Incident Response Plan

Evidentiary Policy and Procedures

In information security, most operations focus on policies: the documents that provide managerial guidance for ongoing implementation and operations. In digital forensics, however, the focus is on procedures. When investigating digital malfeasance or performing root cause analysis, keep in mind that both the results and the methods of the investigation may end up in criminal or civil court. For example, during a routine systems update, a technician finds objectionable material on an employee's computer. The employee is fired and promptly sues the organization for wrongful termination. The investigation of that material will then come under scrutiny by the plaintiff's attorney, who will attempt to cast doubt on the investigator's competence and methods. The material may not be illegal to possess, but its presence may have been a clear violation of policy that justified the dismissal. Even so, if the attorney can convince a judge or jury that someone else could have placed the material on the plaintiff's system, the employee could win the case and potentially a large financial settlement.

When the scenario involves criminal matters, such as an employee discovering evidence of a crime, the situation changes somewhat. The investigation, analysis, and report are typically performed by law enforcement personnel. However, if the defense attorney can raise reasonable doubt by suggesting that the organization's InfoSec professionals compromised the digital evidentiary material (EM) before it reached law enforcement, the accused employee might still prevail.

How do you avoid these legal pitfalls? Strong procedures for handling potential EM can minimize the probability of an organization losing a legal challenge. Organizations should develop specific procedures, along with guidance (in the form of policy) on the use of those procedures. The EM policy is the policy document that guides the development and implementation of EM procedures for the collection, handling, and storage of items of potential evidentiary value, as well as the organization and conduct of EM collection teams. The EM policy document should specify:

  • Who may conduct an investigation

  • Who may authorize an investigation

  • What affidavit-related documents are required

  • What search warrant-related documents are required

  • What digital media may be seized or taken offline

  • What methodology should be followed

  • What methods are required for chain of custody or chain of evidence

  • What format the final report should take and to whom it should be given

The policy document should be supported by a procedures manual based on the documents discussed earlier, along with guidance from law enforcement or consultants. By creating and using these policies and procedures, an organization can best protect itself from challenges by employees who have been subject to unfavorable action (administrative or legal) resulting from an investigation.

Once the policy is in place, the organization can develop EM procedures to guide the actual collection, handling, processing, and storage of EM. Both the policy and the procedures may be developed as stand-alone documents or as part of the organization's digital forensics document set. Either way, it is imperative that formalized documents are developed, reviewed, and approved, so that if the organization's handling of EM is challenged, those responsible for handling the material can demonstrate their compliance with established policies and procedures. Unless the organization has completely committed to the protect and forget philosophy, most EM processing (that is, the actual investigation) will likely be performed by a law enforcement agency.