January 06, 2009

Security Crossroads: E-Discovery and Your CIRT

Walk into any organization today and you're likely to find some sort of computer incident response team (CIRT). If you're lucky, you'll also find a CIRT that is well organized and seamlessly laced into each functional area of the organization.

Speaking of laced, many organizations are finding that the new kid on the block, e-discovery, already overlaps with many of the core components of a well-defined CIRT. So it begs the question: should e-discovery be a functional component of the CIRT?

E-Discovery and CIRT Defined

Before we continue, let's just be clear on what a CIRT and e-discovery are.

Electronic discovery, or e-discovery, refers to discovery in civil litigation, which deals with information in electronic form. In this context, electronic form means stored as binary data. Electronic information is different from information stored on paper because of its intangible form, volume, transience, and persistence. Also, electronic information is usually accompanied by metadata, which is rarely present in paper documents.

Examples of the types of data included in e-discovery include e-mail, instant messaging chats, Microsoft Office files, accounting databases, CAD/CAM files, Web sites, and any other electronically-stored information which could be considered relevant evidence in a lawsuit or criminal inquiry. Also included in e-discovery is "raw data" which Forensic Investigators can review for hidden evidence.

Individuals working in the field of electronic discovery commonly refer to the field as Litigation Support.

A computer incident response team (CIRT) is a carefully selected and well-trained group of people whose purpose is to promptly and correctly handle an incident so that it can be quickly contained, investigated, and recovered from. It is typically comprised of members from within the company. By necessity, they must be people that can drop what they're doing at a moment's notice and have the authority to make decisions and take actions with little in the way of red tape.

As an integral part of the CIRT, the members of the Information Security team are the employees who are trained in the area of handling electronic incidents. They are valuable assets not only because of their ability to manage a multitude of incidents, but for their ability to provide options -- and the implications of those options -- to management and other members of the team. Information Security's role includes assessing the extent of the damage, containment, basic forensics, and recovery.

Where Your Security and Legal Departments Meet

Now, within your CIRT, you will also find representatives from the legal department. An attorney is useful for supplying a CIRT with legal advice. The attorney's role is to ensure the usability of any evidence collected during an investigation in the event that the company chooses to engage in legal action. An attorney can also provide advice regarding liability issues in the event that an incident affects customers, vendors, and/or the general public.

Because of the roles of legal and information security, and the skill sets of each group, it makes a lot of sense to augment the CIRT with the e-discovery function. E-discovery professionals form a natural flow of skills and communication between the legal and information security professionals on the CIRT.

Why bother? Well let's look at a specific example.

Let's say that a hard drive needs to be secured in order to perform a forensic investigation. Information security, traditionally, would handle this from start to finish. Now, information security professionals may be excellent at the technical execution of this task but perhaps leave something to be desired when it comes to the proper legal aspects of the investigation.

An e-discovery professional can work alongside the information security personnel to ensure that data collection is performed correctly, completely, and most importantly, legally. Certain aspects, like document coding found in the Federal Rules of Civil Procedure, are strengths that an e-discovery professional can bring to the table during a forensic investigation conducted by information security.
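The hard-drive scenario above turns on one practical question: can the team show, later and to a skeptical reviewer, that the image it collected is the image it still has, and who handled it in between? The following is an added example (not code from the original article, which is a policy piece) of the minimal technical support for that: a streaming SHA-256 of the acquired image and an append-only chain-of-custody log, one JSON object per line, that records the hash at every handoff so a later verification can be checked against the acquisition record. The evidence id `EV-0001`, the handler names, the JSON-lines log format and the sample image bytes are all constructed for the example; a real image would come from the imaging tool the team already uses.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a multi-hundred-gigabyte image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_custody(log_path, evidence_id, image_path, handler, action):
    """Append one chain-of-custody entry (JSON, one object per line) and return it.

    Each entry carries the image hash at the moment of the action, so a later
    mismatch can be pinned to a specific handoff rather than to 'somewhere'.
    """
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence_id": evidence_id,
        "image": os.path.basename(image_path),
        "handler": handler,
        "action": action,
        "sha256": sha256_of_file(image_path),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_against_acquisition(log_path, evidence_id, image_path):
    """Return (ok, acquired_hash, current_hash).

    'ok' is True when the image on disk still matches the hash recorded in the
    first 'acquired' entry for this evidence id. Raises LookupError if no
    acquisition record exists, since an image with no recorded baseline cannot
    be verified at all.
    """
    acquired = None
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            entry = json.loads(line)
            if entry["evidence_id"] == evidence_id and entry["action"] == "acquired":
                acquired = entry["sha256"]
                break
    if acquired is None:
        raise LookupError(f"no acquisition record for {evidence_id}")
    current = sha256_of_file(image_path)
    return current == acquired, acquired, current


def demo():
    """Walk through acquisition, handoff and verification on a constructed image.

    Returns (verified_after_handoff, verified_after_modification).
    """
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "EV-0001.dd")
        log = os.path.join(workdir, "custody.jsonl")
        # Constructed stand-in for a disk image; a real one is produced by an imaging tool.
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"sample filesystem bytes" + b"\xff" * 4096)
        # Hypothetical handoff chain: infosec images the drive, e-discovery takes custody.
        record_custody(log, "EV-0001", image, "infosec analyst", "acquired")
        record_custody(log, "EV-0001", image, "e-discovery reviewer", "received")
        intact, _, _ = verify_against_acquisition(log, "EV-0001", image)
        # Simulate a single-byte change to the image after the handoff.
        with open(image, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"X")
        tampered_ok, _, _ = verify_against_acquisition(log, "EV-0001", image)
        return intact, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The log is append-only by design: `record_custody` never rewrites earlier lines, so the acquisition hash cannot be silently "corrected" to match a changed image. The log file itself should live on media the handlers cannot alter in place, or be countersigned, for the record to carry weight in the legal setting the article describes.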

This relationship can work in both directions as well.

There will undoubtedly come occasions when the basic framework of e-discovery will need some fleshing out with the highly specialized skills held by an information security professional. Cases where byte-level forensics are required are one example.

As the security field matures, we will continue to see natural integrations of new disciplines such as e-discovery. Key to these endeavors is to have managers in place who have a finger on the pulse of the security sector. This enables organizations to adapt on the fly in order to meet the challenges that come with the fast-paced world of electronic information.

If your management team is still operating several years behind the curve, you're going to find yourself, at the very least, on the losing end of e-discovery. At worst, you may end up facing counter-litigation for improper evidence collection and handling.

That is one situation that's best avoided, and you'll have a hard time finding anyone from the IT to Legal departments, or from the mail room to the boardroom for that matter, who disagrees.

For more background, visit the following online resources.

Computer Incident Response Team - SANS Institute

E-Discovery - Wikipedia

This article was first published on EnterpriseITPlanet.com.
