A comprehensive security and compliance audit for your law firm — written in plain English so you can actually act on it. Five deliverables. No jargon. No ongoing obligation.
ABA Model Rule 1.6(c) requires attorneys to make reasonable efforts to protect client information. Cyber insurance carriers ask whether you have documented policies, MFA, and an incident response plan before they issue coverage. This audit gives you both: a clear picture of your security posture and the documentation to prove it.
We assess your firm against the specific obligations state bars derive from ABA Model Rules 1.1 and 1.6. You get a gap analysis with clear next steps.
Carriers ask whether you have MFA, EDR, incident response plans, and training. We check every requirement and tell you exactly where you stand.
You walk away with a WISP, Acceptable Use Policy, Incident Response Plan, BYOD Policy, and Password Policy — customized for your firm.
Every finding includes a plain-English explanation of what it means for your firm and your clients. Technical details are there for whoever does the work.
Each document is customized to your firm based on the audit findings. Together, they form a complete compliance foundation that satisfies ABA obligations, insurance requirements, and client due diligence.
The core deliverable. A detailed report covering every aspect of your firm’s security posture — M365 configuration, identity and access controls, email security, endpoint protection, backup readiness, and compliance alignment. Every finding includes a plain-English explanation of what it means and why it matters, alongside the technical details for your IT support. Risk-rated from Critical to Low with specific remediation recommendations.
The foundational policy document that describes how your firm protects client data. Covers roles and responsibilities, technical safeguards, access controls, incident response procedures, vendor management, and annual review requirements. Required by ABA 1.6(c) and expected by most state bars and insurance carriers.
Four policies every firm needs: Acceptable Use Policy, Incident Response Plan, BYOD Policy, and Password Policy. Each written in plain English with clear rules staff can actually follow. Includes signature pages for staff acknowledgment.
A pass/fail/partial checklist for every critical security setting in your Microsoft 365 environment — MFA, conditional access, email protection, device encryption, audit logging, and more. Each item includes what it means in plain English.
A phased action plan (30/60/90 days + 12 months) that prioritizes what to fix and when. Includes owners, urgency levels, and plain-English explanations of why each item matters. Designed so you can hand it to any IT provider and they can execute.
Every issue we find is documented with a plain-English explanation you can understand, the technical details for your IT team, and a specific recommendation for how to fix it.
DMARC is an email-domain setting that tells receiving mail servers to reject or quarantine fake emails that claim to come from your firm. Right now, this protection is turned off. That means someone could send an email to your clients that appears to come from your firm’s address — and your clients would have no way to tell the difference.
Your team is likely reusing passwords or storing them in browsers and sticky notes. If one password is compromised, attackers can use it to access multiple systems. A password manager creates and stores unique, strong passwords for every account — so you never have to remember them.
If your firm suffers a data breach tomorrow, there is no written plan for who to call, what to do, or how to notify affected clients. Insurance carriers and state bars both expect you to have one. Without it, a bad situation becomes worse because the response is improvised under pressure.
A flat fee for law firms with 6–25 people. You own every deliverable regardless of whether you engage Froskr for ongoing services.
No obligation beyond this engagement. No lock-in.
Managed security services available separately if you want ongoing protection.
The entire process is remote. You never need to install anything or schedule an on-site visit.
Schedule your audit and grant read-only access to your Microsoft 365 tenant via a secure, standard Microsoft consent flow. We never see your passwords.
Over 5–7 business days, we review your M365 configuration, endpoint security, email protections, access controls, backup posture, and compliance alignment.
Your assessment report, WISP, policy bundle, scorecard, and roadmap — all customized, all written in plain English, all yours to keep.
We walk through the findings, answer questions, and help you prioritize. If everything looks strong, we tell you that.
Five deliverables: a comprehensive assessment report with plain-English explanations, a Written Information Security Program (WISP), a security policy bundle (Acceptable Use, Incident Response, BYOD, Password), an M365 security scorecard, and a phased remediation roadmap. Plus a 30-minute findings walkthrough call.
5–7 business days from the time we receive M365 tenant access. The findings walkthrough call is typically scheduled for the following week.
No. Every finding includes a plain-English explanation written for attorneys and firm administrators. Technical details are included separately for whoever will be doing the remediation work.
The audit is designed to assess your firm against ABA 1.6(c) requirements and produce the documentation (WISP, policies, risk assessment) that supports your compliance narrative. Froskr does not provide legal advice; final interpretation of bar rules remains with you or your ethics counsel.
You own every deliverable regardless of whether you engage Froskr further. If you want help implementing the remediation roadmap, Froskr offers ongoing managed security services on a per-seat monthly basis. There is no obligation or lock-in.
We can discuss your situation. The $3,500 assessment is designed for firms with 6–25 people. Smaller firms may benefit from our free M365 security assessment at assess.froskr.com as a starting point.
Fill out the form and we’ll send you a brief intake questionnaire and a scheduling link. Most firms are surprised by what the audit uncovers — and relieved to have a clear plan for addressing it.