Information Security Program Overview and Governance

ISO 27001:2013 and ISO 27701:2019 Certified

Systems and data are protected by a comprehensive ISO 27001:2013 and ISO 27701:2019 certified security program which supports NIST SP 800-171 for the Protection of Controlled Unclassified Information in Non-Federal Information Systems and Organizations, the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the American Bar Association’s Formal Opinion 477R for Securing Communication of Protected Client Information. Dedicated security, privacy, information governance, and compliance professionals maintain the program with oversight provided by senior management through Cooley’s internal Information Security and Privacy Forum. The Information Security Forum conducts an annual risk assessment, reviews risks regularly and tracks risks using a process compliant with ISO 27005. The following policies govern the program:

Acceptable use policies

  • Access
  • Passwords
  • Mobile device/BYOD
  • Remote access
  • Electronic communication
  • Internet usage
  • Data and information
  • Media handling

Security policies

  • Asset & risk management
  • Human resource security
  • Awareness & education
  • Physical and environmental security
  • Operational security
  • Privileged account management
  • Vendor/supplier management/onboarding
  • Security incident

Audit

The firm is audited annually, both through an independent internal audit function and through a certifying body, under the ISO 27001:2013 and ISO 27701:2019 frameworks. Additionally, the firm regularly monitors and audits its security, privacy and information governance people, processes, and controls to ensure compliance with policies and applicable security and privacy standards. The firm conducts an independent external penetration test annually and regularly scans its external and internal network for vulnerabilities. The firm’s security program is regularly audited by its clients.

Architecture

The firm maintains its systems and data in hardened SOC 1 Type 2 certified datacenters. Data and systems are replicated and backed up to secondary datacenters. Systems are securely designed and all systems are reviewed by the security team before being put into production.

Perimeter security

The firm protects data, servers, and endpoints on the network using a variety of best-of-breed security controls, including next-generation firewalls, web filtering gateways, email gateways, honeypots, and targeted attack protection. These controls allow the firm to block access to suspicious and malicious sites, IP addresses, emails, and attachments. Targeted attack protection is used to find and mitigate zero-day attacks delivered through email by using URL rewriting, attachment sandboxing, and email recall.

Data controls

Client data is classified, protected according to its classification, encrypted at rest and in transit, logically separated and access granted to authorized users only. File integrity monitoring systems log and monitor access to data while data loss prevention systems control the movement of data inside and outside of the firm.

Access controls

Access and processing capabilities are limited to authorized users from authorized devices. A unique user ID with a complex password that rotates every 120 days is assigned to every authorized user and is required to log in. Remote access requires two-factor authentication using tokens that randomly regenerate every 60 seconds. Privileged system credentials are stored, managed, and tracked in a privileged account management system.

Endpoint security

All workstations and mobile devices are encrypted with whole-disk encryption and require a password, PIN, or biometrics to access. Workstation inventories, software deployment, and security policies are controlled through Microsoft’s SCCM. Only authorized software can be installed, through the firm’s software library. All mobile devices require registration with the firm’s mobile device management system. Workstations and servers are protected with advanced endpoint protection, which uses AI to assist in combating threats. Portable workstations left unattended in Cooley offices are physically secured.

Incident response

The firm’s Security Incident Response Plan requires that all security events be evaluated and escalated when appropriate. A security information and event management (SIEM) system maintains and analyzes all security logs. Logs are regularly reviewed for suspicious activity and unusual behavior by dedicated security personnel. Memberships with the Legal Services Information Sharing and Analysis Organization and FBI InfraGard, along with close working relationships with law enforcement, provide additional threat intelligence and analysis. The firm has cyber insurance.

Business continuity and disaster recovery

The firm has a business continuity and disaster recovery plan that is regularly tested. Firm and client information is protected by high-availability systems, backup services, data replication, and redundant co-located datacenters.

Awareness and education

Employees are required to attend annual security awareness training. Monthly newsletters and, when warranted, security alerts reinforce awareness and education through the year.

Vendor management

The security team assesses all vendors against a series of criteria based on the ISO 27001:2013 and CIS 20 standards before granting a vendor system access or placing its systems into operation. Each vendor undergoes a privacy impact assessment, and all contracts and data processing agreements are reviewed by attorneys before execution. Vendors are granted access only to the information required to perform their duties under the agreed-upon statement of work. A vendor access management system controls and logs all vendor access to firm systems.