It's all in the IT-security planning

When burst water mains took out all power to Norton Rose Group’s London head office, it was careful disaster-recovery planning that saved the day.

By Malcolm Todd

Norton Rose Group is an international legal practice, offering a full business law service from offices across Europe, the Middle East and Asia.

Knowing how our clients’ businesses work and understanding what drives their industries is fundamental to us. Our lawyers share industry knowledge and sector expertise across borders, enabling us to support our clients anywhere in the world. We are strong in corporate finance, financial institutions, energy and infrastructure, transport, and technology.

The Group comprises Norton Rose LLP and its affiliates. We have over 1,000 lawyers operating from offices in Amsterdam, Athens, Bahrain, Bangkok, Beijing, Brussels, Dubai, Frankfurt, Hong Kong, Jakarta*, London, Milan, Moscow, Munich, Paris, Piraeus, Prague, Riyadh*, Rome, Shanghai, Singapore and Warsaw (* associate office).

The head office in the More London estate overlooks the Thames on the south side of Tower Bridge in London. On Sunday 27 April 2008, it was subject to flooding from burst water mains. This had the adverse impact of taking out all power to the campus and making all copper-based telecommunication lines ineffective.

There has been a considerable focus, expenditure and priority on risk reduction to ensure the continuance of the business in all foreseeable circumstances. In this case, £6m had been invested in a remote production IT Data Centre (and associated world class technology) out by the M25 motorway.

This centre, which runs the IT for all of the UK and international offices is linked by high speed network ‘fibre’ cables to the head office via two completely separate routes for resilience and to the international office by resilience links into a BT network ‘cloud’. There are some local front-office systems (like e-mail and document management) in individual offices, but all the back-office applications such as finance, knowledge management, HR, contact management etc., are located centrally in this centre.

This set-up is augmented by a significant investment in remote working capabilities and dual telephony lines (fibre and copper) from the head office and the production data centre.

The result of this proactive investment is the assured security of client data and continuance of the Norton Rose Group IT services irrespective of any disruption to the head-office campus.

In this flood scenario of 27 April, the international Norton Rose community IT services continued unaffected and London based users, not having power in the building, could work either from home or from any available hot spot or internet café. The switchboard and HR emergency contact arrangement transferred seamlessly to the remote data centre and business returned to normal when the power stabilised on Wednesday 30 April. The business did not suffer from the experience and there was no loss of fee earning in the meanwhile.

Achieving this level of protection
Following a risk-assessment exercise years ago focused around the adoption of what was then called BS5750 (the then British Security standard), a project was executed to minimise/eliminate the perceived risks. When the top 60 per cent of these were cleared, a reassessment was done against the then ISO27001 International Security standard.

The above programme cleared a number of these risks but the review was more wide reaching and covered the financial, operational, reputation and external risks across the board. These covered such risk areas as:

Physical risks – power failure, system overload, misuse, corruption;
Software – unlicensed use and information leakage;
Electronic – unauthorised access/changes and hacking;
Paper – loss/damage/unauthorised disclosure;
Human – inadvertent/deliberate breach of policies by new employees;
Reputation – website/e-mail misuse and inappropriate internet usage.

These and others were scored against a criteria that multiplied a likelihood score against an impact score and defined ranges of major, medium and minor risks depending on the range of the totals.

The investment programme above, and parallel activities to further safeguard the remaining areas, led Norton Rose Group to a small residual set of medium and minor risks. All these risks had actions and ownership assigned and are part of the on-going ISO27001 certification process.

Within the ISO 27001 certification, the actual level of certification can be set within a band of compliance against the key controls. In Norton Rose’s case this band is set at a particularly high level as the minimum level was not deemed to be challenging enough (and already largely met three years ago).

One particular area that had considerable focus was on identifying risks posed by electronic communication, and the associated protection of client data, which the standard is quite definitive on:

E-mails (and other forms of messaging such as instant messaging) are an increasingly important and widespread communication tool, and the majority of messages are likely to be non-sensitive;
However, controls are required to ensure that any sensitive data transmitted via such systems are protected from unauthorised disclosure or amendment;
Messages sent by e-mail are particularly vulnerable as the sender has no control over what the recipient does with the message once received. For example, messages may easily be forwarded in their original or modified format to unauthorised persons.

Within Norton Rose Group we extend this to cover websites, video/voice recording, social networking sites, deal rooms, external USB memory sticks, removable media, remote workers working in internet cafes, hotels, etc. To address this:

Norton Rose Group has best-practice guides and induction processes to emphasise the correct procedure for using e-mail systems both for business mail and the limited use for personal correspondence;
Security in depth/layers and client encryption on demand;
Prevention of web mail and instant-messenger access;
We are monitoring use of social-networking sites and while not actively encouraging or restricting usage, are waiting to form a definitive policy on its use;
We have external e-mail virus scanning, internal content-management systems (and a final junk-mail option in outlook) – we do not have a large ‘spam’ issue;
The e-mail disaster-recovery system would fully recover the production system (which is housed remotely from our head office) within 15 minutes with no loss of data;
E-mail journaling, the compliant copying of every sent or received e-mail is positioned;
Web security is well developed and content/accesses monitored;
All peripherals on all our end-user devices are monitored;
An extensive suite of security tools is implemented that can both proactively detect any areas of potential exposure/unusual activity and fully analyse any unusual activity.

These tools also granularly limit staff ability to administer the environment to physically limit the risk of inadvertent exposure to sensitive data. The best practice guides emphasise that:

E-mails have the same legal status as written documents;
External e-mail messages should have the appropriate signature files and disclaimers;
Suspicious e-mail attachments or URL links from unknown senders must not be opened or forwarded to others;
Confidential or sensitive information should not be sent to a non-Norton Rose e-mail address, unless it is sent as a password attachment.

And the use of the internet is similarly caveated with policies:

Users must not attempt to access illicit websites – for example, containing inappropriate , racist or sexist material, violent images, terrorism or criminal activities;
Users must inform their IT support function straight away if they accidentally access an illicit website;
Home users with Norton Rose equipment must only connect to personal home internet links if authorised;
Users must not knowingly download software or programmes from the internet without the specific authorisation of their IT support.

The above is an illustration of how we deal with one particular aspect of this complex subject, but in general there is always a need to maintain usability while applying appropriate compliance and security controls. There are a number of ways in which this is achieved:

Security and compliance needs are embedded within our processes as transparently as possible;
We have an extensive monitoring and reporting regime, which includes an established HR process to deal with breaches in our acceptable use and security policy;
Where we have performance drivers to streamline access to systems, we cut down and segregate such access from other systems;
We have internal security controls within our applications and actively enforce compliance by filing e-mails in ‘matter centric’ document-management folders (the folder contains everything to do with a particular matter with access restricted to those approved to work on the matter), with appropriate access controls at the document and matter level.

With the use of e-mails in particular:

All centralised mailing lists must be owned and have procedures in place for their maintenance;
Special care is required when using mailing lists to ensure that mail is not sent to inappropriate persons;
Before introducing e-mail into business processes, the impact of change of communication media should be considered. Areas for consideration include the effect of increased speed of despatch;
The sender should be aware of legal considerations, such as the potential need for proof of origin, despatch, delivery and acceptance;
Remote user access to e-mail accounts must be adequately controlled;
A standard qualifier or disclaimer should be embodied in the text of all messages sent to external organisations;
Monitoring will consist of automated filtering – for example, to protect users from inappropriate incoming e-mails and files, and accidentally accessing inappropriate websites.

Where there is a business need to allow an organisation or individual access to Norton Rose information facilities, it must be controlled and secured, and third parties must complete a Corporate Confidentiality Agreement, read and understand the Acceptable Usage Policy and ensure information security is taken into account for all systems and services.

The underlying protection of the data and e-mails is assured by storage in at least two geographically diverse sites, with a minimum 12-year retention, and extensive search facilities and tools to enable speedy recovery.

As e-mails, knowledge and documents are the life blood of the company there are very high standards on the speed of recovery from any disaster-recovery incidents. There are also rigorous continuous test programmes to ensure it can be invoked not just for the UK campus and data centre, but also for International Offices front-office systems as well.

E-mail disaster recovery is a ten-minute process and document management 15 minutes. Both do not compromise data integrity.

ISO27001 certification is moving towards a mock compliance test later in the summer followed by formal certification early next year. This certification will be maintained by regular external audits where each member of staff will be randomly selected and interviewed to demonstrate that they know their security responsibilities.

Norton Rose Group is fully committed to its work in securing and safeguarding its client data in any circumstances and the recent recovery from the More London flood is testimony to the effectiveness of this strategy.

Malcolm Todd is head of systems delivery at Norton Rose LLP. He can be contacted at malcolm.todd@nortonrose.com