ISACA publishes electronic discovery risks guidance

Whilst most business continuity and IT security risk insurance policies provide legal action cover, what is little known is that, in the event of a claim, premiums for this kind of insurance can rise very substantially, Infosecurity notes.

This makes reducing an organisation's exposure to legal action all the more important. Electronic discovery, or e-discovery, is the process of identifying, preserving, collecting and producing electronically stored information in response to litigation or regulatory requests; because a failure to retain, protect or locate records can itself trigger sanctions or a claim, the topic falls squarely into the category of security governance.

ISACA's white paper, which is free to members and non-members of the association, recommends a number of steps that need to be taken in order to develop a successful e-discovery process:

Assess regulatory requirements specific to the organisation.

Ensure the proper mix of policy, process and technology to reduce reliance on any specific individual and maintain consistency.

Apply a consistent approach to e-discovery, giving the organisation time to evaluate and validate the information.

Establish information security controls - in line with the organisation's security policies - to protect information extracted.

Conduct employee training and awareness.

According to Kamal Dave, chief architect with HP, who co-authored the white paper along with Scott Shunners and John Vyhlidal of ConAgra Foods, one of the advantages of creating an e-discovery program is that it not only reduces risk related to litigation, but also can improve an organisation's compliance posture.

"It can also help control costs by eliminating a 'keep everything' mentality that exists when an organisation is unclear about the type of information to retain and how long to store it", he explained.

ISACA, which has more than 95,000 members worldwide, says that an effective e-discovery program can help minimise several risks and security concerns in organisations.

These risks include the intentional removal - or adulteration - of records, as well as the possible inability to recover records, and the provision of unnecessary or incorrect records.

The white paper concludes by listing a seven-stage process to identify and mitigate an organisation’s e-discovery risks and outlines the COBIT processes that organisations can implement to maximise the value of their e-discovery programs.
