#NCSAM Week 2: A Shared Responsibility for Security at Everlaw

Week 2: October 9-13

Theme: Cybersecurity in the Workplace is Everyone’s Business

This week’s theme—“Cybersecurity in the Workplace Is Everyone’s Business”—highlights the ways businesses of all types can protect themselves, their employees, and their customers against the most common security threats.

Creating a culture of cybersecurity from the breakroom to the boardroom is essential and is a shared responsibility amongst all employees. Every organization needs a plan for employee education, training, and awareness that emphasizes risk management, resistance, and resilience.

cyber security at Everlaw

The National Cyber Security Alliance (NCSA) leads a nationwide program called CyberSecure My Business, providing resources and workshops to help businesses increase their security. As part of this program, NCSA translated the NIST Cybersecurity Framework into user-friendly guidance to help businesses identify and prioritize their security actions and manage risk.

The Framework consists of the steps below, which are not intended to be static. These steps can be performed on a continuous basis to form both a culture of security and a team capable of addressing dynamic security risks. Read on for more information about how Everlaw follows this Framework:


Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Everlaw takes a holistic approach to our internal governance program and system of internal controls. Our Information Security Policy states that information security is a team effort requiring the participation of everyone who comes into contact with Everlaw information or information systems. To that end, our internal program includes regular meetings of the Risk Committee and Security Management Team, led by our Director of Security and Compliance, and including our CEO. With this approach, we ensure the organizational capability to uphold ethical business practices, as well as comply with existing customer commitments and applicable laws and regulations.


Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure, supporting the ability to limit or contain the impact of a potential cybersecurity event.

All new Everlaw employees receive targeted security and compliance training during their first week of employment in a meeting with the Director of Security and Compliance. Everyone on the team is also required to participate in an annual face-to-face information security training and complete additional training on relevant topics, such as the OWASP Top Ten. In addition to our operational security controls, we focus on team training and education to reinforce the shared responsibility for keeping Everlaw secure.


Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Everlaw conducts regular internal security policy monitoring in addition to the independent vulnerability scanning and penetration testing as part of our SOC 2 Type II certification. Our engineering team is responsible for reviewing system activity for indicators of a potential security incident in order to prevent, detect, and contain a security threat. If an alert rises to the level of a security threat or incident, we have a defined process in place to notify the Security Management Team and implement our procedure.


Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Everlaw’s Incident Reporting and Response Policy contains a procedure for incident management with a clear escalation path to both the Director of Security and Compliance and the CEO, with steps for breach notification. We also have a Business Continuity Policy and detailed BCP and Disaster Recovery Procedure that is tested on an annual basis (most recently in August 2017). We have personnel trained and certified in the Incident Command System, with experience responding to major incidents.


Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

The Risk Committee and Security Management Team collaborate on Everlaw’s Business Continuity Plan and Disaster Recovery Procedure, so that any new security or recovery risks can be addressed in our procedure. As mentioned above, we also test this procedure every year.

Thanks for celebrating NCSAM with Everlaw! See our Week 1 NCSAM update here.

Come back next week for our Week 3 NCSAM update.