Information Security – A Systematic Approach to Protecting Your Organization’s Data During the eDiscovery Process
DESCRIPTION
Information security is a high-priority concern for both corporations and law firms during the eDiscovery process. The challenge is translating this concern into everyday practice. Failing to implement security controls properly can expose your company’s or client’s most critical information to vulnerabilities and risks. At Daegis, we believe that a systematic approach based on a formal management system is the best way to ensure the highest level of information security. In this webinar, Doug Stewart, Director of Technology at Daegis, will detail:
• Why a process-driven approach to information security is needed
• Who should be responsible for information security during the eDiscovery process
• What the hallmarks of good information security controls are
• How to evaluate information security practices in your eDiscovery partner or vendor
TRANSCRIPT
Information Security – A Systematic Approach to Protecting Your Organization’s Data During the eDiscovery Process
Doug Stewart, Director of Technology
June 28, 2011
Today’s Topics
1. Why a process driven approach to information security is needed
2. Who should be responsible for information security in the eDiscovery process
3. What are the hallmarks / best practices of good information security in the eDiscovery process
4. How to evaluate the information security practices of your eDiscovery partner or vendor
Information Security
“The term ‘information security’ means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
a. integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
b. confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
c. availability, which means ensuring timely and reliable access to and use of information.”
44 U.S.C. § 3542(b)(1)
Process Driven Approach
A systematic approach is:
• Risk assessment and treatment
• Collaborative / 360° view
• Continual improvement
• Documented
• Audited
Sample Risk Analysis
Risk level for each party and area shown in parentheses:
• Corporation: in-place data (low); collection and preservation (high)
• Law firm: stored data (high); internal eDiscovery systems (low)
• Vendor: stored data (high); process and host data (low)
• All parties: people (very high); process (high); technology (medium); transportation of data (very high); production sets (high); extra copies (high)
The Dominant eDiscovery Risks
• Mind the gap: hand-offs between parties
• Changes, cutting corners, and rush jobs are red flags
• General lack of awareness: treating information security as an IT issue
• Uncontrolled copies; shared accounts / uncontrolled access
• Lack of audit trail / chain of custody
Who is Responsible?
Information security is not an IT problem. Cross-functional teams including IT, operations, PMs, specialists, records and legal are needed, and a collaborative approach must span all of the corporation(s), law firm(s) and vendor(s) involved.
Including an information security section in the project plan is an excellent way to foster that collaboration.
Hallmarks & Best Practices
Controls:
1. Create a project plan that addresses information security issues
2. Encrypt all data when in transit
3. Encrypt all deliverables
4. Ensure all parties understand their information security obligations
5. Restrict copies
6. Limit access to business need
   • Lock down access by IP
   • Implement DLP
7. Check / audit
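Controls 2, 3, 5 and 7 meet at every hand-off between parties, which the risk slides above rate as the most dangerous moment (transportation of data: very high; production sets and extra copies: high). One concrete way to make a hand-off checkable and to leave an audit trail is a signed manifest: the sender hashes each deliverable and signs the list of hashes, the receiver recomputes the hashes and refuses anything missing, modified, or not on the list. The following is an added example in Python, not code from the webinar or from Daegis; the file names and contents are constructed stand-ins, and the shared hand-off key, the manifest layout and the function names are assumptions for illustration. The encryption of the deliverables themselves (control 3) is separate and not shown here.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample production set: file name -> file contents.
# A real hand-off would hash files on disk; bytes are used here so the
# example runs offline.
PRODUCTION_SET: Dict[str, bytes] = {
    "PROD0000001.tif": b"II*\x00constructed image bytes",
    "PROD0000001.txt": b"constructed extracted text",
    "PROD_LoadFile.dat": b"\xfePRODBEGIN\xfe\x14\xfePRODEND\xfe\n",
}

# Assumption: sender and receiver share this key, exchanged out of band
# (for example, agreed in the project plan's information-security section).
# It must never travel with the deliverable it protects.
HANDOFF_KEY = b"constructed-shared-handoff-key-change-me"


def _canonical(body: dict) -> bytes:
    """Serialise the manifest body deterministically so the HMAC is stable."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_manifest(files: Dict[str, bytes], key: bytes,
                   sender: str, recipient: str) -> dict:
    """Sender side: hash every deliverable and sign the list of hashes.

    The HMAC ties the file list to the hand-off, so the receiver can tell a
    genuine manifest from one rewritten after a file was swapped.
    """
    body = {
        "sender": sender,
        "recipient": recipient,
        "files": {name: hashlib.sha256(data).hexdigest()
                  for name, data in files.items()},
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "hmac": tag}


def verify_handoff(manifest: dict, received: Dict[str, bytes],
                   key: bytes) -> List[str]:
    """Receiver side: return a sorted list of findings; empty means clean.

    Each finding is written in audit-trail form so it can be logged as the
    chain-of-custody record for this hand-off.
    """
    findings: List[str] = []
    expected_tag = hmac.new(key, _canonical(manifest["body"]),
                            hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences.
    if not hmac.compare_digest(expected_tag, manifest["hmac"]):
        findings.append("manifest signature invalid: do not load, escalate")
        return findings  # nothing in the body can be trusted
    expected = manifest["body"]["files"]
    for name, digest in expected.items():
        if name not in received:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(
                hashlib.sha256(received[name]).hexdigest(), digest):
            findings.append(f"modified: {name}")
    # Files not on the manifest are uncontrolled copies: flag them rather
    # than silently loading them into the review platform.
    for name in received:
        if name not in expected:
            findings.append(f"unlisted: {name}")
    return sorted(findings)


if __name__ == "__main__":
    manifest = build_manifest(PRODUCTION_SET, HANDOFF_KEY, "Vendor", "Law firm")
    print("clean hand-off:", verify_handoff(manifest, PRODUCTION_SET, HANDOFF_KEY))
    tampered = dict(PRODUCTION_SET)
    tampered["PROD0000001.txt"] = b"text replaced in transit"
    print("tampered hand-off:", verify_handoff(manifest, tampered, HANDOFF_KEY))
```

The manifest can be sent alongside the encrypted deliverable because its value lies in the key, not in secrecy: without the key a party cannot re-sign a manifest after swapping a file. Logging the sender, recipient, file hashes and the verification findings at each hand-off gives the audit trail and chain of custody that the risk slides above note are so often missing.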
Continual improvement: the quality and innovation cycle (the Shewhart / Deming plan-do-check-act cycle) that underlies TQM, Six Sigma, ISO 9000 and ISO 27001.
Source: Shewhart / Deming
Evaluating Information Security
Ask questions: the RFI / RFP process is a great place to ask them. Ask about people, process and technology, not technology alone.
Look for certifications:
• ISO 27001: auditable international standard; the 2005 edition’s Annex A lists 133 controls
• SAS 70: less defined than ISO 27001 but widely used in the US
• EU Safe Harbor and similar frameworks: certification needed to receive data from the EU and other jurisdictions
ISO 27001
• Risk assessment
• ISMS: policies and procedures to implement controls
• Scope must be defined
• Management sponsorship and review
• Continual improvement through well-defined preventive / corrective action and change management systems
• Scheduled internal and external audits
• User awareness / understanding of obligations
Questions?
Thank You
Contact:
• Doug Stewart, [email protected]
• [email protected]
Upcoming Events:
• Carmel Valley eDiscovery Retreat, July 17-20, 2011 | Carmel, CA. Panel discussion: “Who’s In Charge Anyway?” (July 19)
• ILTA Annual Meeting, Booth #423, August 21 – 25, 2011 | Nashville, TN
• Association of Corporate Counsel Annual Meeting, October 23-26, 2011 | Denver, CO