Part -8- Why the CIO/CISO Should Care About eDiscovery (and Digital Evidence)
From the perspective of information security and within the context of the Information Life Cycle, the new risks created by the emergence of ESI as a key component of discovery represents another organizational risk category that must be added to the existing data life-cycle management risk-set. Litigation risk must be assessed a manner similar to other business business information risks, requiring unique cost benefit analyses. To be sure, these analyses will appear unique to the CSO/CISO, but believe me they are quite well known to non-IT risk and business management. Ultimately, however, the goal is wind up with a decision to implement a set of controls to mitigate the risks (in this case, info-sec risks that create or amplify litigation risks) to the desired level. That level in turn should be set in coordination with either in house or retained counsel who have sufficient technological understanding to asses risk from the business, legal and information governance perspective. In many cases, the controls necessary to mitigate these legal risks will be very similar, if not virtually identical to those already in place for mitigating other information risks. In addition, the methods currently used to ensure the overall reliability of information systems computing environment and ESI, and the procedures currently used to audit a set of IS controls for to demonstrate regulatory complaince requirements can help establish the reliability of that information system, together with its output, to a judge and jury. However, whereas traditional security controls center around valuable and sensitive information assets, some ESI collected may be comprised of otherwise "valueless" information, but that assessment can only be made using appropriate search, collection and identification tools. Keep in mind that under existing legal standards, the destruction (in some jurisdictions, merely negligent destruction) of even low-value ESI may trigger sanctions related to either not maintaining the appropriate level of integrity (therefore rendering valuable ESI potentially inadmissible), or the cost impact of sanctions related to the inability to produce the ESI in a timely manner. Therefore, while the controls utilized may be similar, they may not be suitable for the volume and value of ESI now needing to be managed under that control.
Next: Part -9- "Spoliation"