Data Minimization Framework 1. Create and Maintain an Accurate Data Inventory. Information governance starts with knowing your data. An accurate, up-to-date datamap identifies what information you have, where it exists, media types, applications, third-party access, reference value and sensitive elements. 2. Use Industry-Specific Retention Standards. Generic record naming and retention standards are of little value. Adopt standards that are specific to your industry and incorporate valid business needs unique to your organization. 3. Tag Records to Relevant Sensitive Elements. The sensitivity of data is a critical factor in determining retention decisions. It’s not only a good idea, it’s often the law. 4. Address Obsolete and Redundant Information. Information that is retained longer than valid regulatory requirements or business needs should be systematically disposed of through an appropriate and defensible process. 5. Target Sensitive Data Immediately at Risk. Review the data inventory for unauthorized movement, access, storage, retention and disclosure of sensitive employee, customer and corporate data. Get rid of all records as soon as they are eligible! 6. Prioritize Email. 90% of discovery and review costs go toward email. Email is a prime target for cyber criminals. Prioritize appropriate email deletion in your data minimization strategy. 8 .

Human Risk Framework 1. Conduct an Enterprise-Wide Risk Assessment Annually. You can’t address risks you don’t know exist. Evaluate existing safeguards and practices of key subject matter experts, department mangers as well as employees. 2. Establish Clear Guidelines. Review and update existing policies and establish clear guidelines that are easy for employees to understand and comply with. 3. Evaluate Policy Awareness Levels and Training. Policies are only effective if employees are aware of and comply with them, and the company can demonstrate they are consistently enforced. 4. Communicate Policy Expectations Consistently. Establish a set frequency for communicating policies and guidelines to increase awareness and improve policy effectiveness and defensibility. 5. Track Compliance Verification. Require employees to certify their awareness and compliance with policies and guidelines. This establishes an audit trail and evidence of diligence. 6. Address Risky Employee Practices. Identify employee behaviors that put sensitive information at risk and are out of compliance with policies. 7 .

Information Governance Framework 1. Create and Maintain an Accurate Data Inventory. Information governance starts with knowing your data. An accurate, up-to-date datamap identifies what information you have, where it exists, media types, applications, third-party access, reference value and sensitive elements. 2. Tag Records to Relevant Sensitive Elements. Appropriate security needs are determined by the sensitive content each record type contains and is a critical factor in determining retention and disposal decisions. 3. Use Industry-Specific Retention Standards. Generic record naming and retention standards are of little value. Adopt standards that are specific to your industry and incorporate valid business needs unique to your organization. 4. Address Obsolete and Redundant Information. Information that has been retained longer than valid regulatory or business needs should be systematically disposed of through an appropriate and defensible process. 5. Communicate Policies and Security Guidelines Consistently. People forget. When they forget, they don’t comply. Routinely communicate program expectations and diligently track compliance verification. 6. Demand Strict Compliance with Retention Rules and Policy. Retention rules aren’t minimum standards – they are absolute standards. Program adherence – including disposal consistency – provides a strong defense. 7. Keep Your Program Up-To-Date. Review and update your program annually and send out appropriate communications to improve employee awareness and compliance. 6 .

Vendor Diligence Framework 1. Assess Every Vendor - Not Just Your Largest. Every third party, including law firms and small companies, with access to your systems or data poses a threat. Their data breach is your data breach. 2. Use Relevant Standards. Evaluate your vendors’ current security practices against recognized standards. 3. Segment Vendors By Risk. Identify high-risk and (presumed) low-risk vendors to balance effective evaluation with process efficiency. 4. Eliminate Manual Processes. Manual diligence processes are resource-intensive and error-prone. The right technology eliminates bandwidth restrictions and provides consistent, documented evidence of your controls. 5. Consider Both the Letter and Spirit of Regulations. Vendor diligence standards must be comprehensive and consider existing technical controls as well as compliance with applicable regulations. 6. Make It Easy for Vendors to Respond. The right technology, process and question sets enable accurate, timely responses from your vendors. You’ll identify issues faster so you can stop problems before they happen. 7. Assess Law Firms Against the ACC Model Controls. Law firms have some of your most sensitive information. The ACC Model Controls provide a recognized starting point for evaluating your law firms’ cybersecurity practices. 8. Conduct Annual Assessments. The cyber threat landscape is continually changing and relationships with vendors evolve. Every vendor should complete a vendor risk profile at least annually. 6 .

PROFESSIONAL SERVICES. PERFECTLY DELIVERED. About Jordan Lawrence For over a decade, Jordan Lawrence has served as an ACC Alliance Partner providing services that enable members around the world to effectively and defensibly meet legal obligations, mitigate risks and reduce the costs of information compliance and control. Senior executives and corporate counsel depend on our specialty risk-assessment services to address critical areas of risk and to stay in compliance with international and domestic regulations. Third-Party Diligence for Cybersecurity Risks Data Minimization for Email, ESI and Paper Records Data Inventory Development for Information Privacy and Litigation Readiness Records Retention Standards and Defensible Deployment Human Factors of Cybersecurity Risks Our innovative service delivery model provides predictability, accuracy and speed for every client. Our industry benchmarking and world-class best practices are relied upon and proven defensible in the most vital areas of corporate risk. PROFESSIONAL SERVICES. PERFECTLY DELIVERED.

www.jordanlawrence.com/acc (636) 821-2222 services@jordanlawrence.com