Information security is a high priority concern for both corporations and law firms during the eDiscovery process. The challenge is translating this concern into everyday practice. Failing to properly implement security controls can expose your company or client’s most critical information to vulnerabilities and risks. At Daegis, we believe that a systematic approach based upon a formal management system is the best way to ensure the highest level of information security. In this webinar, Doug Stewart, Director of Technology at Daegis will detail: -Why a process driven approach to information security is needed -Who should be responsible for information security during the eDiscovery process -What are the hallmarks of good information security controls -How to evaluate information security practices in your eDiscovery partner or vendor

1. Information Security – A Systematic Approach to Protecting Your Organization’s Data During the eDiscovery Process Doug Stewart, Director of Technology June 28, 2011

2. Today’s Topics Why a process driven approach to information security is needed Who should be responsible for information security in the eDiscovery process What are the hallmarks / best practices of good information security in the eDiscovery process How to evaluate the information security practices of your eDiscovery partner or vendor 2

3. Information Security The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide— integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and availability, which means ensuring timely and reliable access to and use of information. 44 U.S.C. § 3542(b)(1) 3

5. Risk Assessment and Treatment

6. Collaborative / 360° View

7. Continual Improvement

8. Documented

9. Audited4

11. In place data (low)

12. Collection and preservation (high)

13. Law firm:

14. Stored data (high)

15. Internal eDiscovery systems (low)

16. Vendor:

17. Stored data (high)

18. Process and host data (low)

19. All:

20. People (very high)

21. Process (high)

22. Technology (medium)

23. Transportation of data (very high)

24. Production sets (high)

25. Extra copies (high)5

27. Hand-offs between parties

28. Changes / Cutting Corners / Rushes

29. Red flags

30. General Lack of Awareness

31. Treating information security as an IT issue

32. Uncontrolled Copies

33. Shared Accounts / Uncontrolled Access

34. Lack of audit trail / Chain of Custody6

36. Cross-functional teams including IT, operations, PM’s, specialists, records and legal

37. A collaborative approach is needed

38. Corporation(s)

39. Law firm(s)

40. Vendor(s)

41. Including an information security section in the project plan is an excellent way to foster collaboration7

43. Implement DLPCheck / Audit 8

44. Continual Improvement Quality & innovation cycle: TQM, Six Sigma, ISO 9000 & 27001 Source: Shewhart / Deming

47. Auditable international standard with 133 controls

48. SAS 70

49. Less defined than ISO27001 but widely used in the US

50. EU Safe Harbor and Similar

51. Certification needed to handle data from the EU and other jurisdictions10

53. ISMS

54. Policies and procedures to implement controls

55. Scope must be defined

56. Management sponsorship and review

57. Continual improvement through well-defined preventative / corrective action and change management systems

58. Scheduled internal and external audits

59. User Awareness / Understanding of Obligations11

60. Questions? 12

63. ILTA Annual Meeting, Booth #423August 21 – 25, 2011 | Nashville, TN

64. Association of Corporate Counsel Annual MeetingOctober 23-26, 2011 | Denver, CO13