Data Risk Governance

Advanced E-Discovery Institute 2011

Matt — Thu, 17 Nov 2011 13:47:01 +0000

Notes taken during presentations made at the 2011 Advanced E-Discovery Institute, held at the Ritz Carlton hotel, Washington D.C., November 17-18 2011.

Information Security Policy

Matt — Fri, 17 Dec 2010 21:32:58 +0000

New Policy content added to the Resources section.

SANS Legal 523: Law of Data Security and Investigations

Matt — Fri, 17 Dec 2010 04:26:07 +0000

This past week I’ve had the privilege of attending the one of the nation’s best training events dealing with information security and legal issues. See my review here.

Infected by Malware: Throw the Computer Away?

Matt — Fri, 17 Dec 2010 02:03:27 +0000

There are some forms of malware circulating that infect the persistent memory on graphics processing cards (GPU), network interface cards and any other hardware component that contains its own memory distinct from the computers RAM. This means that you cannot remove the malware simply by reinstalling your operating system after formatting your hard drive, because the malware is located in the memory of one of your hardware components. The difficulty in removing the malware from these locations may just mean you’re better off throwing the computer out and buying a new one! This has been the case for some organizations that have been infected by these types of malware. So much for not hurting the hardware.

http://www.vizworld.com/2010/09/gpuassisted-malware/

Discovered: http://www.theregister.co.uk/2009/03/24/persistent_bios_rootkits/

Live Blog From Georgetown Advanced E-Discovery Conference

Matt — Thu, 18 Nov 2010 16:06:02 +0000

See my notes covering the below topics, here: 2010 Georgetown Advanced E-Discovery Institute (Nov. 18-19, 2010)

Case Law Update

International E-Discovery

RULE 502: Inadvertent Waiver

Proportionality: Is It Real or a Paper Tiger? Kevin F. Brady, Conor R. Crowley, Joseph P. Guglielmo, Hon. Andrew J. Peck, Hon. Joseph R. Slights, III.

Sedona Conference published in October, 2010, the Principles of Proportionality.

The Business of E-Discovery

Major themes and lessons learned in the session: 1- The “problems” of disappointing IT solutions for E-discovery is no different than the general pitfalls of IT providing solutions for general business problems. Good old-fashioned IT project management, requirements gathering, and integration of business process (in this case, legal processes) expertise in the delivery of technology. 2- Legal now has a place at the table in the GRC and information governance. Chief Compliance Officers are now able to have budgets dedicated to managing the information risks of their organizations.

Not Just EU Privacy: A Global View on International E-Discovery

Early Evidence Assessment & Strategies for Search, Retrieval & Review (Early Case Assessment)

2010: A Sanctions Odyssey

Craig Ball, Database Discovery.

Cloud Computing; Dan Regard, Tanya Forsheit, Hon. Francis Allegra, Theresa Beaumont

Is Stuxnet the ‘best’ malware ever?

Matt — Mon, 04 Oct 2010 18:32:27 +0000

Is Stuxnet the ‘best’ malware ever?.

Failed Risk-Based Security: Notes from Donn Parker RSA 2010 Presentation

Matt — Thu, 22 Apr 2010 17:23:08 +0000

Failed Risk-Based Security

Helping Lawyers Overcome Cloud Anxiety

Matt — Thu, 22 Apr 2010 17:08:26 +0000

Author and attorney Julie Tower-Pierce contributed short little article to the April 2010 issue of Information Security magazine, that encourages IT personnel to provide insight and clarity on cloud computing to corporate counsel. Corporate counsel are rightly concerned about a variety of data protection risks stemming from the use of third-party computing services. Tower-Pierce writes, “By using straightforward, practical explanations and real-world analogies/examples, minus excessive technicalities when possible, you can impart a firm understanding of the mechanics of cloud computing and help lawyers gain perspective.”

I have no qualms about this approach whatsoever. The challenge is getting the two sides to even have the conversation. Most likely, the conversation would originate during the a company’s vendor (third-party) assessment process. This is the most frequent interaction between in-house counsel and information security or other risk assessors. The contractual relationship is often hammered out simultaneously with the IT controls assessment.

Another opportune time to have the conversation is during a corporate risk committee or IT governance steering committee meeting. These meetings take on a variety of shapes, names and participants, but whatever the risk management authority looks like, it should incorporate discussions on emerging topics such as cloud computing.

A third opportunity to have such discussions would be to invite legal to participate in the development of a cloud computing security policy, a part of a firm’s overall information security policy framework.

ISO 31000

Matt — Mon, 12 Apr 2010 19:50:34 +0000

Here’s a link to a short article describing the new ISO 31000:2009 standard, purportedly a generic risk management process guide that is industry agnostic.

Albert Gonzalez Gets 20 Years

Matt — Sun, 28 Mar 2010 21:26:50 +0000

See WSJ article here.