Information Security – A Systematic Approach to Protecting Your Organization’s Data During the eDiscovery Process Doug Stewart, Director of Technology June 28, 2011


DESCRIPTION

Information security is a high priority concern for both corporations and law firms during the eDiscovery process. The challenge is translating this concern into everyday practice. Failing to properly implement security controls can expose your company’s or client’s most critical information to vulnerabilities and risks. At Daegis, we believe that a systematic approach based upon a formal management system is the best way to ensure the highest level of information security. In this webinar, Doug Stewart, Director of Technology at Daegis, will detail:

- Why a process driven approach to information security is needed
- Who should be responsible for information security during the eDiscovery process
- What are the hallmarks of good information security controls
- How to evaluate information security practices in your eDiscovery partner or vendor

TRANSCRIPT

Page 1: Information Security – A Systematic Approach to Protecting Your Organization’s Data During the eDiscovery Process

Doug Stewart, Director of Technology

June 28, 2011

Page 2: Today’s Topics

1. Why a process driven approach to information security is needed

2. Who should be responsible for information security in the eDiscovery process

3. What are the hallmarks / best practices of good information security in the eDiscovery process

4. How to evaluate the information security practices of your eDiscovery partner or vendor

Page 3: Information Security

The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:

a. integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;

b. confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and

c. availability, which means ensuring timely and reliable access to and use of information.

44 U.S.C. § 3542(b)(1)

Page 4: Process Driven Approach

Systematic approach:

• Risk assessment and treatment
• Collaborative / 360° view
• Continual improvement
• Documented
• Audited

Page 5: Sample Risk Analysis

Corporation:
• In-place data (low)
• Collection and preservation (high)

Law firm:
• Stored data (high)
• Internal eDiscovery systems (low)

Vendor:
• Stored data (high)
• Process and host data (low)

All parties:
• People (very high)
• Process (high)
• Technology (medium)
• Transportation of data (very high)
• Production sets (high)
• Extra copies (high)

Page 6: The Dominant eDiscovery Risks

• Mind the gap: hand-offs between parties
• Changes / cutting corners / rushes: red flags
• General lack of awareness: treating information security as an IT issue
• Uncontrolled copies
• Shared accounts / uncontrolled access
• Lack of audit trail / chain of custody

Page 7: Who is Responsible?

• Information security is not an IT problem
• Cross-functional teams including IT, operations, PMs, specialists, records and legal
• A collaborative approach is needed across corporation(s), law firm(s) and vendor(s)
• Including an information security section in the project plan is an excellent way to foster collaboration

Page 8: Hallmarks & Best Practices

Controls:

1. Create a project plan that addresses information security issues
2. Encrypt all data when in transit
3. Encrypt all deliverables
4. Ensure all parties understand information security obligations
5. Restrict copies
6. Limit access to business need
   • Lock down access by IP
   • Implement DLP
7. Check / Audit
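Slide 6 names hand-offs between parties, uncontrolled copies and a missing audit trail / chain of custody as the dominant risks, and control 7 above is to check and audit. The following is an added example, not code from the presentation or from Daegis: a small Python chain-of-custody manifest that the producing party builds for a production set and the receiving party verifies on arrival, so an altered file, a missing file or a stray extra copy is caught at each hand-off rather than discovered later. It assumes the deliverable is a directory tree of files and that producer and receiver share a manifest key exchanged out of band (both assumptions, not in the deck); the file names and load-file bytes in demo() are constructed samples.

```python
"""Chain-of-custody manifest for a production set (added example, not from the deck).

Assumptions, none of which appear in the original presentation:
  * the deliverable is a directory tree of files;
  * producer and receiver share a manifest key exchanged out of band
    (a real hand-off would also encrypt the deliverable itself, control 3).
Producer runs build_manifest() and sends manifest + files; receiver runs
verify_manifest() and records the report in the project audit trail.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large natives do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so both sides MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, key: bytes, production_id: str) -> dict:
    """Hash every file under root and MAC the resulting inventory."""
    files = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            files[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    body = {"production_id": production_id, "files": files}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "hmac_sha256": tag}


def verify_manifest(root: Path, manifest: dict, key: bytes) -> dict:
    """Check the manifest MAC first, then every file; report each kind of gap."""
    expected = hmac.new(key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    report = {
        "manifest_authentic": hmac.compare_digest(expected, manifest["hmac_sha256"]),
        "modified": [], "missing": [], "unexpected": [], "ok": False,
    }
    if not report["manifest_authentic"]:
        return report  # an edited manifest tells us nothing about the files
    listed = manifest["body"]["files"]
    for rel, meta in listed.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_file(path) != meta["sha256"]:
            report["modified"].append(rel)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report["unexpected"] = sorted(present - set(listed))  # stray / extra copies
    report["ok"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo() -> tuple:
    """Constructed sample hand-off: clean transfer, tampered transfer, forged manifest."""
    key = b"constructed-demo-key-shared-out-of-band"  # assumption: exchanged out of band
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "NATIVES").mkdir()
        (root / "NATIVES" / "DOC000001.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        (root / "PROD001.dat").write_bytes(b"\xfeDOC000001\xfe\x14\xfeNATIVES/DOC000001.pdf\xfe\n")

        manifest = build_manifest(root, key, "PROD001")
        clean = verify_manifest(root, manifest, key)

        # Hand-off gone wrong: one native altered, one stray copy left behind.
        (root / "NATIVES" / "DOC000001.pdf").write_bytes(b"%PDF-1.4 altered after production\n")
        (root / "NATIVES" / "DOC000001 - Copy.pdf").write_bytes(b"uncontrolled copy\n")
        tampered = verify_manifest(root, manifest, key)

        # Manifest edited in transit to hide the change: MAC fails before any file is read.
        forged = json.loads(json.dumps(manifest))
        forged["body"]["files"].pop("NATIVES/DOC000001.pdf")
        forged_report = verify_manifest(root, forged, key)
    return clean, tampered, forged_report


if __name__ == "__main__":
    for name, rep in zip(("clean", "tampered", "forged"), demo()):
        print(name, json.dumps(rep))
```

The HMAC proves the inventory came from a holder of the shared key and was not edited in transit; it does not give the nonrepudiation in the slide 3 definition, because either key holder could have produced it. A digital signature with the producer’s private key would, and the manifest plus each verification report are what belong in the project’s audit trail. The manifest is an integrity check only: the deliverable itself still has to be encrypted in transit and at rest (controls 2 and 3).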

Page 9: Continual Improvement

Quality & innovation cycle: TQM, Six Sigma, ISO 9000 & 27001

Source: Shewhart / Deming

Page 10: Evaluating Information Security

Ask questions:
• The RFI / RFP process is a great place to ask questions
• Ask people, process and technology questions

Look for certifications:
• ISO 27001: auditable international standard with 133 controls (Annex A of the 2005 edition)
• SAS 70: less defined than ISO 27001 but widely used in the US (SAS 70 was being replaced by SSAE 16 / SOC reports at the time of this talk, so ask which report a vendor actually holds)
• EU Safe Harbor and similar: self-certification needed to handle data from the EU and other jurisdictions

Page 11: ISO 27001

• Risk assessment
• ISMS: policies and procedures to implement controls
• Scope must be defined
• Management sponsorship and review
• Continual improvement through well-defined preventive / corrective action and change management systems
• Scheduled internal and external audits
• User awareness / understanding of obligations

Page 12: Questions?

Page 13: Thank You

Contact:
• Doug Stewart, [email protected]
• [email protected]

Upcoming events:
• Carmel Valley eDiscovery Retreat, July 17-20, 2011 | Carmel, CA. Panel discussion: “Who’s In Charge Anyway?” (July 19)
• ILTA Annual Meeting, Booth #423, August 21-25, 2011 | Nashville, TN
• Association of Corporate Counsel Annual Meeting, October 23-26, 2011 | Denver, CO