Information Security Magazine
Viewpoint
Issue: Feb 2008

Follow Government's Lead
Dave Shackleford ("Shine Those Skills," November 2007) states CISOs need to be more concerned with risk management, and not so much with technical details. I agree; however, I would like to point out that risk management is at the heart of the certification and accreditation process used by the government to control which systems are allowed into operation.

The process is described by the DoD's "Information Assurance Certification and Accreditation Process Interim Guidance," and by FIPS 200: "Minimum Security Requirements for Federal Information and Information Systems" and NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems," for other government agencies. In both cases, the processes include a number of steps to determine and mitigate the risks to the system, ending up with a determination that the risks have been adequately identified and can be mitigated (certification) and an acceptance of the residual risks by a responsible party (accreditation).

Although these processes are aimed specifically at U.S. government agencies, they use concepts that are useful in any arena. I recommend them to any organization wanting to establish a comprehensive C&A process.

Thomas E. Gist, senior security engineer, Advanced Technology Systems


Clearing Up e-Discovery
I concur with the gist of Kelley Damore's column ("Discovering e-Discovery," November 2007): it is important for companies to implement a robust, audited data retention/destruction policy and a "litigation hold" to prevent the loss of potentially relevant data in the face of a reasonably anticipated or actual lawsuit. However, I must correct a couple of factual errors.

First, the changes to the FRCP have not, in a strict sense, changed when or even necessarily how parties produce data in a lawsuit. Rather, they have forced parties to talk about potential issues with the production of data much earlier in the process, including how they intend to produce the data.

Second, as is readily apparent from case law in this area, parties have always been able to request electronically stored information. What has changed is that the rules have made this ability more explicit and have set out some guidelines for resolving disputes around production formats, recognizing burden and cost to a party for accessing certain types of data, and recognizing that computer systems sometimes destroy data as part of their routine operation. This in turn has created a great deal of interest among attorneys in electronic discovery as a tactic, as well as judicial scrutiny into how efficiently parties conduct discovery.

Finally, it is not typically a judge who is requesting documents in litigation, but rather the opposing side. While the source of the authority that forces the transfer of documents is the court and the ultimate arbiter of any disputes is the judge, it is always the opposing party that you have to work with in the first instance.

Aaron Gardner, discovery process manager, Paul, Weiss, Rifkind, Wharton & Garrison LLP
(Editor's note: Mr. Gardner is not an attorney and asks that nothing in his note be construed as legal advice.)
All Rights Reserved, Copyright 2003 - 2008, TechTarget