Discovering e-discovery services: How information security pros should prepare

Chances are that you've recently been hearing quite a lot of buzz about e-discovery services. That's because amendments to sections of the Federal Rules of Civil Procedure took effect as of Dec. 1, 2006. Sections of these amendments set forth rules governing how companies prepare for litigation in regard to the collection of electronic evidence/information.

The rule changes are intended to recognize that companies manage and maintain electronically stored information (ESI) in fundamentally different ways than physical do...

BROWSE BY TAG Risk Management Strategies,   Data Protection Security School,   Enterprise strategies for protecting data at rest,   Data Analysis and Classification,   Enterprise Data Protection,   Enterprise Data Governance,   VIEW ALL TAGS

VIEW ALL IN THIS CATEGORY

RELATED CONTENT Risk Management Strategies Cloud computing in 2010: Be ready for risk management challenges How to justify information security spending on cloud computing How to protect distributed information flows Black box and white box testing: Which is best? Breach prevention: How to keep track of data and applications Information security management hype: Debunking best practices Monitoring program data and internal controls for risk management Cloud computing security: Choosing a VPN type to connect to the cloud Cloud computing security: Routing and DNS security threats Cloud computing security model overview: Network infrastructure issues Enterprise strategies for protecting data at rest Kumbaya: How the storage and security teams can work together Quiz: Enterprise strategies for protecting data at rest Data Analysis and Classification Creating an enterprise data protection framework Analyst DLP study finds maturity, ranks top DLP vendors PCI DSS compliance requirements: Ensuring data integrity Trustwave acquires data loss prevention vendor Vericept Data has become too distributed to secure, Forrester says Compliance in the cloud Database monitoring, encryption vital in tight economy, Forrester says Best practices for log data retention Data classification best practices: Techniques, methods and projects HIPAA changes force healthcare to improve data flow Data Analysis and Classification Research

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

cuments. The new e-discovery rules formally codify much of the preexisting case law related to e-discovery.

Fortunately, there's no need to panic as a result of the changes. Keep in mind that e-discovery is part of the litigation process, and should be driven by the corporation's legal team or outside council, not by IT. However, the e-discovery effort will involve several groups within the organization, such as legal, IT -- including security, storage and messaging -- and others as needed.

Preparing for e-discovery
Before there is ever a need to comply with an e-discovery request, there are several tasks that information security professionals should perform.

• Foster open dialog between security, legal, and other groups -- The only way to have a prepared response to an e-discovery services request is to be proactive. This, of course, requires laying some groundwork. Make sure that your senior-most security executives are aware of the civil procedure changes. Look to your company's legal team as the key stakeholder, but the security team should be prepared to perform e-discovery support functions. As a result, it will be seen as either an enabler or a barrier.

• Create clearly articulated data retention policies and procedures for retaining important information -- Companies are interpreting the e-discovery rules very differently. For instance, there are two lines of thought related to document retention. Some companies attempt to apply rigid policies related to document retention and destruction; they seek to limit the scope of their e-discovery search by limiting the volume of stored data. In addition, their hope is that some potentially damning ESI will be destroyed as the result of following normal business processes. The second line of thought is that companies should keep everything. This line of thought takes into account the fact that data is reproducible; there are always at least two copies of an email (sender and receiver), users tend to copy data to multiple locations, and so on. It will always be difficult for a company to reasonably state that certain data points are not available.

• Have an e-discovery action plan -- Realize that IT is a critical path for litigation. Regardless of your company's stance on ESI retention and destruction, it is important to have an established method for locating ESI that may be relevant to any current or pending litigation (including litigation which may be reasonably foreseeable). Often called a litigation hold policy, this process would include the ability to perform relevant keyword/key-phrase searches across the company's vast amounts of structured data (e.g. application data stores) and unstructured data (e.g. documents, email messages, spreadsheets, etc.). It is counterproductive for an organization to have to figure out how to accomplish this each time it is required to produce ESI, so be sure to have a product, process or combination of the two that will produce consistent results.

• Create and maintain templates for documenting an e-discovery log for each case -- Remember that the output of your ESI production process has legal implications. Be sure to keep track of the exact search words/phrases used to generate any records handed over. It is critical to have formalized, repeatable processes. The overall credibility of your company could be tarnished if the opposing party or the judge perceives your efforts as ad-hoc or haphazard.

• Maintain an accurate list of system/data types and their IT and business owners -- Pure and simple: the company will never be able to reasonably state that it has produced all the relevant data without knowing the location of all its data. Thus it is imperative to maintain a system inventory. Know the inputs and outputs, the data elements, and who owns the systems from both an IT perspective and a business perspective.

• Establish security and audit controls around the e-discovery services process -- Producing all of this data inherently increases risk to your organization. Chances are that there will be a great deal of sensitive information (both personally identifiable information and proprietary company information) in the data gathered. It is therefore imperative that security and audit teams have a hand in defining the processes involved.

Last thoughts
Compliance with the new e-discovery rules will require the participation and cooperation of multiple groups within a company. Information security and audit teams need to be involved in the creation of e-discovery processes and procedures. It could be argued that at no time are confidentiality, integrality and availability more important than during litigation.

For further study
The following materials were consulted during the creation of this essay.

• Discovery: http://en.wikipedia.org/wiki/Discovery_(law)
  
• Report Regarding Changes to Discovery Rules Regarding Electronic Discovery
  
• A Summary for Computer Forensic Professionals of the Electronically Stored Evidence (ESI) Amendments to the Federal Rules of Civil Procedure, Dec. 1, 2006
  
• SearchCIO.com webcast: Strategies for creating effective e-discovery policies
  
• SearchCIO.com podcast: The nine biggest mistakes for e-discovery and how to overcome them
  
• InfoWorld.com: New litigation rules put IT on the front lines of data access

About the author
Perry Carpenter has spent nearly a decade working in IT and information security. Currently serving as the information security manager for a large wireless carrier, he has expertise in identity management, application security and data encryption and privacy. Earlier in his career he specialized in application development and Active Directory implementations. He maintains a security resource Web site at SecurityRenaissance.com.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.