Legal Information Security


Diagnosis: Legal Information Security Risk Points

  • Demonstrating compliance with the HIPAA Omnibus Rule to ensure that a violation of the principle of “least privilege” is addressed by internal risk assessment mechanisms to prevent it from escalating to breach notification and/or triggering CMS fines.
  • Securing mobile devices (phones, tablets, laptops) and wireless networks necessary to support mobility and BYOD requirements.
  • Demonstrating to increasingly vigilant clients that their sensitive data is being secured consistent with their requirements (e.g., penetration tests, Shared Assessments, SOC 2 Type I/II/III, ISO 27001).
  • Protecting your Document Management System in a way that achieves the partners’ objectives.

A Prescription for Law Firm CIO Pain

Addressing the unique challenges of legal information security requires a unique and flexible approach.

Compliance Simplified

Typical engagements include:

HIPAA (Omnibus) – Is the design of our environment consistent with the HIPAA Omnibus Rule? Are we segregating practices and supporting systems that contain PHI? Do our access control mechanisms prevent non-client personnel from accessing PHI? HIPAA Gap Assessments are commonly done during a broader Gap Assessment to provide significantly greater value at moderately additional cost.

Shared Assessment/ISO 27002 Gap Assessment – Increasingly, law firms recognize that the best way to know they’re secure and prove they’re compliant with a myriad of regulations is to align their Information Security Management System (ISMS) with a Security Framework. Is the design of our environment consistent with prevailing guidance? Gap Assessments may be scoped to address different elements (e.g., Document Management Systems, eDiscovery, Litigation Support Systems).

Design/Compliance Assessment support via Vulnerability Assessments and Penetration Tests across the network/applications/people/facilities layers to ensure vulnerability and configuration management and Security Awareness practices are operating as intended.

Attestation (Proof) Simplified

Typical engagements include:

  • ISO 27001 Consulting Services to work collaboratively with the law firm to develop an Information Security Management System that is capable of being certified via the ISO 27001 standard. ISO 27001 provides the strongest, most widely accepted/recognized form of third-party attestation.
  • Penetration Tests (Application/Network/Physical) to provide independent and objective proof of the net security posture. This is often an important form of “interim” attestation if the service provider is in the process of achieving a higher level of attestation (e.g., ISO 27001, SOC 2).

Why Partner with Pivot Point Security?

Pivot Point Security has the right combination of Information Security/Compliance domain expertise, technology industry knowledge and experience, and organizational character to help you define and execute on the best course of action so you can know you’re secure and prove you’re compliant.

  • Domain expertise means we know the ins and outs of the key regulations (e.g., HIPAA, PII) that a law firm is subject to. It also means that we are experts in the Security Frameworks (ISO 27001, ISO 27002, OWASP, NIST, AICPA TSP (SOC2)) that should form the basis of the Information Security Management System you architect as the basis of the attestation you provide to your customers.
  • Legal sector experience means that we understand the challenge of selling the partners on the need to implement more restrictive policies.
  • Organizational character means we have the competence to do the job well in a transparent and straightforward manner that you’ll appreciate.



Meet Henryk

He’s the CIO of an NLJ 250 firm… already worried about increasingly vigilant client security requirements / questionnaires.

Now the partner who runs Medical Device & Health Care Litigation wants to discuss the HIPAA Omnibus Rule and how Protected Health Information (PHI) needs to be segregated within the firm’s Document Management System.

He needed somewhere to turn.
