publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/1310179
ILTA WHITE PAPER | LITIGATION AND PRACTICE SUPPORT

What's under that hood?

Committing your firm or company to a vendor relationship is a complex and daunting process. In the past we may have relied on personal experience or relationships, but in a climate of continuous threat that is a risky basis for the decision. Vendor screening and management are a necessary and rigorous process that includes liability analysis and risk assessment.

Security audits are a vital component of any vendor screening process. To truly validate a security posture, the same standardized audit protocol must be applied to every vendor. There are industry-standard auditing protocols, and your approach should include a Standardized Information Gathering (SIG) questionnaire. The SIG cuts across industries and covers much of what should be evaluated. However, the eDiscovery vendor landscape is ever-evolving, with rounds of mergers and acquisitions, so there are additional security questions specific to our industry that may be useful when evaluating a vendor.

Whether the vendor you work with is acquiring or has been acquired, it is incumbent on the vendor relationship manager (a/k/a you) to conduct an impact analysis of their environment. Below are some of the many things to consider, and questions to ask, in the impact analysis.

• Have you acquired, or merged with, another company?
• Are you in the process of being acquired, or have you been acquired, by another company?
• If so, what is the integration plan?
• Have you put a plan in place to confirm patching and other security protocols with the acquired or acquiring company?
• What auditing process have you put in place to ensure that the acquired or acquiring company conforms to the highest and best industry standard for security, backup and patching?
• How is data segmentation handled at the acquiring/acquired company for processed and hosted data?
• Do you maintain copies of data through each stage of data manipulation? Who has access?
• What access controls do you have in place for each stage of data manipulation?

Understanding the workflow and access controls of client data is essential. A marketing vendor has access to a different type of data than an eDiscovery company does. Client data may contain highly confidential documents, trade secrets, PHI/PII, or other data that is subject to GDPR or other