Information security is a high priority concern for both corporations and law firms during the eDiscovery process. The challenge is translating this concern into everyday practice. Failing to properly implement security controls can expose your company's or client's most critical information to vulnerabilities and risks. At Daegis, we believe that a systematic approach based upon a formal management system is the best way to ensure the highest level of information security. In this webinar, Doug Stewart, Director of Technology at Daegis, will detail:
- Why a process driven approach to information security is needed
- Who should be responsible for information security during the eDiscovery process
- What the hallmarks of good information security controls are
- How to evaluate information security practices in your eDiscovery partner or vendor
Information Security – A Systematic Approach to Protecting Your Organization’s Data During the eDiscovery Process
1. Information Security – A Systematic Approach to Protecting Your Organization's Data During the eDiscovery Process
Doug Stewart, Director of Technology
June 28, 2011
2. Today's Topics
Why a process driven approach to information security is needed
Who should be responsible for information security in the eDiscovery process
What are the hallmarks / best practices of good information security in the eDiscovery process
How to evaluate the information security practices of your eDiscovery partner or vendor
3. Information Security
The term "information security" means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
availability, which means ensuring timely and reliable access to and use of information.
44 U.S.C. § 3542(b)(1)
Most think of Info Sec in terms of confidentiality.
Confidentiality – unauthorized access to data.
Integrity – stubbing in an email archive so attachments are missing.
Availability – is data available when needed?
*Forces me to take a broader view of Info Sec, thus my controls will be more complete.
Why a systematic approach? More complete / comprehensive. Addressed ad hoc, some issues will be missed. Most organizations have many good info sec practices, but they are not tied together and managed as a complete system. Systematic leads you to a more complete solution.
What is a systematic approach? Notice the overlap with good project management or quality management. Add eat fruits & vegs and floss and you have nearly a complete list of the things humans know they should do but sometimes fail to do.
Risk assessments are invaluable to the Info Sec process, so let's look at a sample one for an eDiscovery project – not complete.
Sample not meant to be complete – flavor, not actual. Notice the list of unique risks and shared risks. ID the risk and assess impact / probability.
*What are the key info sec risks in eDiscovery?
*OK, now that we know what it is and how to approach it, we need to ask who is responsible for Info Sec in the eDiscovery process.
1. People are more likely to follow procedures they had a role in developing, or at least had explained. When you don't know why, it is easier to cut corners.
*Once you have your team you need to focus on establishing best practices.
!!Key best practice is continual improvement. Take one minute to cover the Plan > Do > Check > Act cycle (Shewhart or Deming cycle): continual improvement. Really just the scientific method restated for business process.
*Now we know the what, how, and who of Info Sec in eDiscovery; how do you put this into practice?
Many RFI/RFPs do not ask about info sec. Of those that do, most focus exclusively on technology.
Certs:
ISO 27001 – auditable standard with 133 info sec controls. It is an international info sec standard.
SAS 70 – accounting standard that can be used to audit user-identified controls.
EU Safe Harbor et al. – self-certification that demonstrates an organization has processes in place to conform to the data privacy regs / laws in various non-US jurisdictions.
*Lastly I'd like to end by taking a deeper dive into ISO 27001 – a topic near and dear to my heart.
Cross-functional approach is mandated by the standard. No rock unturned approach. International and gaining in the US.
Companies / orgs certified include: Amazon Web Services, Bechtel Corp, PriceWaterhouseCoopers, United Nations, SAP.
Even if not going for certification, the framework can be applied to your eDiscovery practice.
Carmel Valley eDiscovery Retreat
Date: July 17-20, 2011
Location: Carmel, CA
Daegis' National Director of Consulting, Ann Marie Gibbs, will be participating in a panel discussion entitled "Who's In Charge Anyway?"
July 19, 2011 from 2:45pm-3:45pm in the Oak Room
Track 2: Who's in Charge Anyway?
Everyone seems to claim that the eDiscovery buck stops at their desk, but can the buck really stop at three different desks? This session will focus on who really carries the risk and who actually calls the shots in the eDiscovery arena generally, as well as at different stages of the process.
Moderator: George Socha
Speakers: Ann Marie Gibbs, Eric Sinrod, Jenny Hamilton, and Rebecca Arnold