IST Discover-E White Paper:

The 2 Most Important Security Questions to Ask Your eDiscovery Service Provider

Last year, the leading standards organization for the eDiscovery market, EDRM, announced the release of a Security Audit Questionnaire meant to act as a practical tool for evaluating the security capabilities of corporations, law firms, cloud providers, and third parties offering eDiscovery services.

The questionnaire is a godsend for organizations currently shopping for the best eDiscovery service providers, as it highlights the importance of security and provides a template for comparison. However, the questionnaire is thorough – very thorough. It sets out 74 separate criteria under seven categories meant not only to evaluate the security capabilities of cloud providers and third parties, but also to act as a self-checklist for organizations testing the security capabilities of their own in-house systems.

In many cases, however, attorneys or practice groups may not have the time or subject matter expertise to distribute the questionnaire and analyze its findings. For these situations, the questionnaire starts with the two most important, all-encompassing questions:

  1. Does your company maintain any security or other specialized certifications (SOC, ISO27001, PCA, or similar)? If so, please provide details on types and certification dates and please provide a copy of your most recent report, audit, or certification.
  2. Do you map your processes and procedures to standards (e.g. NIST, CIS, HITRUST, ISO, etc.)? If so, please list which ones.

These two questions are the silver bullet that can eliminate a great many would-be eDiscovery service providers. The reason is that security certifications and process compliance with third-party/regulatory institutions indicate an organization’s maturity and demonstrate dedication to security and process protocols.

The single best certification in response to question #1 is a current Service Organization Control (SOC) 2 Type II report.

SOC 2 Type II reports concern policies and procedures that have not just been placed into operation at a specific moment in time, but rather have been operating effectively over a period of time. A company that has achieved SOC 2 Type II certification has proven that its system is designed to keep its clients’ sensitive data secure. When it comes to working with the cloud and related IT services, such performance and reliability are absolutely essential and increasingly required by regulators, examiners and auditors.

Equally, in response to question #2, an organization that demonstrates compliance with the National Institute of Standards and Technology’s (NIST) NIST-800 protocols will prove to be an excellent and secure eDiscovery partner.

NIST-800 was developed by the US government to implement standards and guidelines, including minimum requirements, for providing adequate information security for all government agency operations and assets. These protocols deliver precise best practices for the management of secure data communications and for security planning requirements. As applied to private enterprises, NIST frameworks allow organizations to grow by leaps and bounds in information security readiness, and their application makes them a fundamental must-have when evaluating third-party eDiscovery partnerships.

Attorneys or practice groups can save a great deal of time narrowing their search for a quality eDiscovery partner by making these two questions a part of their early discussions with vendors. That said, if a vendor cannot provide proof of certification or adherence to standards in technology protocols, it does not necessarily mean that they are a poor partner. It may mean, however, that a more detailed evaluation is necessary to assess the level of risk the organization may be assuming by engaging the vendor partner.

At IST Discover-E, we recognize that by selecting partners that place a premium on data security, our clients can help ensure that a breach will not happen on their watch. IST Discover-E takes this responsibility very seriously and brings SOC 2 Type II certification along with NIST and FIPS protocols to your organization. We are dedicated to adhering to stringent administrative, physical and technical safeguard standards to give our clients and their clients peace of mind as their data leaves their offices.

Reference – EDRM Duke Law:  https://www.edrm.net/resources/security-audit-questionnaire/