eDiscovery Risk & Audit Scott Shinners and John Vyhlidal ConAgra Foods Inc

ISACA Training eDiscovery Presentation



Page 1: ISACA Training eDiscovery Presentation

8/2/2019 ISACA Training eDiscovery Presentation

http://slidepdf.com/reader/full/isaca-training-ediscovery-presentation 1/33

eDiscovery Risk & Audit

Scott Shinners and John Vyhlidal

ConAgra Foods Inc

Page 2: ISACA Training eDiscovery Presentation


Objectives

• Overview of the eDiscovery landscape

• Discuss the risks related to the area of eDiscovery

• Overview of best practice strategies for dealing with eDiscovery risks

• Describe the related information technology management issues

• Discuss the development of the eDiscovery Audit Program

Page 3: ISACA Training eDiscovery Presentation


Content

• Background

• Risks

• Management Processes and Controls

• Audit Program

• Debrief 

• Sources

Page 4: ISACA Training eDiscovery Presentation


Background

• Every year enterprises collect, process and accumulate a snowballing amount

of data from an ever-expanding set of internal and external sources

 –  According to a recent estimate by market researcher IDC, the expanding digital universe — reaching 1.8 trillion gigabytes — will drive demand for cloud-friendly information infrastructure and real-time analytics for "big data"

 –  In a 2010 study Gartner showed that data growth was one of the top three challenges for data center managers at 47 percent of large enterprises

• This amount of data holds abundant potential to provide guidance for decision

making in many areas of the enterprise

• Most of the data is relevant and necessary to an organization, and so collecting less data is not a viable option

• Data can however constitute several risks to the organization if not properly

managed – we will focus on litigation and regulatory risk 

Page 5: ISACA Training eDiscovery Presentation


Background

• Electronic discovery (eDiscovery) is pertinent to criminal or civil litigation and

deals with the exchange of information in electronic format

 –  Electronically stored information (ESI)

 –  All other forms of information (digital or print)

 –  Digital forensics analysis for evidential recovery

• Electronic discovery was the subject of amendments to the Federal Rules of Civil Procedure (FRCP), effective December 1, 2006

 –  States have copied these e-discovery rules into their own requirements

 –  Effectively forced civil litigants into a compliance mode

 –  Impacts both the proper retention and management of ESI

 –  Response to discovery and day-to-day data management impact

 –  Improper handling could lead to adverse inference, summary judgment, or sanctions

 –  Attorneys can be brought before the bar and risk their livelihood

Page 6: ISACA Training eDiscovery Presentation


Background

• Discovery

 –  The process of identifying, locating, securing and producing information and

materials for the purpose of obtaining evidence for utilization in the legal process

 –  Additionally the process of reviewing all materials that may be potentially relevant

to the issues at hand and/or that may need to be disclosed to other parties, and of evaluating evidence to prove or disprove facts, theories or allegations

 –  Common discovery methods include interrogatories, requests for production of documents and depositions

• What is eDiscovery:

 –  The process of collecting, preparing, reviewing, and producing electronically stored information (ESI) in the context of legal discovery

Page 7: ISACA Training eDiscovery Presentation


Background

• Organizations have aligned their legal and information technology (IT)

functions for day-to-day data management and requests for information related

to possible, pending, or actual litigation

 –  IT typically owns data governance and data management, but that is changing

 –  Litigation support functions have matured in most organizations

 –  e-discovery business processes and software tools are maturing

 –  Data archiving and retention practices are "catching up"

 –  Organizations also need solutions for archiving that are both cost effective but are

also comprehensive

 – Controls must be put in place to ensure data’s accessibility and integrity 

Page 8: ISACA Training eDiscovery Presentation


Background

• What is the definition of electronically stored information (ESI)

 –  Data is identified as relevant by attorneys and placed on legal hold

 –  Evidence is then extracted and analyzed using digital forensic procedures, and is

usually converted into read-only format for potential use in court

 –  ESI is considered different from paper information because of its intangible form, volume, transience and persistence

 –  ESI is usually accompanied by metadata that is not found in paper documents

and that can play an important part as evidence (e.g., the date and time a

document was written could be useful for copyright)

 –  The preservation of metadata from electronic documents creates special challenges to prevent spoliation

Page 9: ISACA Training eDiscovery Presentation


Background

• All types of electronically stored information could be relevant evidence:

 –  Hard copy documents

 –  Graphics/charts

 –  Business data

 –  E-mail

 –  Instant messaging chats

 –  CAD/CAM files

 –  Recorded sessions (video or audio)

 –  Images

 –  Web sites

Page 10: ISACA Training eDiscovery Presentation


Background

• Common Issues

 –  The number of different people who may be involved (e.g. lawyers for both parties, forensic specialists, IT managers, records managers, etc.)

• Potential for miscommunication or ineffective coordination

• Forensic examination and the use of unusual terminology and acronyms

• Failure to understand or apply the organization’s policies and practices

• Potential for accidental alteration or destruction of data

 –  Given the complexities of modern litigation and the wide variety of information

systems on the market, electronic discovery often requires specialized

technology that may be difficult to manage

 –  Failure to get expert advice from knowledgeable personnel often leads to additional time and unforeseen costs in acquiring new technology or adapting existing technologies to accommodate the collected data

Page 11: ISACA Training eDiscovery Presentation


Background

• Legal Defensibility – Critical Success Factors

 –  Documentation

 –  Accuracy

 –  Auditability

 –  Reproducibility

 –  Collection methods

 –  People

Page 12: ISACA Training eDiscovery Presentation


Background

• Goals For An Effective eDiscovery Program

 –  Ability to provide discovery-requested electronically stored information

regardless of the type of content and storage location across the organization

 –  Responding to requests for discovery efficiently, effectively and completely

 –  Providing required information completely

 –  Refraining from providing information not requested

Page 13: ISACA Training eDiscovery Presentation


Background

• Process

 –  Critical to identify the sources of data that may be needed to formulate the

information or to satisfy the request for information

 –  Information may need to be mapped to identify the relevant sources of information:

• Owner/Custodian

• Content

• Format

• Source

• Systems/Device/Technology

 –  Preservation process needs to be established so information relevant to current or

reasonably anticipated litigation, audit or government investigation is preserved

 –  Failure to properly preserve information can negatively affect the outcome of the case and can expose the organization to additional sanctions

Page 14: ISACA Training eDiscovery Presentation


Risks

• Intentional/unintentional removal of records

• Intentional/unintentional adulteration of records

• Data security, integrity, and privacy considerations

• Inability to recover records

• Providing unnecessary records

• Providing the wrong records

• Social media/non-traditional communication channels subject to eDiscovery

• Losing litigation cases (macro level risk)

• Fines for non-compliance (macro level risk)

Page 15: ISACA Training eDiscovery Presentation


Management Processes and

Controls

• Management processes using the Electronic Discovery Reference Model

• Process steps to implement an effective eDiscovery solution

• Assessing management’s processes using a capability maturity model 

• Entity level control practices for effective data management

• Application and IT general controls for eDiscovery solutions

Page 16: ISACA Training eDiscovery Presentation


Management Processes and

Controls

Page 17: ISACA Training eDiscovery Presentation


Management Processes and

Controls

• Legal Hold Process

 –  Communications issued to record owners/custodians as a result of current or

anticipated litigation, etc. that suspends the normal disposition and processing

of records

 –  Integral part of the overall preservation process

Page 18: ISACA Training eDiscovery Presentation


Management Processes and

Controls

• Model Legal Response/Legal Hold Process Steps: Identify Team → Identify Sources → Identify Locations → Manage and Monitor

 –  Identify Team

• Legal

• Records Mgmt.

• IT

• Business

• Individuals

 –  Identify Sources and Locations

• Paper Sources

• Electronic Sources (Email, IMs, Documents)

• Backups

• Equipment (Servers, Desktops, Laptops)

• File Shares

• PDAs

• Removable storage

• Third Parties

 –  Manage and Monitor

• Initiate

• Custodians

• Incident

• Legal Hold Notice

• Tracking (Monitoring)

• Enforcement

• Status

• Communication

• Follow-up

Page 19: ISACA Training eDiscovery Presentation


Management Processes and

Controls

• Processing

 –  Capture and preservation of electronic documents

 –  Association of collected documents with particular users, owners, custodians

 –  Capture and preservation of metadata

 –  Establishment of parent-child relationships between source data files

 –  Automation of the identification and elimination of redundant and duplicate data

 –  Provide programmatic means to suppress material not relevant to the review

 –  Unprotect and reveal information within files

 –  Maintain defensibility, cost effectiveness and expediency of process

Page 20: ISACA Training eDiscovery Presentation


Management Processes and

Controls

• Production

 –  Production of paper documents

 –  Types of ESI comprising the data set for production

 –  Appropriate format of documentation

 –  Appropriate storage media production

 –  Production capabilities and limitations

 –  Technical formats

 –  Communication of production issues between parties

Page 21: ISACA Training eDiscovery Presentation


Management Processes and

Controls

• Process steps to implement an effective eDiscovery solution:

 –  Step 1: Identify the risk 

 –  Step 2: Consider the existing control environment

 –  Step 3: Evaluate the design of current controls as related to e-discovery

 –  Step 4: Identify any gaps

 –  Step 5: Consider the cost/benefit of mitigating existing gaps

 –  Step 6: Select and implement solutions

 –  Step 7: Monitor

Page 22: ISACA Training eDiscovery Presentation


Software Options

• Gartner classifies software and eDiscovery solutions into the following

categories for analysis:

 –   Information governance and archiving tools - using existing e-mail and file

archiving, records or content management, with associated litigation hold,

preservation, and processing

 –   Identification, collection, preservation and processing tools - that have either a

workflow-based system for attorneys to track custodian-led collection or a search

and information access system for the IT and legal departments to use

 –   Analysis tools - for processing, reviewing and analyzing documents, either early

case assessment or a later state of review, including features such as document

categorization, redaction and mechanisms to mark documents as privileged or in other ways to categorize and process them (includes the attorney review

platforms that have been used for 10 or more years by the legal community to

perform document review)

Page 23: ISACA Training eDiscovery Presentation


Capability Maturity Model

Source: An EDRM White Paper  – part of the EDRM White Paper Series

September, 2010 – Adam Hurwitz, BIA CIO, Business Intelligence Associates, Inc.

Page 24: ISACA Training eDiscovery Presentation


Management Processes and

Controls

• Entity-level controls needed to address risk associated with e-discovery

 –  Policies, procedures and a standard code of conduct can have a significant impact

on the enterprise’s ability to execute a strategy to mitigate the risk  

 –  Specific IT policies and procedures should be developed to address the risk 

• May entail developing or modifying existing IT policies on data retention/archiving

• Appropriate data retention and deletion schedules must be created and maintained

• Implementation and maintenance of specific technologies

• IT operations and support for the overall e-discovery process and technology solutions

 –  While these policies may currently exist within the enterprise, they should be

reviewed to ensure that e-discovery risk is specifically considered

Page 25: ISACA Training eDiscovery Presentation


Management Processes and

Controls

• Relevant Entity Level Controls

 –  Control Environment

• Code of conduct

• Assignment of Authority and Responsibility

• Risk assessment

 –  Information and Communication

• Policies and procedures

• Effective coordination across legal, IT, and business operations

• Training and awareness programs

 –  Monitoring

• Data retention and archiving review process

• Data destruction and deletion review

• Internal audit assurance

Page 26: ISACA Training eDiscovery Presentation


Management Processes and

Controls

• Application and IT General Controls:

 –  Existing applications and systems

• Role-based access restrictions for update to critical data

• Application security to enforce "need to know" restrictions

• Backup and recovery controls

• Data integrity controls

 –  eDiscovery systems

• Read-only access

• IT administrative access

• Data completeness and integrity

• Backup and recovery

Page 27: ISACA Training eDiscovery Presentation


Audit Program

• Policy

 –  Obtain and inspect records retention, legal hold and eDiscovery policies and

procedures from Legal and IT

 –  Compare IT and Legal policies for completeness and applicability to the current environment

 –  Compare policies to industry leading practices to identify potential gaps

Page 28: ISACA Training eDiscovery Presentation


Audit Program

• Evaluation of management processes to identify relevant data

 –  Data mapping: make sure that management has a way to provide an accurate picture of the company’s data

 –  Make sure that the identification process covers the many types of servers holding active and dynamic data (e.g. file servers, collaboration servers, e-mail servers)

 –  Make sure management considers interrelated data management systems (e.g. document management systems, financial systems, disaster recovery and backup systems)

Page 29: ISACA Training eDiscovery Presentation


Audit Program

• Data Retention

 –  Review process for identifying and categorizing data in existing applications

as related to the records retention policy

• Inspect data stored in a selection of applications as compared to the organization’s

data retention policy

• Make sure data is maintained only as required by a written formal data retention

policy and that the retention period is consistent with the policy

• Make sure that data is not deleted prior to the expiration of the data per the relevant

section of the policy

Page 30: ISACA Training eDiscovery Presentation


Audit Program

• Legal Hold Process

 –  Identify population of legal "cases" –  identify "legal holds"

 –  Trace from legal holds to communication and approvals

 –  Assess the completeness of the data acquired

 –  Assess data access requirements for that legal hold are appropriate

 –  Test that read-access to the data is limited as appropriate

 –  Verify that update-access to the data is prevented
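The Data Retention and Legal Hold audit steps above can be run as one mechanical test over a record inventory: each record is compared against the written retention schedule, and an active legal hold suspends normal disposition. This is an added example, not the presenters' own tooling; the retention schedule, the hold register (matter ids, issue and release dates) and the inventory are constructed sample data.

```python
# Added example (not from the presentation): retention-schedule and
# legal-hold audit over a constructed record inventory.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Set

@dataclass
class Record:
    record_id: str
    category: str                    # key into the retention schedule
    created: date
    deleted: Optional[date] = None   # disposition date; None if still kept
    holds: Set[str] = field(default_factory=set)  # matter ids applied

# Hypothetical retention schedule: category -> retention period in days.
RETENTION_SCHEDULE = {"email": 3 * 365, "contract": 7 * 365, "im-chat": 90}

# Hypothetical legal-hold register: matter id -> (issued, released or None).
# An active hold suspends normal disposition of the records it covers.
LEGAL_HOLDS = {
    "MATTER-001": (date(2018, 6, 1), None),
    "MATTER-002": (date(2017, 1, 1), date(2017, 12, 31)),
}

def hold_active(hold_id, on):
    """True if the matter's hold was in force on the given date."""
    issued, released = LEGAL_HOLDS[hold_id]
    return issued <= on and (released is None or on <= released)

def audit_record(rec, as_of):
    """Return the audit findings for one record as of the given date."""
    if rec.category not in RETENTION_SCHEDULE:
        return ["NO_SCHEDULE"]  # the written policy does not cover this type
    findings = []
    expiry = rec.created + timedelta(days=RETENTION_SCHEDULE[rec.category])
    if rec.deleted is not None:
        if rec.deleted < expiry:
            findings.append("PREMATURE_DELETION")  # deleted before expiry
        if any(hold_active(h, rec.deleted) for h in rec.holds):
            findings.append("DELETED_UNDER_HOLD")  # spoliation exposure
    elif as_of > expiry and not any(hold_active(h, as_of) for h in rec.holds):
        findings.append("OVER_RETENTION")  # kept past policy with no hold
    return findings

def audit(records, as_of):
    """Map each record id to its findings; an empty list means compliant."""
    return {r.record_id: audit_record(r, as_of) for r in records}

# Constructed inventory exercising each finding type.
SAMPLE_RECORDS = [
    Record("R1", "email", date(2015, 1, 1)),
    Record("R2", "email", date(2015, 1, 1), holds={"MATTER-001"}),
    Record("R3", "contract", date(2016, 3, 1), deleted=date(2019, 1, 15)),
    Record("R4", "im-chat", date(2018, 7, 1), deleted=date(2018, 10, 15),
           holds={"MATTER-001"}),
    Record("R5", "im-chat", date(2017, 1, 10), deleted=date(2018, 2, 1),
           holds={"MATTER-002"}),
    Record("R6", "voicemail", date(2019, 1, 1)),
]
AS_OF = date(2019, 8, 2)
```

Running `audit(SAMPLE_RECORDS, AS_OF)` flags R1 as over-retained, R3 as deleted before its retention expired, R4 as deleted while a hold was active and R6 as a data type the policy never covered; R2 (past expiry but on hold) and R5 (deleted after its hold was released) are compliant.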

Page 31: ISACA Training eDiscovery Presentation


Audit Program

• Technology and Data Security

 –  Inspect system settings to determine access to critical systems

• Email systems

• Shared drives, intranet locations, MS SharePoint, etc.

• Primary databases for relevant business systems

• Backup databases, backup tapes, or DRP stored data

 –  Inspect system configurations and settings of operating systems and logical

security settings used to protect the data

 – Audit users’ access to the data 

• Update access

• Read access (strict need to know basis only)

• Be careful of IT system administrative access and privileges

 –  Make sure data secured for legal holds is backed up and that periodic processes

assess recoverability
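One periodic process that assesses recoverability and integrity of legally held data, as the last bullet asks for, is to hash every preserved item at collection time and compare a restored copy against that manifest. This is an added example, not the presenters' own procedure; it works on in-memory path-to-bytes maps and the preserved and restored collections are constructed.

```python
# Added example (not from the presentation): integrity and recoverability
# check for a preserved legal-hold collection restored from backup.
import hashlib

def build_manifest(collection):
    """Record the SHA-256 of every preserved item at collection time."""
    return {path: hashlib.sha256(data).hexdigest()
            for path, data in collection.items()}

def verify_restore(manifest, restored):
    """Compare a restored copy against the manifest taken at preservation.

    Returns {path: finding}; an empty dict means the restore is complete
    and bit-for-bit identical to what was preserved."""
    findings = {}
    for path, expected in manifest.items():
        if path not in restored:
            findings[path] = "MISSING"      # recoverability failure
        elif hashlib.sha256(restored[path]).hexdigest() != expected:
            findings[path] = "MODIFIED"     # integrity failure
    for path in restored:
        if path not in manifest:
            findings[path] = "EXTRA"        # completeness / scope issue
    return findings

# Constructed sample: what was preserved under the hold ...
PRESERVED = {
    "custodian-a/inbox.pst": b"original mailbox bytes",
    "custodian-a/contract.pdf": b"%PDF-1.4 constructed contract",
    "custodian-b/chat.log": b"2018-06-01 10:00 hello",
}
# ... and what a restore from backup actually produced.
RESTORED = {
    "custodian-a/inbox.pst": b"original mailbox bytes",
    "custodian-a/contract.pdf": b"%PDF-1.4 constructed contract EDITED",
    "custodian-b/notes.txt": b"not part of the hold",
}

if __name__ == "__main__":
    for path, status in verify_restore(build_manifest(PRESERVED), RESTORED).items():
        print(status, path)
```

The manifest itself should be stored separately from the collection (and ideally signed or write-protected), since a manifest that can be altered with the data proves nothing.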

Page 32: ISACA Training eDiscovery Presentation


Debrief 

• Provided an overview of the eDiscovery landscape

• Discussed the risks related to the area of eDiscovery

• Provided best practice strategies for dealing with eDiscovery risks and

related information technology management issues

• Discussed the development of the eDiscovery Audit Program

Page 33: ISACA Training eDiscovery Presentation


Contact Information

Scott M. Shinners

Finance Director – Internal Audit

ConAgra Foods

(402) 240 – [email protected]