There are times when I feel sorry for IT professionals. They receive very little thanks yet always plenty of blame. IT is a cost; unnoticed when it is working well and making everyone’s life easier, but within seconds of a sudden shutdown or unexpected upgrade, it can be the most frustrating aspect of a person’s existence. The slow repeating turn of a digital egg-timer might inspire a busy barrister to throw a laptop across a room, or even out of a window. And when that ire arises, IT professionals bear the brunt.

That is not to suggest that IT professionals cannot, at times, themselves be infuriating. Helpdesk telephones unanswered; emails asking for help which receive an automated response; the inevitable ‘ticket’ logged which never seems to result in any action until the problem has gone away. And the first piece of advice from an IT professional, which does make one wonder whether any actual training is required to gain expertise in this area: ‘Have you tried turning it off and turning it back on again?’

But we must all work together. And this relationship is going to become closer with the Information Security Questionnaire for all centralised services provided by chambers. What is this Information Security Questionnaire, you may ask? And why does this mean that I now have to spend yet more time in discussions with IT?

The Questionnaire (for short) was devised by a joint Law Society/Bar Council working group representing the interests of barristers’ chambers and a number of larger law firms in 2021, and was subjected to wider review in various roundtable discussions earlier this year. On 23 March 2022 it was published on the Bar Council’s website and chambers began receiving requests for completion almost immediately upon publication. The Questionnaire has been designed, ‘with brevity and simplicity in mind’, to provide a standard set of questions to convey necessary information regarding chambers’ information security. Prior to the publication of the Questionnaire some chambers were receiving requests from law firms, particularly from the United States, comprising over a hundred questions seeking details of procedures and policies that would not exist in a collection of self-employed individuals. The requests were aimed at data controllers who were companies, supported by IT departments or teams, which could provide training and advice to employees. The requests were excessive, disproportionate and failed to recognise the unique aspects of the Bar. Instead, the Questionnaire comprises 26 questions which are intended to be relevant in almost every circumstance.

But if the Questionnaire is aimed at assisting chambers and the self-employed Bar to provide simple answers to essential questions, why do IT professionals need to get involved?

While the number of questions has been reduced to the minimum, technical ones remain, and will require the input of the individual or company managing the chambers network. Further, the introduction to the Questionnaire recommends that chambers work with their IT suppliers and maintain an up-to-date copy of the responses to the Questionnaire which can then be made available to instructing solicitors with the aim of revisiting them every six months.

Question 1, the ‘Scope of central chambers’ services’, sounds complicated but should be easily answered by most people in chambers: Does your chambers use email? (‘Yes’); What email does your chambers use? (‘Microsoft 365’); Who uses email? (‘Barristers and staff’); How is your email service provided? (‘Privately hosted by an IT supplier’). The 25 questions that follow are a little more tricky but are divided into ten areas. This article identifies the ten areas with a few tips on answering the Questionnaire.

1. Risk management

The Questionnaire references Cyber Essentials, and Cyber Essentials Plus, in three separate places (The Introduction; Question 2; and The Glossary) and this is an excellent place to start when considering chambers’ risk management. Cyber Essentials is a government-backed scheme designed to help organisations in implementing the required security controls to protect against cyberattacks and has been referenced repeatedly in previous articles (see Mitigating malware attacks, Counsel, September 2021).

If Cyber Essentials certification has been achieved then copies are requested. This is unique within the Questionnaire as all other questions simply require confirmation that the area has been considered without requiring any further detail of the actions taken. For example, Question 3 asks: ‘Has chambers identified its main operational risks…?’ The required answer is ‘Yes’ without providing any further detail of the method undertaken to determine these risks or identifying the nature of the risks. This unique aspect for ‘acknowledged security frameworks’ emphasises the usefulness, and potentially the importance, of working towards a certification in Cyber Essentials, or similar. Further, responsibility for risk management is placed at the highest level within chambers, with the management committee or head of chambers to review every six months.

2. Engagement and training

Written policies and procedures may be the start but implementation requires engagement and training. The Questionnaire requires, at Questions 5 and 6, confirmation that chambers provides ‘mandatory’ information security awareness training for staff, and that training is made available for barristers. Mandatory training is required to be refreshed annually.

The form of the training is not prescribed within the Questionnaire, and could potentially be delivered in a number of ways: in-house in-person training; webinar or online; through a third-party provider. At the very least, staff and tenants should be directed to risk management policies, and the procedures for reporting information security incidents.

3. Asset management

The requirements for this section should have been covered when devising or updating the chambers privacy policy, following the introduction of GDPR. When determining the types of personal data held by chambers, and the location of this data, it is highly likely that the individual or team undertaking the assessment created an ‘asset register’ or ‘data map’. This may not have been the name applied to the document but it is highly likely that a spreadsheet or similar was used to identify the information processed and its location. This document should be regularly updated.

The privacy policy should then include details on the storage, retention and destruction arrangements for client information. The Questionnaire does not necessarily require further or additional work to be undertaken, rather to identify and confirm that policies are in place.

Whether client information is stored outside the UK or the EEA may not necessarily be obvious, and it may be that chambers needs to seek confirmation from their IT provider. Be particularly careful with cloud storage and data transfer applications, like Dropbox, which may have servers based in the USA.

4. Architecture and configuration

This area will likely require specific assistance from IT professionals, as chambers is unlikely to have sufficient in-house expertise to test IT infrastructure such as firewalls.

However, this does not mean that this area can be entirely delegated. Members of chambers can still ensure anti-virus software is up-to-date; information is regularly backed up; and that any concerns or suspicious activity are reported in the appropriate way.

5. Vulnerability management

This is, again, an area which will require assistance from an IT professional. ‘Vulnerability scans’ can be fairly straightforward, and are often included as part of standard anti-virus software; however, to apply a vulnerability scan to an entire network will require administrative access which should be restricted to the minimum number of people. Further, penetration testing requires specific expertise to properly document the methodology of penetration testing applied, and to identify and rectify concerns within the system.

Again, this does not mean that barristers and staff do not have a part to play. Security patches are often included within updates. Members of chambers should regularly update software to ensure that their device is not the weak point within the chambers network.

6. Identity and access management

Counsel magazine has been highlighting the importance of ‘strong passwords’ and multi-factor authentication (‘MFA’) for some time (see: Mitigating malware attacks). Three-random-words is now considered to be best practice for generating a password, and will usually meet the password specification requirements for most software and applications. MFA is standard within Microsoft 365 (formerly Office 365), which remains the most used product line in the UK.

It is worth noting that this area of security management is not limited to technical aspects. The Questionnaire requires confirmation that chambers employees are reference-checked and background-checked before being allowed to access the chambers system. In most instances, this is likely to be standard. Chambers is not going to employ a new clerk without looking at their CV, and checking with their former employer. Be careful, however, with temporary staff. A part-time receptionist will likely have access to chambers email, and may have access to diaries and case management systems which contain sensitive personal data. Ensure that personnel screening is undertaken on all staff, and not simply permanent employees. When temporary staff complete their contract, and leave chambers, ensure that their profiles and log-in details are deleted. Otherwise these represent a point of weakness in the chambers network.

7. Data security

Barristers’ laptops should be encrypted. This may sound complicated but comes as standard on iMacs. Encryption software may be required on other laptops but check the product handbook which will be available online.

The Questionnaire also encourages the use of virtual private networks (‘VPNs’). A VPN is a private, and often encrypted, network connection that can be used to secure electronic communications over the public internet. A user will be able to recognise the use of a VPN through the request to view or confirm a digital certificate which authenticates the VPN before access. Best practice is to use MFA, in addition to the digital certificate, to ensure that certificates have not been forged. A VPN for remote access will need to be established by an IT professional.

8. Logging and monitoring

Incident logs are a requirement under GDPR, and the expansion of these logs to include all security incident investigations is not an onerous task. What is slightly more complicated is ensuring that these logs are ‘protected against modification, deletion and unauthorised access’. A blockchain-based logging system would be ideal to achieve this goal.
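To show what ‘protected against modification and deletion’ means in practice, the following added example (not part of this article, the Questionnaire or any chambers system) implements the hash-chain principle that underlies blockchain-style logging: each record commits to the one before it, so an edited or removed entry fails verification. The incident entries are constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used by the very first record

# Constructed sample entries for illustration only; not real chambers data.
SAMPLE_INCIDENTS = [
    {"id": 1, "when": "2022-04-01T09:12Z", "type": "near miss", "summary": "Phishing email reported by clerk, not opened"},
    {"id": 2, "when": "2022-04-03T14:30Z", "type": "incident", "summary": "Laptop left on train; encrypted, remote wipe issued"},
    {"id": 3, "when": "2022-04-10T11:05Z", "type": "near miss", "summary": "Attachment sent to wrong recipient, recalled"},
]


def entry_hash(prev_hash, entry):
    """Hash the entry together with the previous record's hash, so each record commits to all earlier ones."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(chain, entry):
    """Append a record that links to the current head; the log is only ever written this way."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"entry": entry, "prev_hash": prev, "hash": entry_hash(prev, entry)})
    return chain


def verify_chain(chain, expected_head=None):
    """Recompute every hash. Returns (True, None) or (False, index of the first bad record).

    expected_head is the latest hash kept somewhere the log writer cannot alter (for example
    noted at each six-monthly review). Without it, removing the newest records still verifies.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev or rec["hash"] != entry_hash(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def tamper_checks():
    """Show how each kind of tampering appears to verify_chain."""
    chain = []
    for e in SAMPLE_INCIDENTS:
        append_entry(chain, e)
    head = chain[-1]["hash"]  # recorded out-of-band at review time
    edited = copy.deepcopy(chain)
    edited[1]["entry"]["type"] = "near miss"  # an incident reclassified after the fact
    deleted_middle = copy.deepcopy(chain)
    del deleted_middle[1]  # a record removed from the middle of the log
    truncated = chain[:-1]  # the newest record dropped
    return {
        "intact": verify_chain(chain, head),
        "edited": verify_chain(edited, head),
        "deleted_middle": verify_chain(deleted_middle, head),
        "truncated_no_head": verify_chain(truncated),
        "truncated_with_head": verify_chain(truncated, head),
    }
```

Only the truncation check without an out-of-band head hash passes, which is why the latest hash should be stored somewhere separate from the log itself.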

9. Incident management

Incident management and logging and monitoring are clearly linked areas. The Questionnaire requires that all incidents, and ‘near misses’, are recorded. Any incidents which have resulted in a report to the ICO need to be declared. Finally, chambers is required to have in place an incident management process which is regularly reviewed. For assistance on the form of an incident management process, see Hitting back at cyberattack, Counsel, December 2021.

10. Supplier security

It is predicted that supply chain cyberattacks are going to increase in 2022-2023 (see Cyber protect for 2022, Counsel, April 2022), so conducting due diligence on suppliers is essential. Ensure suppliers have appropriate and proportionate information security. Asking the question may often be enough to cause suppliers to take the initiative and consider their own systems.

The Questionnaire is an opportunity for barristers and chambers to provide reassurance to law firms, and to assess whether cybersecurity measures are appropriate and proportionate to identifiable risks.