Contrary to what you might think, a legal office could well be compared to a care institution. Both types of organisations deal with many changes to their staff composition. Care institutions in particular employ temporary staff, while legal practices have students and interns who are constantly taking up and completing their employment there. This has consequences for access and user management, of course.
“Legal practices have to cope with excessive numbers of movements,” said Loet van Eeten, ICT consultant with the legal practice NautaDutilh in the Netherlands. “We have law students with us who arrive as interns then return to their education then come back to us for their dissertations then go back to their courses again, and finally end up actually working for us. Sometimes they also gain experience in a foreign office. For a thousand employees we would be processing 40 to 50 movements a month.”
In addition to these staff movements, law firms must deal with documentation files, where documents have to remain available for years, so it’s vital that each user ID is only ever used for one identity. Once a login name has been used for one person, the same login name cannot be used for someone else (if, for example, the initial and surname of the individuals are identical). The many movements and documentation files mean that user accounts have to be handled very carefully indeed.
“We have to prevent user IDs being used again by another person, while ensuring that when people return to work they can access their files and archived e-mails,” van Eeten said.
HR AS SOURCE
One way to improve the staff inflow, throughflow and outflow processes is to automate them. “We did this by first drawing up a full inventory of the various processes involved in managing user accounts,” van Eeten said. “Because this involves many different staff departments here, it’s important to listen well to the stakeholders and interested parties.” One way of automating user account management is to achieve direct synchronisation between the HR system (the source) and the network. When an employee is initially entered into the HR system, a user account (including e-mail and access to the file system) is created. “We use (access management) software for this,” said van Eeten. “This software also keeps track historically of which user IDs are in use or have been used.”
A major advantage of using this HR connection is that user account management occurs accurately and with fewer errors. Smaller legal offices also benefit significantly from automating user account management, in efficiency terms.
Sebastiaan Hogenboom, IT coordinator for the legal practice Kennedy Van der Laan in Amsterdam, said, “For our office it is also important that IT is aware of the arrival of new employees. This prevents staff not being able to get to work immediately.
“Even more important is that people terminating their service no longer have access to the network, so that information security remains guaranteed. To organise this we use identity and access management software. We’ve now got all this running like clockwork with the identity and access management software. When employees leave the company, the user account is disabled automatically. User accounts are not deleted because there is a possibility that staff may rejoin the company at a later date. Should this be the case, the old account is reactivated, possibly with other authorisations.”
“Using this software has let us put aside our dependence on people to manage user accounts,” added van Eeten. “Previously, changes to user accounts were not implemented if the person responsible was on holiday or off sick, for instance. And if that person also acted as a conduit to other people in the process, then the process would grind to a halt entirely. That produced a whole heap of frustrations.”
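The joiner, leaver and rejoiner handling described above can be sketched as follows. This is an added example, not code from either firm or from the software they use; the `AccountRegistry` class, the HR employee key, the login naming scheme and the sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    login: str
    employee_id: str              # stable person key from HR (assumed to exist)
    enabled: bool = True
    roles: set = field(default_factory=set)

class AccountRegistry:
    """Remembers every login ever issued, so one login means one person forever."""
    def __init__(self):
        self.by_login = {}        # login -> Account; entries are never deleted
        self.by_employee = {}     # employee_id -> login

    def _new_login(self, initial, surname):
        base = (initial[0] + surname).lower().replace(" ", "")
        login, n = base, 1
        while login in self.by_login:   # taken now OR at any time in the past
            n += 1
            login = f"{base}{n}"
        return login

    def hr_joined(self, employee_id, initial, surname, roles):
        login = self.by_employee.get(employee_id)
        if login is not None:           # returning person: reactivate old account
            acct = self.by_login[login]
            acct.enabled, acct.roles = True, set(roles)
            return acct
        acct = Account(self._new_login(initial, surname), employee_id, True, set(roles))
        self.by_login[acct.login] = acct
        self.by_employee[employee_id] = acct.login
        return acct

    def hr_left(self, employee_id):
        acct = self.by_login[self.by_employee[employee_id]]
        acct.enabled = False            # disabled, not deleted
        acct.roles = set()              # assumption: authorisations re-granted on return
        return acct

def demo():
    # Constructed HR events: two people sharing initial and surname.
    reg = AccountRegistry()
    first = reg.hr_joined("E001", "J", "Jansen", {"intern"})
    reg.hr_left("E001")
    second = reg.hr_joined("E002", "J", "Jansen", {"civil"})
    back = reg.hr_joined("E001", "J", "Jansen", {"notarial"})
    return first.login, second.login, back.login, back.enabled
```

The second J. Jansen gets a different login even though the first account is disabled at that moment, and the returning intern gets the original login back with new authorisations.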
Another reason to arrange access to information carefully is the so-called “Chinese walls” that legal offices use. Chinese walls are invisible “walls” between business units within the same practice, to prevent any conflicts of interest between staff of two or more business units serving the same client. Many legal offices have both a notarial and a civil law section, and have a legal obligation to separate these two disciplines.
“The civil lawyer is not allowed to have access to the notarial files,” said Hogenboom. “And so it’s essential not to make any mistakes in granting access to network shares, for instance.”
“That’s why we are now focusing on role-based access control (RBAC),” added van Eeten. “Once we have set up RBAC properly then we can be 100 percent certain that employees only have access to the information they need for their jobs, no more and no less.”