eDiscovery Daily Blog

• March 14, 2017

As promised when they announced the project last August, EDRM announced last week the release of a new Security Audit Questionnaire, which is designed to be a practical tool for evaluating the security capabilities of corporations, law firms, cloud providers, and third parties offering electronic discovery or managed services.

The security survey evaluates an organization’s data security and practices, allowing potential customers to assess the risk of entrusting sensitive data to the vendor. The tool can be used to assess data protection from destruction or unauthorized access, as well as to assure regulatory compliance with data-related legislation such as HIPAA, the Sarbanes-Oxley Act, and security breach notification laws.

The evaluation allows the assessor to determine the level of risk the organization may be assuming by engaging the vendor or partner and to make suggestions to improve security practices and enhance the service provided.  The tool is also suited for organizations who wish to conduct a self-audit to assess security capabilities and identify areas for improvement.

The seven security disciplines addressed in the audit questionnaire include 74 separate criteria, as follows:

• General Security (2 questions)
• Security and Risk Management (17 questions)
• Asset Security (5 questions)
• Communications and Network Security (23 questions)
• Identity and Access Management (10 questions)
• Security Operations (15 questions)
• Software Development Security (2 questions)

The rank scale is dependent on the category, as some categories have “yes/no” questions only and others have a rank scale from 1 to 10.  Each question allows for recording of additional notes and a summary sheet keeps track of the scores across the seven security disciplines.

A team of EDRM members representing e-discovery providers, corporate legal, and law firms convened in August 2016 to discuss security and compliance requirements and create a plan for the Security Audit Questionnaire.  Amy Sellars, assistant general counsel, litigation support for Walmart Legal, and Julie Hackler, account executive at Avansic, led the team of 14 professionals with backgrounds in e-discovery, security, IT technologies, and litigation support in creating the tool. Over several months of collaborative effort, the team identified the seven key security areas for audit, developed checklists and audit questions, and built and tested the questionnaire.

“E-discovery increasingly involves very large volumes of potentially sensitive data, and multiple organizations may play a role in processing, hosting, review and production of documents,” said George Socha, EDRM co-founder. “It’s critical that decision makers assess the security capabilities of e-discovery providers, and the questionnaire was designed to guide that assessment.”

A copy of the questionnaire can be downloaded from the EDRM/Duke Law website here.

So, what do you think of the questionnaire?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.