200 likes | 338 Views
Electronic Discovery (eDiscovery). Chad Meyer & John Vyhlidal ConAgra Foods. Overview. Background Risks and Security Concerns Effective eDiscovery program Assurance Considerations Wrap up. Background. Discovery
E N D
Electronic Discovery (eDiscovery) Chad Meyer & John Vyhlidal ConAgra Foods
Overview • Background • Risks and Security Concerns • Effective eDiscovery program • Assurance Considerations • Wrap up
Background • Discovery • The process of identifying, locating, securing and producing information and materials for the purpose of obtaining evidence for utilization in the legal process • Additionally the process of reviewing all materials that may be potentially relevant to the issues at hand and/or that may need to be disclosed to other parties, and of evaluating evidence to prove or disprove facts, theories or allegations • What is eDiscovery: • The process of collecting, preparing, reviewing, and producing electronically stored information (ESI) in the context of legal discovery
Background • 2006 updates to Federal Rules of Civil Procedure (FRCP) by US Supreme Court • Applies to all US enterprises, public or private • Set strict expectations that an enterprise must be able to produce electronically stored information as evidence within a practical time frame Litigation and eDiscovery are key drivers for enterprise records retention
Risks and Security Concerns • Un/Intentional removal of records • Un/Intentional alteration of records • Privacy considerations • Inability to recover/identify records • Providing unnecessary/wrong records • Losing litigation cases (macro level risk) • Fines for non-compliance (macro level risk)
Goals for an effective program • Ability to provide any discovery-requested ESI • Regardless content type and storage location • Responding to requests for discovery efficiently, effectively and completely • Well documented process • Policies and procedures prior to discovery • Search methods in response to discovery • Refraining from providing information not requested
Identify key risks • Risks vary based on size, industry or other unique factors • Top down risk assessment • Involve key stakeholders • Legal • Records management • IT Security • System/Data owners • Understand all potential sources/locations
Consider existing control environment • Existing controls may aid in mitigating risks associated with eDiscovery • SOX, HIPAA, PCI • Review existing control libraries for applicable controls • Conduct interviews with key members of legal, risk management, and IT
Evaluate existing controls related to eDiscovery • Consider purpose and scope of existing controls • Many controls may aid an eDiscovery program, but not fully • Records retention policies • Backups • Logical Security
Identify gaps • Classify gaps by ERDM process and responsible function • Information Management, Identification, Collection, Preservation, etc. • Link gaps to existing controls (where applicable)
Identify Gaps Source: An EDRM White Paper – part of the EDRM White Paper Series September, 2010 – Adam Hurwitz, BIA CIO, Business Intelligence Associates, Inc.
Cost/Benefit of risk treatment • Typical risk treatment plans include options • Avoid • Reduce/Mitigate • Transfer • Accept • Consider probability and magnitude • Factor ROI against noncompliance and/or alternative methods (typically manual)
Select and implement solutions • Entity level controls • IT general controls • Other controls • Prepackaged solutions
Select and implement solutions (cont.) • Gartner classifies eDiscovery solutions into the following categories for analysis: • Information governance and archiving tools • Identification, collection, preservation and processing • Analysis tools
Monitor • Maintained records retention and legal hold policies and procedures • Clear ownership of each portion of the EDRM process • Legal hold tracking process • Include selected solutions in enterprise risk assessments and audits
Recap • Background • Risks and Security Concerns • Effective eDiscovery program • Assurance Considerations • Conclusion
ISACA White Paper • Published 3/10/2011 (Link to ISACA download)
Questions? Chad Meyer chad.meyer@conagrafoods.com John Vyhlidal john.vyhlidal@conagrafoods.com