<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>adventuresinsecurity.com Blog &#187; Management Tips</title>
	<atom:link href="http://adventuresinsecurity.com/blog/index.php/category/management-tips/feed/" rel="self" type="application/rss+xml" />
	<link>http://adventuresinsecurity.com/blog</link>
	<description>Information Security Management for Business Managers</description>
	<lastBuildDate>Mon, 19 Feb 2007 16:08:58 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>eDiscovery Challenges</title>
		<link>http://adventuresinsecurity.com/blog/2006/02/17/ediscovery-challenges/</link>
		<comments>http://adventuresinsecurity.com/blog/2006/02/17/ediscovery-challenges/#comments</comments>
		<pubDate>Fri, 17 Feb 2006 16:31:10 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Management Tips]]></category>
		<category><![CDATA[Security Management Tips]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=50</guid>
		<description><![CDATA[During the past two decades, the shift from paper to electronic filing of business documents introduced a new challenge: meeting the requirements of litigation discovery.  Not only are organizations keeping more information; the vast amounts of email messages and other types of documents are typically not organized in a way that facilitates quick, cost effective [...]]]></description>
			<content:encoded><![CDATA[<p><font size="3"><font face="Times New Roman">During the past two decades, the shift from paper to electronic filing of business documents introduced a new challenge: meeting the requirements of litigation discovery.  Not only are organizations keeping more information; the vast amounts of email messages and other types of documents are typically not organized in a way that facilitates quick, cost effective extraction from personal and enterprise storage.  </font></font></p>
<p><font face="Times New Roman" size="3">If you’re responsible for the security of your company’s information, your role extends to protecting documents required by discovery requests.  Are you prepared to assure your executive management, or to testify, that you’ve done everything reasonable and appropriate to meet the court’s expectations?</font></p>
<p><font face="Times New Roman" size="3">In this article, I explore the challenges of eDiscovery (Electronic Discovery) followed by recommendations that might help avoid the high costs of compliance – or non-compliance.</font></p>
<p><span id="more-50"></span></p>
<p align="center"><strong><font face="Times New Roman">The Challenges</font></strong><font face="Times New Roman" size="3"> </font></p>
<p><font face="Times New Roman" size="3">According to Fulbright and Jaworski’s Second Annual Litigation Trends Survey, electronic discovery is the top litigation issue (2005).  Courts are getting tougher on companies that fail to provide documents, especially email, requested by Plaintiffs.  The following are some examples of the results of non-compliance (Patzakis, 2006):</font></p>
<ul>
<li><font face="Times New Roman" size="3">Morgan Stanley suffered a default judgment of $1.45 billion</font></li>
<li><font face="Times New Roman" size="3">Phillip Morris incurred a judgment of $10 million</font></li>
<li><font face="Times New Roman" size="3">UBS incurred $30 million</font></li>
</ul>
<p><font face="Times New Roman" size="3">One of the problems associated with electronic discovery is the failure to locate documents and email because they’ve been deleted.  But the routine deletion of documents is not a reasonable defense when faced with a discovery request.   In the 2003 Zubulake vs. UBS Warburg case, the court found that the UBS attorneys failed to implement proper </font><a href="http://www.archivists.org/glossary/term_details.asp?DefinitionKey=791"><font face="Times New Roman" size="3">litigation holds</font></a><font face="Times New Roman" size="3"> to prevent the routine destruction of email.  The following list describes the material points of the standard (CGOC, 2005):</font></p>
<ol type="1">
<li><font face="Times New Roman" size="3">Enable your “discovery liaison” to readily describe information custodians, systems, storage, and your retention  policies</font></li>
<li><font face="Times New Roman" size="3">Affirmatively and repeatedly communicate legal holds to all affected parties</font></li>
<li><font face="Times New Roman" size="3">Integrate your retention policies and coordinators with discovery challenges and responsibilities</font></li>
<li><font face="Times New Roman" size="3">Actively manage and monitor document collections</font></li>
<li><font face="Times New Roman" size="3">Interview affected employees to determine sources of information</font></li>
<li><font face="Times New Roman" size="3">Monitor compliance with legal holds on an ongoing basis</font></li>
<li><font face="Times New Roman" size="3">Thoroughly document and demonstrate the efficacy of your process</font></li>
<li><font face="Times New Roman" size="3">Prepare to take responsibility for ensuring that information is preserved, collected, and produced.</font></li>
</ol>
<p><font face="Times New Roman" size="3">The problems with electronic discovery are not always related to deleted documents.  In many cases, the documents exist on storage somewhere in the organization’s data center.  Locating them might be expensive or close to impossible.  In these cases, management is faced with the decision to either incur the displeasure of the court or pay a consultant millions of dollars to scour the storage environment.  Neither option is attractive to investors.</font></p>
<p align="center"><font face="Times New Roman"><strong>The Solution</strong></font></p>
<p><font face="Times New Roman" size="3">There are two basic types of documents that have different archiving requirements – messages and electronic documents.  For the purpose of this discussion, messages include email and instant messaging (IM) exchanges.  Electronic documents include word processing and spreadsheet files.</font></p>
<p><font face="Times New Roman" size="3">Through the proper management of messages and electronic documents, companies can reduce the volume of information potentially subject to discovery and reduce the cost of collecting information (Roitblat, 2005).  Reducing the amount of information collected might not seem like a goal on which management is willing to spend money.  But consider the alternative.  If a good way to quickly access requested information doesn’t exist, then overly intrusive actions might have to be taken to ensure compliance with discovery requests.</font></p>
<p><font face="Times New Roman"><em>Messaging</em><br />
</font><font face="Times New Roman" size="3">It’s difficult to determine which messages might be material to current or future litigation.  Some organizations take a chance by relying on users for proper message management.  IM communications are typically not captured at all.  Both of these approaches put a company at risk.</font></p>
<p><font face="Times New Roman" size="3">It’s important to be seen as taking a proactive stance in electronic discovery activities.  The best approach is to archive all messages, including IM, without user intervention.  Figure 1 is an example of a possible solution.</font></p>
<p align="center"> <a class="imagelink" title="Messaging_Capture_example" href="http://adventuresinsecurity.com/blog/wp-content/uploads/2006/02/Example.jpg"><img id="image51" style="width: 608px; height: 375px" height="375" alt="Messaging_Capture_example" src="http://adventuresinsecurity.com/blog/wp-content/uploads/2006/02/Example.jpg" width="608" /></a><br />
<strong>Figure 1</strong></p>
<p>Email and IM messages pass through management systems that automatically intercept and write them to an archival storage system.  Neither the sender nor the receiver plays any role in whether the information is archived.  The archived messages are cataloged, indexed, and centrally managed according to the organization’s records retention policy.</p>
<p><em>Electronic Documents</em><br />
As with messages, electronic documents must be preserved according to a company’s records retention policy.  They should also be available for discovery without significant cost.  Deploying an electronic document archival system is a good way to meet these objectives.</p>
<p>Archival systems can operate automatically or with some operator intervention.  In either instance, the system should be capable of enforcing business rules, including the imposition of litigation holds, related to document maintenance.  Documents should be indexed, cataloged, and easily searched to reduce the effort required to produce information on any litigation issue.</p>
<p><em>Justify your Solutions with Standards</em><br />
Even if you purchase the best archival solutions possible, you’re still missing one piece necessary to complete the electronic discovery puzzle.  If called to testify or to be deposed, the questions will focus more on your company’s practices and less on the solutions implemented (Flaherty, 2002).  A good way to select justifiable processes is to follow a set of recognized best practices.</p>
<p>I’m not a strong advocate of blindly buying into a methodology.  But there’s value in using one or more industry recognized methodologies to create an electronic document and messaging management environment conducive to fair and cost effective discovery.  At the very least, it makes it easier to justify the policies and procedures that resulted in the current discovery results.</p>
<p align="center"><strong>Conclusion</strong></p>
<p align="left">As the amount of information stored electronically increases, so does the cost of providing that information during litigation.  The old methods of allowing users to manage their own documents without the benefits of a central repository present too great a risk.  As with all business processes, the management of electronic documents and messages should be approached in a way that minimizes risk to the business while keeping costs under control.</p>
<p align="left"><strong>Author:</strong>  Tom Olzak</p>
<p align="left"><strong>Resources:</strong>  <a href="http://adventuresinsecurity.com/Podcasts/AISSeries/AdventuresinSecurity.xml" target="_blank">RSS Feed to our Podcasts</a></p>
<p align="left"><strong>Sources: </strong></p>
<p align="left">CGOC (2005).  <em>The Zubulake checklist.</em>  Retrieved February 15, 2006 from <a href="http://www.pss-systems.com/resources/zubulake_checklist.html">http://www.pss-systems.com/resources/zubulake_checklist.html</a></p>
<p align="left">Flaherty, M. P. (2005, June).  Would you please swear in the Chief Security Officer?  <em>SC Magazine.</em>  Retrieved February 15, 2006 from <a href="http://scmagazine.com/us/news/article/419805/would-please-swear-chief-security-officer/">http://scmagazine.com/us/news/article/419805/would-please-swear-chief-security-officer/</a></p>
<p>Fulbright &#038; Jaworski (2005).  <em>Second annual litigation trends survey findings.</em>  Retrieved February 15, 2006 from <a href="http://www.fulbright.com/mediaroom/files/FJ0536-US-V13.pdf">http://www.fulbright.com/mediaroom/files/FJ0536-US-V13.pdf</a></p>
<p>Patzakis, J. (2006, February).  Why the ediscovery revolution is important to infosec.  <em>The ISSA Journal</em>, February 2006, p. 6.</p>
<p>Roitblat, H. L. (2005, December).  <em>Proactive solutions: the next generation of eDiscovery?</em>  Retrieved February 15, 2006 from <a href="http://www.discoveryresources.org/pdfFiles/Proactive_Solutions.pdf">http://www.discoveryresources.org/pdfFiles/Proactive_Solutions.pdf</a></p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2006/02/17/ediscovery-challenges/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Risk Management</title>
		<link>http://adventuresinsecurity.com/blog/2006/02/07/security-risk-management/</link>
		<comments>http://adventuresinsecurity.com/blog/2006/02/07/security-risk-management/#comments</comments>
		<pubDate>Tue, 07 Feb 2006 12:23:12 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Management Tips]]></category>
		<category><![CDATA[Security Management Tips]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=39</guid>
		<description><![CDATA[Risk management is an important part of securing today&#8217;s information assets.  Security has moved from the fringes of technology to take its place alongside other critical business activities.  And like other business activities, the resources expended on the people, processes, and technology necessary to protect an organization&#8217;s information infrastructure must be justified in terms of return [...]]]></description>
			<content:encoded><![CDATA[<p>Risk management is an important part of securing today&#8217;s information assets.  Security has moved from the fringes of technology to take its place alongside other critical business activities.  And like other business activities, the resources expended on the people, processes, and technology necessary to protect an organization&#8217;s information infrastructure must be justified in terms of return on investment (ROI). </p>
<p>In this article, we&#8217;ll explore the fundamentals of risk management as it applies to information security.</p>
<p><span id="more-39"></span></p>
<p align="left"><strong>What is Risk?</strong></p>
<p>We encounter risk every day.  There&#8217;s the risk associated with making a financial investment.  There&#8217;s the risk of hiring the wrong person to manage a key operation.  Risk can also involve something as simple as making a left turn at a busy intersection.  Although each of these situations occurs within a unique context, they all have something in common: they can all be generally defined by a simple formula:</p>
<p align="center"><strong>Risk = Threats x Vulnerabilities x Impact</strong></p>
<p align="left">A closer look at this formula shows that the elements of threats, vulnerabilities, and impact are multiplied together to arrive at the risk level.  So reducing any one of the three will significantly reduce risk.  Let&#8217;s examine our left turn example.</p>
<p align="left">While making our turn, oncoming traffic is a threat.  Vulnerabilities might include visibility restrictions on you or other drivers, not wearing a seatbelt, or operating a vehicle that has a low impact safety rating.  The impact on you or your family if an accident occurs increases with factors such as having family members in the car or the size of your insurance deductible.</p>
<p align="left">The lack of oncoming traffic eliminates threats.  Since the threat factor in our formula drops to zero, the result of the formula is zero.  Wearing your seatbelt or ensuring you use your headlights when appropriate reduces your vulnerabilities.  Finally, reducing your deductible might lower the financial impact of an accident.  But how do the elements of risk apply to information assets?</p>
<p align="left">Information assets include information, in any form, upon which an organization places value.  These assets may include databases, programs, and the components of your network as well as information on paper.  Also included is your most important asset &#8211; your people.  A malicious hacker attempting to access your financial data, a virus that might corrupt production information, and a hurricane are all examples of threats against these assets.</p>
<p align="left">Within the context of information security, a <strong>threat </strong>is any technological, natural, or man-made cause of harm to an information asset.  <strong>Vulnerabilities </strong>are weaknesses in the security of an information system that can be exploited by a threat.  Examples include programs that haven&#8217;t had security patches applied, unlocked computer rooms, and weak or widely known passwords.  A threat exploiting a vulnerability resulting in the partial or total loss of one or more business assets constitutes business <strong>impact</strong>.</p>
<p align="left">Eliminating threats to information resources is difficult, if not impossible.  We have very little control over the actions of malicious hackers, malicious code moving across the Internet, or the unintentional destruction of an asset by a trusted employee.  Similarly, reducing impact to zero might mean that the assets involved had little or no value to begin with.  This leaves vulnerabilities.  Eliminating or minimizing vulnerabilities is usually the most effective way to maintain acceptable levels of risk to the confidentiality, integrity, and availability of your information assets.</p>
<p align="left"><strong>Risk Management</strong></p>
<p align="left">Risk management is about identifying risk, assessing the impact on your business if a security incident occurs, and making the right financial decision about how to deal with the results of your assessment.  It also includes the implementation of a program to continually measure and assess the effectiveness of existing safeguards in protecting your critical assets.</p>
<p align="left">Managing risk is not a one time activity; it&#8217;s an ongoing process.  Figure 1 depicts the Risk Management Cycle.</p>
<p align="left"><a class="imagelink" title="Risk Management Cycle" href="http://adventuresinsecurity.com/blog/wp-content/uploads/2006/02/Risk%20Management%20Cycle.jpg"><img id="image42" height="96" alt="Risk Management Cycle" src="http://adventuresinsecurity.com/blog/wp-content/uploads/2006/02/Risk%20Management%20Cycle.thumbnail.jpg" width="96" /></a>  Figure 1 (Click on graphic to enlarge)</p>
<p align="left">The first step in the cycle is to conduct a risk assessment.  A risk assessment identifies:</p>
<ul>
<li>
<div align="left">Critical information assets</div>
</li>
<li>
<div align="left">Potential threats</div>
</li>
<li>
<div align="left">Vulnerabilities</div>
</li>
<li>
<div align="left">The risk level associated with each asset</div>
</li>
</ul>
<p align="left">The risk assessment is followed by an evaluation of the risks identified.  The first evaluation task is the prioritization of the various risks.  During the prioritization process, the assets with the highest risk levels should be assigned the highest priority.  The final evaluation activity is the identification of safeguards, and associated costs, to reduce each system risk to an acceptable level.</p>
<p align="left">Next, management selects and implements the appropriate approach to managing each risk.  Risk management is based on the premise that risk can probably never be reduced to zero; the cost would be too high.  Rather, management&#8217;s goal should be to address specific risks in one of the following ways:</p>
<ul>
<li>
<div align="left">Reject</div>
</li>
<li>
<div align="left">Accept</div>
</li>
<li>
<div align="left">Transfer</div>
</li>
<li>
<div align="left">Mitigate</div>
</li>
</ul>
<p align="left"><strong>Rejecting Risk</strong></p>
<p align="left">By rejecting risk, a manager is saying that he doesn&#8217;t believe the risk exists.  So he does nothing.  This is the head-in-the-sand approach.  Ignore it, and maybe it&#8217;ll go away.  This is a dangerous way to deal with potential negative business impact.  If used as a general approach to dealing with security issues, rejection of risk exposes the organization to a host of threats.</p>
<p align="left"><strong>Accepting Risk</strong></p>
<p align="left">Accepting risk might seem the same as rejecting risk, but it&#8217;s actually much different.  When a manager performs a security safeguard cost/benefit analysis, she might discover that the cost of mitigating the risk is greater than the probable impact on the business.  In such cases, it&#8217;s a better business decision to accept the risk and spend her security dollars in more effective ways. </p>
<p align="left"><strong>Transferring Risk</strong></p>
<p align="left">Once a manager decides to deal with the risk, there are two approaches.  He can either transfer or mitigate it.  Transferring risk is most often accomplished by purchasing insurance to cover some or all of the cost of a security incident.</p>
<p align="left"><strong>Mitigating Risk</strong></p>
<p align="left">Mitigation involves the implementation of security safeguards across people, processes, and technology in a reasonable and appropriate manner such that risk is reduced to an acceptable level. </p>
<p align="left">Once the assessment and management steps are complete, you should measure the effectiveness of your risk management efforts.  The metrics used should be simple and meaningful. </p>
<p align="left">Maintaining a completely secure network is a security manager&#8217;s dream; or should I say fantasy.  As the time-tested saying goes, the only completely safe network is the one that is powered off.  Risk management is about using business principles to reduce your organization&#8217;s risk so that a single security incident won&#8217;t cripple or destroy the business.  With each security investment, there should be a corresponding value sufficient to show ROI.  In some cases, as with regulatory mandates, this might be difficult.  But the principle of &#8220;reasonable and appropriate&#8221; should still prevail.</p>
<p align="left"><strong>Author: </strong>Tom Olzak</p>
<p align="left"><strong>Resources:</strong></p>
<p align="left"><a href="http://www.cert.org/governance/adequate.html" target="_blank">Governing for Enterprise Security</a></p>
<p align="left"><a href="http://computerworld.co.nz/news.nsf/UNID/473A76D3F994E3C8CC2570CA00771012?OpenDocument&#038;Highlight=2,managing,risk,as,important,as,avoiding,it" target="_blank">Managing risk as important as avoiding it</a></p>
<p align="left"><a href="http://www.princeton.edu/~protect/BasicConceptsAndTips/SecurityIsRiskManagement/SecurityMeansManagingRisk.shtml" target="_blank">Security Means Managing Risk</a></p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2006/02/07/security-risk-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Planning for the Ultimate Hack</title>
		<link>http://adventuresinsecurity.com/blog/2006/01/24/planning-for-the-ultimate-hack/</link>
		<comments>http://adventuresinsecurity.com/blog/2006/01/24/planning-for-the-ultimate-hack/#comments</comments>
		<pubDate>Tue, 24 Jan 2006 17:33:51 +0000</pubDate>
		<dc:creator>Tom Olzak</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Current Events]]></category>
		<category><![CDATA[Management Tips]]></category>

		<guid isPermaLink="false">http://adventuresinsecurity.com/blog/?p=8</guid>
		<description><![CDATA[The attack surface for hacking opportunities is getting larger every day.  Even anti-virus applications are vulnerable.  F-Secure just announced a patch for a vulnerability in their product.  On this side of the ocean, Symantec announced several weeks ago that its AntiVirus Library might allow the execution of malicious code because of a high-risk buffer overflow [...]]]></description>
			<content:encoded><![CDATA[<p>The attack surface for hacking opportunities is getting larger every day.  Even anti-virus applications are vulnerable.  F-Secure just announced a patch for a vulnerability in their product.  On this side of the ocean, Symantec announced several weeks ago that its AntiVirus Library might allow the execution of malicious code because of a high-risk buffer overflow vulnerability.  The important point to take from these announcements is that AV applications are still just that &#8211; client-side applications.  ALL client side applications are written by humans.  Humans make mistakes.  Mistakes equal security vulnerabilities.</p>
<p>As organizations shore up their Windows operating systems, non-Microsoft applications are becoming a more attractive target for hackers.  The SANS institute warns that the number of flaws in client-side applications continues to grow; this includes applications ostensibly intended to protect our end user devices and our networks.  This is providing easier access to sensitive information, which can result in HIPAA violations, identity theft, etc.  The bottom line?  Plan for a hacking, because it&#8217;s coming to a network near you.</p>
<p>But what is the best planning approach?  Some organizations plan for small events.  They base their planning decisions on the premise that the probability is quite low that a worst case scenario will become reality.  Other organizations plan for worst case scenarios, with the understanding that if their response team is trained in the worst that can happen, they can take care of lesser incidents.  I subscribe to the latter approach.</p>
<p>Incident response includes planning, team development, and testing.  If your team trains for small hacks, it may not be able to react to the big one when it occurs.  The proverbial handwriting is on the wall; the probability that your business will be the victim of a major compromise is growing every day.  Plan accordingly.</p>
<p><strong>Author:</strong>  Tom Olzak<strong> </strong></p>
<p><strong>Resources:</strong></p>
<p><a href="http://www.eweek.com/article2/0,1759,1913701,00.asp" target="_blank">Anti-virus Software: The Next Big Worm Target?</a> </p>
<p><a href="http://www.cio-today.com/story.xhtml?story_id=12000002XKNC" target="_blank">The Worst-Case Hack Scenario</a></p>
<p><a href="http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf" target="_blank">NIST Guide to Malware Incident Prevention and Handling</a></p>
]]></content:encoded>
			<wfw:commentRss>http://adventuresinsecurity.com/blog/2006/01/24/planning-for-the-ultimate-hack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
