Electronic discovery standardization.

Author: Hibbard, Eric
Position: Electronic Discovery and Digital Evidence

INTRODUCTION

After a somewhat rocky start, the International Organization for Standardization (ISO), in conjunction with the International Electrotechnical Commission (IEC), Joint Technical Committee 1 (JTC 1), Information Technology, Subcommittee 27 (SC 27), Security Techniques, is developing an E-Discovery standard with potential global implications. This standard, known as ISO/IEC 27050, Information Technology--Security Techniques--Electronic Discovery, seeks to harmonize terminology, describe core concepts, offer guidance in several key areas (e.g., E-Discovery governance, processes, readiness), and identify relevant requirements. While ISO/IEC 27050 is not intended to contradict or supersede local jurisdictional laws and regulations, it is likely to have an impact because International Standards play an important role in cross-border issues, and if nothing else, it could help address the "reasonableness" of one's actions.

  1. BACKGROUND ON INTERNATIONAL STANDARDS DEVELOPMENT ORGANIZATIONS (SDOs)

    ISO is the world's largest developer of voluntary International Standards and it is an independent, non-governmental organization made up of members from the national standards bodies of 162 countries and 3,368 technical bodies. (1) Since its founding in 1947, ISO has published over 19,500 International Standards covering almost all aspects of technology, business, and manufacturing (e.g., from food safety to computers, and agriculture to healthcare). (2)

    Founded in 1906, the IEC is the world's leading organization that prepares and publishes International Standards for all electrical, electronic and related technologies, collectively known as "electrotechnology." (3) The IEC reports that "[o]ver 10,000 experts from industry, commerce, government, test and research laboratories, academia and consumer groups participate in IEC Standardization work." (4)

    ISO and IEC are two of the three global sister organizations (International Telecommunication Union, or ITU, being the third) that develop International Standards for the world. (5) When appropriate, some or all of these standards development organizations cooperate to ensure that International Standards fit together seamlessly and complement each other: "Joint committees [e.g., JTC 1] ensure that International Standards combine all relevant knowledge of experts working in related areas." (6) All ISO/IEC International Standards are fully consensus-based and represent the needs of key stakeholders of every nation participating in ISO/IEC work: "Every member country, no matter how large or small, has one vote and a say in what goes into an [ISO or] IEC International Standard." (7)

  2. STANDARDIZING IT SECURITY TECHNIQUES

    Within JTC 1, Subcommittee 27 (SC27) has responsibility for the development of standards for the protection of information as well as information and communications technology (ICT).

    This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:

    * Security requirements capture methodology;

    * Management of information and ICT security; in particular, information security management systems (ISMS), security processes, security controls and services;

    * Cryptographic and other security mechanisms, including, but not limited to, mechanisms for protecting the accountability, availability, integrity and confidentiality of information;

    * Security management support documentation including terminology, guidelines as well as procedures for the registration of security components;

    * Security aspects of identity management, biometrics and privacy;

    * Conformance assessment, accreditation, and auditing requirements in the area of information security;

    * Security evaluation criteria and methodology. (8)

    Since convening its first plenary session in April 1990, SC27 has published more than 120 standards and currently has in excess of seventy-five active projects. (9) To manage these projects and the ongoing maintenance associated with the published standards, SC27 is organized into the following working groups (WGs) (10):

    * WG 1: Information security management systems (ISMS)

    * WG 2: Cryptography and security mechanisms

    * WG 3: Security evaluation, testing, and specification

    * WG 4: Security controls and services

    * WG 5: Identity management and privacy technologies

    * SWG-T: Special working group on transversal items.

    To complete the picture, the United States is one of the fifty-three participating countries (voting members) along with seventeen observing countries. (11) Within the United States, the American National Standards Institute (ANSI) serves as the formal United States National Body (USNB) to SC27. (12) Under ANSI's auspices, the International Committee for Information Technology Standards (INCITS) serves as the U.S. Technical Advisory Group (TAG) to JTC 1, and INCITS Technical Committee Cyber Security (CS1) has been delegated responsibility to interface with SC27. (13) SC27 meets twice a year, typically during spring and fall, at a wide range of international venues. Plenary sessions, where major decisions are made, occur at the spring meetings. (14)

    1. SC27/WG4 Investigative Projects

      Starting in April 2008 at the SC27 meeting in Kyoto, Japan, SC27/WG4 initiated a Study Period (15) on Evidence Acquisition Procedure for Digital Forensics, (16) and issued the New Work Item Proposal (NWIP) (17) after the SC27 meeting in Limassol, Cyprus, in October 2008. This project would be the first of what would become a set of "investigative" projects that focus on incidents, investigation, and evidence. (18) As of this writing, these projects include (19):

      * ISO/IEC 27035 (draft), Information Technology--Security Techniques--Information Security Incident Management (multi-part)

      * ISO/IEC 27037: 2012-11-01 (1st ed.), Information Technology--Security Techniques--Guidelines for Identification, Collection, Acquisition and Preservation of Digital Evidence

      * ISO/IEC 27038: 2014, Information Technology--Security Techniques--Specification for Digital Redaction

      * ISO/IEC 27040 (draft), Information Technology--Security Techniques--Storage Security

      * ISO/IEC 27041 (draft), Information Technology--Security Techniques--Guidance on Assuring Suitability and Adequacy of Investigation Methods

      * ISO/IEC 27042 (draft), Information Technology--Security Techniques--Guidelines for Analysis and Interpretation of Digital Evidence

      * ISO/IEC 27043 (draft), Information Technology--Security Techniques--Incident Investigation Principles and Processes

      * ISO/IEC 27050 (draft), Information Technology--Security Techniques--Electronic Discovery (multi-part)

      The above investigative projects are not intended to contradict or supersede local jurisdictional laws and regulations, and further, they are expected to have relevance outside of the legal domain. (20)

      It is important to note that the USNB has argued on several occasions that the investigative projects were outside the scope of SC27, and further, that SC27 did not have the technical expertise to deal with some of these topics. (21) The USNB concerns were overridden because of the perceived needs in developing countries; in some countries, ISO standards carry the weight of laws or regulations. (22)

    2. Genesis of the ISO/IEC 27050 Electronic Discovery Project

      At about the same time--October 2008--that SC27/WG4 began development of ISO/IEC 27037, the American Bar Association's (ABA) Section of Science & Technology Law (SciTech) formed the E-Discovery and Digital Evidence (EDDE) Committee. (23) At the Committee's first meeting in November 2008 in Washington, D.C., a member of INCITS/CS1 reached out to the EDDE Committee for reaction and comments on the NWIP for ISO/IEC 27037. These initial interactions eventually transitioned into a more formal liaison relationship between INCITS/CS1 and ABA SciTech in February 2009. (24) This relationship continued throughout the development of ISO/IEC 27037 and to this day, as SC27 has expanded its investigative projects. The net result of this liaison relationship is that the ABA SciTech expertise improved the quality of the USNB comments and contributions on SC27's quasi-legal drafts, while at the same time giving the ABA SciTech experts insight into the SC27 projects and the international standardization process.

      In December 2011, at the EDDE Committee face-to-face meeting in Washington, D.C., the topic of E-Discovery standardization (both domestic and international) was discussed at length. (25) The general sense of the participants was that there was definite merit in having an international standard, but organizational politics made it unlikely that a domestic project would result in anything useful. That said, the mechanics and feasibility of pursuing such an endeavor were unknown, so the Liaison Officer to INCITS/CS1 was tasked with determining the USNB's level of interest in serving as a project sponsor and outlining the process.

      The response from the INCITS/CS1 members was positive, with the caveat that the ABA SciTech would need to provide support if the project was successfully launched in SC27. (26) Given the lengthy lead times often required for SC27 proposals, INCITS/CS1 needed a go/no-go recommendation from the EDDE Committee by March 2012, so that a proposal for a SC27 Study Period could be developed, approved by INCITS/CS1, and then submitted to SC27 as an on-time contribution from the USNB (i.e., routed through INCITS and then ANSI), which would enable consideration of the proposal at the April 2012 SC27 meeting in Stockholm, Sweden.

      The EDDE Committee was briefed at its February 2012 face-to-face meeting in San Francisco, California. A defining moment for the E-Discovery standardization occurred at this meeting when the Honorable John M. Facciola (U.S. Magistrate Judge, U.S. District Court, District of Columbia) brought the Committee to a decision point by moving to support the development of a standard; then the Honorable Andrew J. Peck (U.S...
