an appropriate vendor and level of service.

There are several existing resources available to help quickly and inexpensively develop a set of customized policies that are a good fit for the organization. An organization may want to leverage an internal technology committee or its board members as additional resources since policy development can be a significant undertaking.

In the event of a disaster or significant systems outage, organizations should keep a printed version of their policies somewhere accessible to key staff.

Some of the responsibility for assuring that a provider's information technology and communication systems are adequately secured can be outsourced. Programs should consider having an outside firm conduct a security audit every year and/or working with outside experts on an ongoing basis to ensure an acceptable security posture.

With the emergence of generative artificial intelligence (AI) systems like ChatGPT, legal aid organizations should ensure that technology policies and practices are up to date on the acceptable use of such technologies in the delivery of legal services. At a minimum, organizations should have policies that address the use of AI to generate or review attorney work product and the use of AI to conduct legal research. Furthermore, online AI systems collect, analyze, and store user input; special care must be taken to ensure that attorney-client privilege is not violated by using this technology. Many commonly used software applications, such as Microsoft Teams, have incorporated, or plan to incorporate, AI into their products. Organizations should be aware of how the AI in these systems collects, stores, and uses data to ensure that client privacy is protected.

Stay abreast of the latest protocols and practices designed to protect an organization from potential internal threats. Examples include:

  • Develop user onboarding/offboarding procedures.
  • Ensure that IT administrators have two separate accounts: one administrator account and one user account.
  • Disable local administrator rights on end-user workstations.
  • Implement compliance checks to ensure devices are running up-to-date Operating Systems, endpoint protection, and/or MDM enrollment before accessing organizational data. Options may vary depending on the technology or service being used.
  • Segregate networks.
  • Review your firewall rules every 3-6 months.
  • Perform updates regularly to stay current with the latest security patches and bug fixes.
  • Register for vendor and security notifications.
  • Many organizations provide their clients with wireless access in their waiting rooms, offices, and mobile units. Public wireless networks should be isolated to only internet access, restricted to safe/approved websites, and should be throttled to limit bandwidth usage.
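The firewall rule review recommended above is only useful if the reviewer has a systematic way to find the rules that matter. The following is an added example (not code from the original page or from LSNTAP) of the three checks a reviewer would run first over an exported rule base: overly permissive allow rules, administrative ports exposed to any source, and rules shadowed by an earlier rule that already matches all of their traffic, so they are never evaluated. The rule format, the rule names, and the sample rules are hypothetical; real exports vary by vendor, and this example models IPv4 only and single ports rather than ranges.

```python
"""Flag firewall rules that a periodic review should question.

Added example, not from the original page. Assumes the rule base is exported
as an ordered list of (action, source, destination, protocol, port) entries
evaluated first-match, IPv4 only. The rules below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
ADMIN_PORTS = {22, 23, 3389, 445, 5900}  # SSH, telnet, RDP, SMB, VNC


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: str             # CIDR, or "any" for 0.0.0.0/0
    dst: str
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any port


def net(cidr: str) -> ipaddress.IPv4Network:
    return ANY if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (
        net(inner.src).subnet_of(net(outer.src))
        and net(inner.dst).subnet_of(net(outer.dst))
        and outer.proto in ("any", inner.proto)
        and outer.port in (None, inner.port)
    )


def review(rules: List[Rule]) -> List[str]:
    """Return one finding per questionable rule, in rule order."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src == "any" and r.dst == "any" and r.port is None:
            findings.append(f"{r.name}: allows any->any on any port")
        if r.action == "allow" and net(r.src) == ANY and r.port in ADMIN_PORTS:
            findings.append(f"{r.name}: admin port {r.port} reachable from any source")
        # First-match evaluation: an earlier rule that covers this one hides it,
        # regardless of either rule's action.
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append(f"{r.name}: shadowed by {earlier.name} (never evaluated)")
                break
    return findings


# Constructed sample rule base (hypothetical names and addresses).
SAMPLE_RULES = [
    Rule("r1", "allow", "10.0.0.0/8",  "10.0.50.10/32",   "tcp", 443),   # intranet web app
    Rule("r2", "allow", "any",         "203.0.113.10/32", "tcp", 3389),  # RDP open to the Internet
    Rule("r3", "allow", "any",         "any",             "any", None),  # "temporary" bypass left in
    Rule("r4", "allow", "10.0.1.0/24", "10.0.50.10/32",   "tcp", 443),   # duplicate of r1
    Rule("r5", "deny",  "any",         "any",             "any", None),  # default deny
]

if __name__ == "__main__":
    for finding in review(SAMPLE_RULES):
        print(finding)
```

On the sample rule base the review reports r2 (RDP from any source), r3 (any-to-any allow), r4 (shadowed by r1, so it is dead weight) and, most importantly, r5: the default deny is shadowed by the bypass rule r3 and never fires, which is exactly the kind of drift a 3-to-6-month review exists to catch. In practice the same pass should also check that each rule still has an owner and a reason recorded, since a rule nobody can explain is a rule nobody will remove.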

Useful websites, resources, and other tools