The biggest challenge in risk management is that many global organisations are growing rapidly and information is becoming more available.

Businesses want information faster and to quickly fire it off around the globe. They want to send it to their trading partners, and they also want to receive data from those partners or other stakeholders.

So information is growing in volume and is being distributed around the
organisation at a very fast rate. There has been an exponential increase over the past 10 years and now most organisations ­ and even people at home ­ have huge amounts of stored electronic data. In terms of volume and accessibility, it is getting quite complex.

Clearly, IT departments need to work very closely with legal teams, so that they understand the data that is in use in the organisation.

Legal experts have to set policies that can be interpreted by IT people so that controls and standards to manage that data can be implemented.

There has to be a good working relationship between the two disciplines, and this cannot be stressed enough. It is, of course, two-way, so legal teams have to understand the policy and the data in use in the organisation.

From an IT standpoint, it is important to communicate back to legal and explain the types of data that are in use, and the processes that data is being used for. IT controls need to be checked to ensure they are operating effectively, and legal teams need to be confident that the policy is being enforced.

IT should lead on the technical component of electronic discovery, to address where and in what systems the data can be found and to recover the information. Other IT or business professionals may well analyse the data.

However, from an incident and investigation perspective, direction needs to come from the legal team, because it is that team which will give the exact parameters of what discovery is needed.

Standards such as BS17799 which cover information security management are the core principles of managing information within an organisation. One of the things to which an organisation should pay attention is a confidentiality policy, so that how to label data and apply the appropriate security controls is clearly
understood.

A classification policy about data is absolutely fundamental and, from there on, an information security management system, IT controls and procedures can be implemented. And it is important not to forget the importance of testing.

Alessandro Moretti is a risk management expert from UBS Investment Bank, and sits on the European advisory board of IT security certification body ISC2.

This article is based on a transcript of Moretti speaking at the Computing web seminar “Do you know where your data is? How IT and legal teams can work together on data protection implications.”
www.computing.co.uk/webseminars