One North Earns ISO 27001 Certification for Information Security Management System
CHICAGO – June 28, 2018 – One North announced today that it earned ISO/IEC 27001:2013 certification for its information security management system (ISMS). The Chicago-based agency – which builds digital brand experiences and provides managed hosting and consulting services for leading professional services organizations – is among the first such digital agencies to achieve ISO 27001 certification.
The One North ISMS is a framework for delivering a comprehensive approach to security across people, process, technology, controls and management related to the agency’s web hosting, remote access and onboarding/offboarding services, as well as all processes related to protecting client data.
Digital security remains top-of-mind for professional services organizations, as many are highly regulated and now require vendors to maintain strict data protection processes. One North holds deep expertise in security and has prioritized protecting its clients’ digital properties since its founding in 2012. Its certification further assures clients that One North is a trusted partner that not only meets regulatory requirements but is also focused on preserving the confidentiality, integrity and availability of their information assets.
“As an agency, One North is dedicated to continuously cultivating a ‘culture of security’ that holds all of our employees accountable for earning and maintaining the trust of our clients,” said Ethel Crosby, Director of Technology Operations and Offerings at One North. “Our ISO 27001 certification validates One North’s ongoing commitment to integrating security best practices throughout our business to protect and manage our clients’ assets, digital properties and reputations.”
During the certification process, One North partnered with Information Navigators, a security and compliance consulting company, to refine documentation of the agency’s current security procedures and navigate through the audit preparation process. The final audit confirmed One North complies with ISO’s leading security standards and was conducted in accordance with the ISO 19011 and ISO 17021 standards, which are accepted worldwide. To maintain ISO 27001 security standards and verify ongoing compliance, One North will continue to improve its ISMS framework, conduct annual third-party surveillance reviews and undergo recertification every three years.
“Even prior to attaining ISO certification, One North maintained impressive security standards,” said Information Navigators CEO Mike Kolb. “As its consultant through the ISO process, we worked with the agency to provide guidance throughout the audit phases. One North’s impressive security maturity instills confidence in its ability to protect clients’ data, digital properties and, ultimately, their brands.”
One North was audited by PECB (Professional Evaluation and Certification Board), a global provider of training, examination, audit and certification services. For more information on One North’s ISO 27001 certification, please visit onenorth.com/security.
About One North
One North is a digital agency that partners exclusively with professional services organizations to create interactive platforms that enhance the client experience, drive new business and attract top talent. The agency specializes in brand, digital strategy, experience design, technology and managed hosting, and has deep expertise within the legal, consulting, finance, accounting, engineering and construction industries. Nearly 100 curious and passionate professionals collaborate to produce award-winning digital solutions that inspire, perform and endure. For more information, visit www.onenorth.com or connect on LinkedIn, Facebook and Twitter.
Protecting Your Law Firm: Experts Discuss Website and Data Security
An excerpt from a Q&A interview that originally appeared in Peer to Peer ILTA
It is one thing to understand the importance of law firm cybersecurity but another entirely to thwart increasingly sophisticated cyberattacks. Such attacks can harm a law firm’s digital presence and integrity and result in issues ranging from blocked website traffic to exposed confidential client information. We recently sat down with Michael Kolb, chief information and security officer at Dickinson Wright, and Zachary Peer, technology director at digital agency One North, to discuss how to keep websites and data secure.
How has digital security evolved with technology?
Michael Kolb: As more data becomes available online, so do the risks associated with hosting it. Law firms have a duty to keep data secure. Fortunately, they can use processes and technologies to keep their websites and client data safe.
What drives law firms’ motivation to keep their sites secure?
Michael: A website is often the first place an attacker begins looking for information to exploit, so it is important to keep it secure. When Dickinson Wright began to receive security questionnaire requests from clients, we decided to pursue ISO 27001 certification to assure our clients that we protect their data. Clients expect a certain level of security and if a law firm cannot deliver, it may lose trust, then business.
What digital security issues remain top-of-mind for law firms, and how do you address them?
Michael: Data protection is the most important aspect of security, but not all data are created equal. Data should be sorted into four tiers: confidential data, internal firm data, user data and public data. Information security management systems classify the data. Depending on the classification, law firms can apply different levels of security to the dataset. For example, everyone can access public data, but only a certain level of employees can access other data. Additionally, many threats originate from socially engineered phishing scams. While implementing technology is important, employee training is essential to block many cyberattacks. After the Equifax breach, for example, I sent a phishing email that requested employees enter their credentials to ensure they were unaffected. This test helped them understand the need to exhibit caution when they were asked for their information.
What advice do you provide your employees on digital security?
Michael: All law firms should train employees on how to keep data secure and never take any knowledge for granted. At Dickinson Wright, we provide seminars for new and veteran employees. As part of our ISO certification, we conduct annual security meetings and quarterly phishing tests.
How will law firms’ investment in digital security change?
Michael: Investment in digital security will keep increasing. As long as law firms hold important client data, bad guys will keep trying to steal it.
Fortunately, 95 percent of security can be achieved through basic, inexpensive initiatives such as password policies. This allows law firms to allocate their security budget to the remaining five percent to thwart the most malicious hacking schemes.
What are the biggest digital security threats that law firms face?
Michael: Social engineering attacks are also becoming more prevalent. Hackers learn or capture the identity and a few unique characteristics – like favorite sports teams – of a law firm’s legitimate client and start phishing. They can then create and send emails from an extremely similar address, making it nearly impossible for the recipient to catch the difference.
What does the future hold for digital security?
Michael: Dickinson Wright is implementing biometric authentication. We now use fingerprint scanners, which employees use to log into their computers. This relatively new concept comes with limitations; for example, some computers are not yet compatible with the scanners.
Law firm earns ISO/IEC IT certification
A law firm has earned an information technology certification aimed at keeping information assets secure.
Detroit-headquartered Dickinson Wright, which has an office in Grand Rapids, said last month it achieved ISO/IEC 27001:2013 certification, after several years of work by its IT department.
Dickinson Wright said it is the first firm in the state to receive the certification.
Michael Kolb, chief information and security officer at Dickinson Wright, said the certification is an “important step” in ensuring the firm’s IT services are “secure and efficient” for clients.
The certification covers a number of IT functions: document management service, email service, remote access service, client-share service and mobile device management.
Kolb said ISO/IEC certification allows the firm to “continually improve” its information security management system and process.
He added the certification allows the firm to streamline its efforts to provide additional security for clients when handling highly sensitive matters.
The ISO/IEC 27001:2013 standards provide requirements for establishing, implementing, maintaining and continually improving an information security management system.
Dickinson Wright said the information security management system is designed to “preserve the confidentiality, integrity and availability” of information, by applying a “risk-management process.” It also gives “confidence” to interested parties that risks are adequately managed.
Certification is maintained through periodic surveillance audits.
ISO/IEC 27001:2013 is an update to ISO/IEC 27001:2005.
There were 664 certificates issued in the U.S. during 2014 for ISO/IEC 27001:2013, according to the International Standards Organization, or ISO, which developed the standards.
Why Your Firm Should Demonstrate Information Security
With audits and inquiries on the rise, and clients increasingly demanding that law firms demonstrate a significant commitment to information security, it may be time for a systematic approach.
Consider ISO/IEC 27001:2013 certification, a set of standards to show there is an information security management system in place.
At Dickinson Wright, we have seen a substantial increase in information technology audits and requests from our clients over the past several years, particularly in the financial services industry. Although we have always been strong within the security space, the firm decided, as a result of these ongoing requests, to take a more formal approach by obtaining ISO/IEC 27001:2013 certification. This path put formal security and risk management controls in place to reassure clients that we are following industry best practices with regard to the security of their data. It has not been an easy process, as certification took several years of documentation and validation of all of the various security controls contained within the standard, but it’s a necessary step in today’s information security management environment.
The ISO/IEC 27001:2013 standards have been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. It is designed to preserve the confidentiality, integrity and availability of information by applying a risk management process while providing confidence to interested parties, particularly clients, that risks are being adequately managed.
1. Inter-Departmental Cooperation
Although many law firms believe that information security management is solely an IT function, it is in reality a firm-wide responsibility. Through the ISO 27001 certification process, we worked with various departments within the firm (Accounting, HR, etc.) to develop and implement firm-wide processes to keep the firm’s information and assets secure. Sometimes this meant refining processes that were already in place and combining them with new processes to make one streamlined set of policies and procedures. The result is that instead of each department having its own processes, we now have a unified and efficient approach to information security.
2. Educating Employees on the Importance of Information Security
Once a law firm receives ISO/IEC 27001:2013 certification, the process doesn’t simply stop. To maintain ISO certification a law firm must be annually audited to ensure that the processes developed as part of the ISO implementation are continually followed and updates to the process, where needed, have been applied. This also means that all employees must be trained and educated on the firm’s information security management tools. For example, we periodically test our employees with a phony phishing attack to make certain that they do not compromise the security of the firm by giving away their network credentials, and provide them re-training when necessary.
3. Developing a Proactive Approach to Information Security
As client interest in information security grows, including audits that are conducted by the clients themselves, ISO 27001 certification is becoming an essential step in maintaining and acquiring new clients. ISO certification can be seen as proof that any security issues are being proactively addressed, reassuring existing as well as new clients that the firm is taking information security management seriously. Additionally, employees and management alike can rest easy, knowing that the firm has plans in place for contingencies ranging from everyday tasks to significant catastrophes.
Although the process of obtaining ISO/IEC 27001:2013 certification was not easy, I have already seen the benefits take hold with increased inter-departmental cooperation as well as an increased awareness among our employees regarding the importance of information security management. Furthermore, the firm is significantly better prepared to respond to client inquiries and better able to assure them that their data is secure.
The article originally appeared in Bloomberg Law.