EDRM Releases Security Audit Questionnaire
Monday, March 13, 2017
Posted by: Mary Mack
The EDRM released a spreadsheet for teams evaluating cloud, e-discovery and managed services and technologies.
“E-discovery increasingly involves very large volumes of potentially sensitive data, and multiple organizations may play a role in processing, hosting, review and production of documents,” says George Socha, EDRM co-founder. “It’s critical that decision makers assess the security capabilities of e-discovery providers, and the questionnaire was designed to guide that assessment.”
For those evaluating options, the spreadsheet has 74 questions and a way for teams to assign their own weights to rank responses. Areas of focus include risk management, asset security, communications and networking security, identity and access management, security operations and software development security.
For those proposing services, security-aware organizations may be able, rather than answer all 74 questions, to answer "Yes" to the general question asking which certifications or audits the security of the services has passed. Even if an organization has not passed an audit, filling out this questionnaire once will allow the organization to save time at RFP time.
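The weighting mechanism described above is easy to get wrong when responses are scored by hand: an inapplicable item should not drag a vendor down, and a single "No" on a critical control should stand out rather than disappear into an average. The following is an added example, not EDRM's workbook or code from anyone quoted in this article. The question IDs, weights, vendor names and answers are all constructed; the six focus areas are the ones the article names.

```python
"""Weighted scoring of security-questionnaire responses (constructed example)."""
from dataclasses import dataclass

# How each answer counts toward a question's weight. Anything else (blank,
# "missing", free text) scores 0 so an evasive answer never earns credit.
RESPONSE_SCORES = {"yes": 1.0, "partial": 0.5, "no": 0.0}


@dataclass(frozen=True)
class Question:
    qid: str      # hypothetical identifier, not an EDRM question number
    area: str     # one of the six focus areas named in the article
    weight: int   # reviewer-assigned importance, 1 (low) to 5 (critical)


# Constructed sample questionnaire; real reviews would carry all 74 items.
QUESTIONS = [
    Question("RM-1", "risk management", 4),
    Question("RM-2", "risk management", 2),
    Question("AS-1", "asset security", 3),
    Question("CN-1", "communications and networking security", 5),
    Question("IAM-1", "identity and access management", 5),
    Question("IAM-2", "identity and access management", 3),
    Question("SO-1", "security operations", 4),
    Question("SD-1", "software development security", 2),
]

# Constructed vendor responses. Vendor A never answered SD-1 at all.
VENDOR_A = {"RM-1": "Yes", "RM-2": "Partial", "AS-1": "yes", "CN-1": "YES",
            "IAM-1": "no", "IAM-2": "N/A", "SO-1": "yes"}
VENDOR_B = {q.qid: "partial" for q in QUESTIONS}


def score_responses(responses, questions=QUESTIONS, gap_weight=4):
    """Return overall and per-area scores in [0, 1] plus a list of gaps.

    "N/A" answers are dropped from both numerator and denominator so a vendor
    is not penalised for controls that do not apply to the service offered.
    A question with weight >= gap_weight that is not a clean "Yes" is flagged
    as a gap, because a high aggregate score can hide one critical miss.
    """
    earned, possible, gaps = {}, {}, []
    for q in questions:
        answer = responses.get(q.qid, "missing").strip().lower()
        if answer == "n/a":
            continue
        score = RESPONSE_SCORES.get(answer, 0.0)
        earned[q.area] = earned.get(q.area, 0.0) + score * q.weight
        possible[q.area] = possible.get(q.area, 0.0) + q.weight
        if q.weight >= gap_weight and score < 1.0:
            gaps.append(q.qid)
    by_area = {area: earned[area] / possible[area] for area in possible}
    total_possible = sum(possible.values())
    overall = sum(earned.values()) / total_possible if total_possible else 0.0
    return {"overall": overall, "by_area": by_area, "gaps": gaps}


def rank_vendors(vendor_responses, questions=QUESTIONS):
    """Rank vendors by overall weighted score, highest first."""
    scored = {name: score_responses(r, questions)
              for name, r in vendor_responses.items()}
    return sorted(scored.items(), key=lambda kv: kv[1]["overall"], reverse=True)


if __name__ == "__main__":
    for name, result in rank_vendors({"Vendor A": VENDOR_A, "Vendor B": VENDOR_B}):
        print(f"{name}: overall={result['overall']:.2f} gaps={result['gaps']}")
        for area, value in result["by_area"].items():
            print(f"  {area}: {value:.2f}")
```

The ranking puts Vendor A ahead of Vendor B on aggregate, yet Vendor A's report carries a gap on IAM-1, the critical identity question, which is exactly the kind of result a reviewer should read before trusting the total.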
ACEDS asked some practitioners to comment on the newly released project. John Tredennick, Bruce Markowitz and Doug Austin shared their thoughts with us.
John Tredennick, CEO, Catalyst:
First, I would note from below that there is no certification for HIPAA to my knowledge. I don't see SOC 2 mentioned, but I would mention it.
Second, I ran the spreadsheet by our security people. They said that we generally cover all those points.
I think the biggest danger is enshrining any particular security method. Very few stand alone without equally good alternatives.
For example, the weighting system seems to suggest that each of these items is a given and the more you have of them, the more secure you are. I don't believe that is the case. Excellent security will cover all of these areas and include many of the items, but they are not all equal nor necessary depending on your security schema.
There is a question that would seem to suggest that all client data be "segregated" on networks and computers during its lifecycle. B.02. This would be unnecessary from a security standpoint and inefficient. Modern security doesn't need separate hardware or systems. AWS certainly isn't offering that.
So, the problem with standards is that they don't move with the times, and not all of the items are appropriate to every scheme.
Bruce S. Markowitz, IGP, Vice President, e-Discovery, Evolver Legal Services
Service providers that are offering end-to-end eDiscovery services should have some type of nationally recognized certification, such as ISO, CMMI, NIST, HITECH (HIPAA), Privacy Shield, etc. Having these types of certification will allow a purchaser to assure that those organizations follow an industry standard that recognizes how media storage and destruction should be handled, how data should be processed and how users will access this data. Keep in mind these policies are enhanced by the federal rules and EDRM/ACEDS required workflows.
Those providers that are governed by these certifications should be able to provide a variety of documentation as it relates to each of the certification workflows.
Anyone that knowingly works with clients' PHI or PII data should have a HITECH or HIPAA data management policy in place on how these types of client data will be segregated and secured. The same will be true for those that deal with cross-border data; they should be part of some type of Privacy Shield and have documented policies to assure the security of this type of data.
Doug Austin, Vice President of Operations and Professional Service, CloudNine
Author, eDiscovery Daily Blog
With the number of data breaches rising exponentially and the number of privacy regulations increasing as well, security and privacy of electronically stored information has become a huge consideration within the eDiscovery life cycle. The new Security Audit Questionnaire released by EDRM last week via Excel workbook is a good initial set of criteria in providing a tool for organizations for evaluating the security capabilities of providers and law firms offering electronic discovery or managed services. Because the questionnaire is provided in an Excel workbook with detailed instructions for using and customizing, it can be tailored to the requirements of each organization for evaluating their providers’ security capabilities and procedures.
Congratulations from the ACEDS community to the EDRM and the Release Team:
- Julie Hackler, Account Executive, Avansic
- Lance Waston, Chief Information Officer, Avansic
- Beth Downing, Chief Operating Officer, Avansic
- Amy Sellars, Assistant General Counsel, Litigation Support Group, Walmart Legal
- Justin Hectus, Director of Information, Keesal, Young and Logan
- Tom MacKenzie, Vice President of Data Privacy & Compliance, TCDI
- Dean Van Dyke, Vice President, iBridge Global Services
- Kris Kadlac, Paralegal, Richman Greer, PA
- Andy Sokol, Director, CopyScan Technologies
- Michael Cammack, Chief Information Officer, Nightowl Discovery
- Lilith Bat-Leah, Director of ESI Solutions, Bluestarcs
- Deanna Fleener, Director of Managed Services, LDiscovery
- David Thomas, Enterprise Business Development Manager
- Kit Bright, Sr. Coordinator Information Systems, Gibsons
- Tom Gelbmann, Co-Founder, EDRM
- George Socha, Co-Founder, EDRM, and Managing Director, BDO
Download the EDRM Security Questionnaire here.