Security Statement

Law In Order understand that the security and privacy of our clients’ data is critical to delivering successful outcomes in every client engagement. Therefore, we have put in place physical, technical, and administrative controls based on ISO27001 standards to ensure that security is integrated into the products and services we deliver to provide a best-in-class experience to our clients.

As a testament of our commitment to security, we have implemented policies, processes, and controls and established a dedicated security team to manage our information security program, led by our Information Security Officer.

Security and Compliance

Law In Order maintains an industry-leading security program that is based on a layered security approach. Security measures are incorporated at every level of our organisation to compound their effectiveness.

We actively maintain ISO/IEC 27001 certification, an internationally recognised standard for information security management systems.

Law In Order has also aligned with the ASD Essential Eight mitigation strategies, implementing the recommendations and best practices, and regularly assessing and improving upon our maturity level which is currently at Level 3.

A series of policies and procedure documents are maintained and reviewed at least bi-annually or as and when significant changes occur, or risks are identified.

Physical Security

Our world class data centres are protected by multi-layered, physical access security controls including access controls for general and restricted areas such as server rooms, data centres, operations floors, etc. Access levels to personnel are provided following the least-privilege principle and restricted to only those necessary for the delivery of services.

All our data centres are certified in ISO 27001 and critical data centres hold IRAP, SOC1 Type II, and SOC 2 Type II certifications.

Data and Systems Security

At Law In Order, we treat all client data as confidential and implement our systems and processes with the highest level of security possible. Data transfers are facilitated using best-practice encryption and data transfer methods. Access to data and systems is provided using unique user accounts, strong passwords, and MFA (multi-factor authentication). Access and permission levels is provided in a “least-privilege” approach and limited to only those approved personnel deemed necessary to deliver requested services. Access logs are reviewed regularly, and permission levels are modified as required and recorded in our IT service desk system.

Data is retained in accordance with our Data Classification and Retention policies that vary according to services requested or as specifically requested by our clients. Data is securely deleted using best-practice methods and destruction certificates are available upon request. We have dedicated staff managing all aspects of data management and governance to ensure we maintain our high security standards.

Personnel Security

Personnel undergo employment screening at Law In Order which includes having their identity and working rights status verified; at minimum have two professional references checked and cleared; and have completed and cleared an Australian Criminal History Check before being offered employment.

Employment at Law In Order is subject to ongoing conditions of engagement including and not limited to, eligible working rights, understanding and abiding by company policies including Privacy and Confidentiality and Code of Conduct and that training is routinely completed.

Privacy

Law In Order understand that privacy and how we collect, use, disclose, and protect information is important to our clients. We are committed to ensuring the privacy of our clients’ information and to complying with the Australian Privacy Principles (APPs), which are contained in the Privacy Act 1988 (Privacy Act).

Law In Order has a dedicated Customer Data & Privacy Officer responsible for privacy and compliance with privacy legislations and obligations.

Asset Management

Law In Order maintain asset registers for hardware, software, and information assets and are managed in accordance with relevant policies. Asset registers are used to document and manage ownership, accountability, and lifecycle management. Reviews are conducted annually or as and when required in response to significant changes.

Access Control

Law In Order maintain an Access Control Policy that sets out how Law In Order provide access to information, information processing facilities and business processes to approved employees.

Access to data is provided using least-privilege approach for all user and privileged accounts and restricted to only those required to deliver the commissioned services.

Security Operations and Incident Management

An industry-leading managed security service provider ensures timely identification and response to security incidents within our environment. Our partner takes on the 24/7/365 monitoring of our environment, analysis, escalation and reporting of potential threats and incidents that are remediated by internal SMEs and/or external partners. A comprehensive Incident Response Plan including identification, containment, remediation, and reporting processes is maintained and reviewed on a regular basis.

Software Development

Law In Order follow the Agile Software Development Life Cycle (SDLC) methodology which is a combination of both iterative and incremental process model. A commercial code quality and code security solution is also used at various stages of development and prior to release to identify issues. Our development activities are aligned with OWASP best practices and addressed in our SDLC and code reviews.

Network Segmentation

Law In Order environment is subdivided into four key network segments. Zones include user endpoints, servers, management, voice, wireless, and DMZs where applicable. Controls are in place to restrict access as required.

Secure Environment

At Law In Order, we use best-in-class security solutions to keep our environment and data safe. Endpoints are protected from cyberattacks and sophisticated threats by an advanced AI-based endpoint protection solution. Regular vulnerability scans, penetration tests, and external security posture monitoring ensure our environment is protected against ever-evolving threats.

Training and Awareness

Law In Order staff undergo mandatory security awareness training at induction and to existing staff on regular intervals. Course material and assessments are delivered using an online LMS (Learning Management System) which includes progress tracking and escalations to management.

Business Continuity Planning

Law In Order maintain a Business Continuity Plan in the event of significant interruptions such as power outages, software/hardware failures, building damage, health/pandemic issues, and others.

It includes a plan of action to facilitate an orderly recovery of key business and support functions, provision for remote working for all employees, and enabling of a cold recovery site if necessary.