Thursday, August 8, 2013

CCSK Study - Domain 3: Legal Issues: Contracts and Electronic Discovery

Notes
  • Legal Issues
    • Many different regions and countries have numerous laws in place to protect the privacy of personal data and the security of information and computer systems.
    • Most specify terms such as "Adopt reasonable technical, physical, and administrative measures in order to protect personal data from loss, misuse, or alteration"
    • Examples
      • OECD: Organisation for Economic Co-operation and Development
      • APEC: Asia Pacific Economic Cooperation's Privacy Framework
      • European Union Data Protection Directive
    • Organizations should be aware of the laws they are subject to
      • Even contractors of corporations may be subject to certain laws
      • HIPAA, GLBA, PCI DSS, ISO 27001, COPPA
    • May not be in the form of laws, but rather contractual obligations
    • Some laws may prohibit the export of data/information outside of the country
      • Obviously comes into play with cloud providers
    • Key point:  under many of these laws, the responsibility for protecting and securing the data typically remains with the collector or custodian of the data.  Before entering into a cloud computing arrangement, a company should evaluate its own processes.  A company should, and in some cases is legally bound to, conduct due diligence (DD) on the proposed cloud service provider.
    • Companies should keep in mind that CSPs are constantly updating their services, so companies should continually monitor, test, and update their own processes to reflect any changes at the CSP
      • Example: CYBEX
    • E-Discovery Issues
      • I think that although these issues were brought up during a conversation about e-discovery, they are relevant to all types of data being stored in the cloud
      • ESI: Electronically stored information
      • Possession, Custody, and Control
        • Clients are expected to turn over all data in their control (that pertains)
        • Clients do not have access to the CSP's DR (disaster recovery) locations, or to certain metadata that the CSP has created about a document
        • Clients should have an understanding of what data is and is not available
      • Relevant Cloud Applications and Environment
        • The cloud app may come into scope and may require a separate subpoena
      • Searchability and E-discovery Tools
        • Certain tools will not work with the cloud, or may be expensive to run
        • Client may not have rights to search all data in the cloud
      • Preservation
        • Clients need to preserve the data (using all reasonable steps)
        • What about SLAs?  What happens if the SLA expires before the preservation term?
        • Monitoring of cloud provider?
        • What about the costs of storage for preservation?
        • Can the client effectively download the data in a forensically sound manner so it can be preserved off-line / near-line?
        • How is data tagged or scoped for preservation in the cloud?  Does the cloud provider offer that granularity?
      • Collection
        • Because the data is held by the CSP, collection may be more difficult
        • Data may only be available in batches at a time
        • Access and bandwidth restrictions?
        • SLA may restrict the speed at which data is accessed or the manner in which it is accessed
        • Bit-for-bit forensic imaging may not be possible, even if it is required
        • The client is obligated to take reasonable steps to validate that its collection from its CSP is complete and accurate
      • CSP may deny direct access to its hardware
      • CSP may be able to produce "native production" of the data but it may not be in a usable format
      • Documents should not be considered more or less admissible or credible simply because they were stored in the cloud (absent evidence to the contrary)
      • Clients should include contractual provisions requiring that they be notified and given sufficient time to contest a subpoena or search warrant
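The Preservation and Collection bullets above ask whether a client can pull data out of a CSP in a forensically sound manner and then validate that the collection is complete and accurate. The script below is an added example (mine, not from the CCSK guidance or from these notes) of the minimum a client can do on its own side: hash every collected file into a manifest and reconcile it against an inventory of what the provider said it exported. The inventory format (a JSON-style list of path, size and sha256 records obtained from the CSP or built from its export listing) and the sample files are assumptions constructed for the demo.

```python
"""Reconcile a batch collected from a cloud provider against the provider's inventory.

Added example, not part of the CCSK notes. The inventory format is an assumption:
a list of {"path", "size", "sha256"} records that the client requests from the
CSP (or derives from the CSP's export listing) before the download starts.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large exports do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root; keys are POSIX-style relative paths.

    The returned dict is the client's chain-of-custody record for the batch."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_collection(inventory: list, collected: dict) -> dict:
    """Compare the CSP inventory with what actually arrived on the client side."""
    expected = {rec["path"]: rec for rec in inventory}
    both = set(expected) & set(collected)
    missing = sorted(set(expected) - set(collected))      # listed by CSP, never arrived
    extra = sorted(set(collected) - set(expected))        # arrived, but CSP never listed it
    mismatched = sorted(                                  # arrived, but hash or size differs
        p for p in both
        if expected[p]["sha256"] != collected[p]["sha256"]
        or expected[p]["size"] != collected[p]["size"]
    )
    verified = sorted(both - set(mismatched))
    return {
        "verified": verified,
        "missing": missing,
        "mismatched": mismatched,
        "extra": extra,
        "complete": not missing and not mismatched,
    }


def demo() -> dict:
    """Constructed scenario: the CSP inventory lists three files; one never arrives,
    one is altered in transit, and the export carries a sidecar the inventory omitted."""
    originals = {  # constructed sample content, not real records
        "mail/msg-001.eml": b"From: alice@example.test\r\n\r\nagreed.",
        "contract.pdf": b"%PDF-1.4 constructed sample",
        "mail/msg-002.eml": b"From: bob@example.test\r\n\r\nsee attached.",
    }
    inventory = [
        {"path": p, "size": len(b), "sha256": hashlib.sha256(b).hexdigest()}
        for p, b in originals.items()
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for p, b in originals.items():
            if p == "mail/msg-002.eml":
                continue                                  # simulated: batch truncated
            if p == "contract.pdf":
                b = b + b"\n% trailing bytes added"      # simulated: altered in transit
            dest = root / p
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(b)
        (root / "export-metadata.json").write_text("{}")  # simulated: unlisted sidecar
        collected = build_manifest(root)
        result = verify_collection(inventory, collected)
        result["manifest"] = collected
        result["collected_at"] = datetime.now(timezone.utc).isoformat()
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A run that reports any entry under "missing" or "mismatched" is a batch that cannot yet be represented as a complete and accurate collection; "extra" entries are worth recording too, since unlisted provider metadata is exactly the kind of material the custody and control bullets say clients may not otherwise know exists. Saving the manifest alongside the downloaded files (with the timestamp) gives the off-line copy a verifiable baseline for later preservation checks.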
Summary
This section brings up some good points about storing data with a CSP.  Although the focus here was more on the legal end, it is important to understand that these issues around the trust of stored data, how it is stored, and how it is accessible apply to all types of data.  The courts obviously require some degree of validation before the data is admissible in court.  Further to that, with respect to e-discovery, the courts need some degree of assurance that all the data that should have been submitted in fact was.  A subset of these issues may be important to other types of data based on contractual obligations or corporate policies.