publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/1310179
ILTA WHITE PAPER | LITIGATION AND PRACTICE SUPPORT 34

privacy governance. How this is handled, who has access to it, and what data governance policies the vendor has instituted and documented are critical in your vetting. It is up to you to ensure your vendor's security practices adhere to those requirements and regulations.

Passing an audit does not equate to good security.

We connected with Quincey Collins, Chief Security Officer at Sheppard Mullin. He noted that passing the security audit is a step in the process, but the evaluation and enforcement do not stop there. It is not enough to review ISO and SOC certificates. Security practices must be monitored, with communication protocols in place to notify of any changes that may affect the vendor's security practices. As noted above, if your clients have notice requirements, or even if your firm does, make every effort to ensure the vendor will comply with those requirements.

As a minimum standard, your eDiscovery vendor should have achieved ISO and SOC certification. Depending on your practice or business, there are many other industry-standard certifications that are boxes you should tick in your audit and evaluation. However, the challenge lies not in the audit but in validating continuing industry-standard security practices. Passing an audit is a step in the right direction, but it does not stop there. We must have ongoing insight into incident management at the vendor and require that it conform to firm or corporate standards. For instance, if your clients require 24-hour notice of a security breach, are you certain your vendor complies with that standard?

What can you ask to go above and beyond reviewing certifications?

• How has your security posture changed in the last five years?
• Do you utilize a privileged account security solution for role access?
• Is your patch management program enforced? How often do you audit this?
• How often do you conduct penetration testing?
• Can you provide a copy of the results of your last penetration test?
• What kind of security training do you provide your rank-and-file employees? Are they made aware of the threat landscape and given tools to combat that landscape?

The Beat Goes On.

Security audits are not one-time efforts when