Information Security – A Systematic Approach to Protecting Your Organization’s Data During the eDiscovery Process

Information security is a high priority concern for both corporations and law firms during the eDiscovery process. The challenge is translating this concern into everyday practice. Failing to properly implement security controls can expose your company or client’s most critical information to vulnerabilities and risks. At Daegis, we believe that a systematic approach based upon a formal management system is the best way to ensure the highest level of information security. In this webinar, Doug Stewart, Director of Technology at Daegis will detail:

- Why a process driven approach to information security is needed
- Who should be responsible for information security during the eDiscovery process
- What are the hallmarks of good information security controls
- How to evaluate information security practices in your eDiscovery partner or vendor

Published in: Technology
  1. Information Security – A Systematic Approach to Protecting Your Organization’s Data During the eDiscovery Process
     Doug Stewart, Director of Technology
     June 28, 2011

  2. Today’s Topics
     - Why a process driven approach to information security is needed
     - Who should be responsible for information security in the eDiscovery process
     - What are the hallmarks / best practices of good information security in the eDiscovery process
     - How to evaluate the information security practices of your eDiscovery partner or vendor

  3. Information Security
     The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
     - integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
     - confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
     - availability, which means ensuring timely and reliable access to and use of information.
     44 U.S.C. § 3542(b)(1)

  4. Process Driven Approach
     Systematic Approach:
     - Risk Assessment and Treatment
     - Collaborative / 360° View
     - Continual Improvement
     - Documented
     - Audited

  5. Sample Risk Analysis
     Corporation:
     - In place data (low)
     - Collection and preservation (high)
     Law firm:
     - Stored data (high)
     - Internal eDiscovery systems (low)
     Vendor:
     - Stored data (high)
     - Process and host data (low)
     All:
     - People (very high)
     - Process (high)
     - Technology (medium)
     - Transportation of data (very high)
     - Production sets (high)
     - Extra copies (high)

  6. The Dominant eDiscovery Risks
     - Mind the Gap
     - Hand-offs between parties
     - Changes / Cutting Corners / Rushes
     - Red flags
     - General Lack of Awareness
     - Treating information security as an IT issue
     - Uncontrolled Copies
     - Shared Accounts / Uncontrolled Access
     - Lack of audit trail / Chain of Custody

  7. Who is Responsible?
     - Information security is not an IT problem
     - Cross-functional teams including IT, operations, PM’s, specialists, records and legal
     - A collaborative approach is needed:
       - Corporation(s)
       - Law firm(s)
       - Vendor(s)
     - Including an information security section in the project plan is an excellent way to foster collaboration

  8. Hallmarks & Best Practices
     Controls:
     - Create a project plan that addresses information security issues
     - Encrypt all data when in transit
     - Encrypt all deliverables
     - Ensure all parties understand information security obligations
     - Restrict copies
     - Limit access to business need
     - Lock down access by IP
     - Implement DLP
     Check / Audit

  9. Continual Improvement
     Quality & innovation cycle: TQM, Six Sigma, ISO 9000 & 27001
     Source: Shewhart / Deming

  10. Evaluating Information Security
     Ask Questions:
     - RFI / RFP process is a great place to ask questions
     - Ask people, process and technology questions
     Look for Certifications:
     - ISO 27001
       - Auditable international standard with 133 controls
     - SAS 70
       - Less defined than ISO 27001 but widely used in the US
     - EU Safe Harbor and Similar
       - Certification needed to handle data from the EU and other jurisdictions

  11. ISO 27001
     - Risk Assessment
     - ISMS
     - Policies and procedures to implement controls
     - Scope must be defined
     - Management sponsorship and review
     - Continual improvement through well-defined preventative / corrective action and change management systems
     - Scheduled internal and external audits
     - User Awareness / Understanding of Obligations

  12. Questions?

  13. Thank You
     Contact:
     - Doug Stewart, dstewart@daegis.com
     - info@daegis.com
     Upcoming Events:
     - Carmel Valley eDiscovery Retreat, July 17-20, 2011 | Carmel, CA. Panel discussion: “Who’s In Charge Anyway?” (July 19)
     - ILTA Annual Meeting, Booth #423, August 21 – 25, 2011 | Nashville, TN
     - Association of Corporate Counsel Annual Meeting, October 23-26, 2011 | Denver, CO
