# eDiscovery and Legal Hold Operations

One-sentence definition: Operational process to preserve, collect, and produce electronically stored information (ESI) under legal hold.

## Key Facts

- Triggered by litigation/regulatory request; suspend normal retention/deletion.
- Notify custodians; track acknowledgments; defensible collection workflows.
- Preserve integrity (hashing, WORM), chain-of-custody, and scope minimization.
- Coordinate with counsel and privacy; limit to need-to-know access.
- Maintain inventories of data sources (email, chat, endpoints, cloud, backups).
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose legal hold to avoid spoliation and sanctions.

**Mnemonic:** “**Hold** first, then **harvest**.”

## Mini Scenario

Q: Backup purge scheduled during lawsuit—what do Ops do?

A: Pause deletion for in-scope data; document hold; notify custodians.

## Revision Checklist

- Two legal hold actions.
- Integrity controls.
- Scope/need-to-know.

## Related

[[Legal Holds and Evidence Retention for Security Tests]] · [[Log Integrity Time Sync and Retention]] · [[Digital Forensics in Operations (Triage First Response)]] · [[Reporting and Executive Summaries]] · [[Domain 7 - Index]]