
The Governance of Corporate Forensics using COBIT, NIST and Increased Automated Forensic Approaches

Henry Nnoli1, Dale Lindskog2, Pavol Zavarsky2, Shaun Aghili2, Ron Ruhl2

1ATB Financial, Edmonton T5J 1P1, Canada

2Information Systems Security Management, Concordia University College of Alberta, Edmonton T5B 4E4, Canada

[email protected], {dale.lindskog, pavol.zavarsky, shaun.aghili, ron.ruhl}@concordia.ab.ca

Abstract—Today, the ability to investigate internal matters such as policy violations, regulatory compliance, and employee separation has become important in order for corporations to manage risk. The volume of information security threats evolving on a daily basis has increasingly raised concerns for enterprise organizations. These threats include but are not limited to fraud, insider threat and intellectual property (IP) theft. They have increased the demand for organizations to implement corporate forensics as a deterrent to illegitimate acts or for linking perpetrators to their illegitimate acts. This explains why forensic practices are expanding from their traditional role in law enforcement and becoming an essential part of business processes. However, most organizations may not be maximizing the benefits of corporate forensic capabilities because of a lack of corporate forensic governance best practices, which are needed to ensure that organizations prepare their operating environment for digital forensic investigation. Corporate forensic governance will help ensure that digital evidence is obtained in an efficient and effective way with minimal interruption to the business. This paper presents a corporate forensic governance framework intended to enhance forensic readiness, governance, and management, and to increase the use of automated forensic techniques and in-house forensically sound practices in large organizations that have a need for these practices.

Index Terms—corporate forensic governance; corporate forensic readiness; increased automated forensic solutions; digital forensic investigation; digital evidence

I. INTRODUCTION

Most organizations waste effort, time and resources in carrying out forensic investigations due to a lack of corporate forensic preparedness [4]. Forensic readiness (preparedness) can be defined as the process of being prepared (having the right policies, procedures, people and techniques in place to respond professionally and in a timely manner) before an incident occurs. Rowlingson [4], in his paper ‘A Ten Step Process for Forensic Readiness’, described forensic readiness as the ability of an organization to maximize its potential to use digital evidence while minimizing the cost of an investigation. In his paper he discussed practices that, when implemented before a digital incident occurs, can help organizations to be ready to carry out forensic investigations. However, forensic readiness is only one part of a comprehensive and well-structured corporate forensic governance program.

Governance is the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that applicable strategies are aligned with and support business objectives, and are consistent with applicable laws and regulations through adherence to policies and internal controls, and assignment of responsibility, all in the effort to manage risk [22]. In most organizations when incidents occur, the incident response team’s major concern is to contain the incident and restore operations, paying less attention to potential evidence. In most cases digital evidence is contaminated, incomplete and untrustworthy, all of which inhibits linking perpetrators to their illegitimate acts if a crime is committed [2]. This is simply because of the lack of forensic readiness which is part of a good corporate forensic governance program. Grobler et al [5] stated, “all disciplines need some form of policy, procedures, standards and guidelines hence necessitating the proper facilitation of governance”. In their paper, entitled ‘Managing digital evidence - The governance of digital forensics’, they introduced a preliminary framework for the governance of digital forensics.

According to COBIT [10], the principles of governance best practice include strategic alignment, risk management, value delivery, resource optimization, and continuous performance evaluation. Board briefings on IT governance [22] stated that governance practices have been confirmed to yield huge benefits in the fields of information technology (IT) and information security (IS) due to the establishment and adoption of applicable frameworks like COBIT. “In other words, top management of various organizations are realizing the significant impact information technology and information security can have on the success of their enterprise because of governance of these fields” [22]. Such governance practices are lacking in the field of digital forensics [5]. For various reasons, which will be highlighted later in this paper, there is a need for effective and efficient governance practices for corporate forensic programs to ensure that value, risk and resources are optimized during forensic investigations. Most organizations remain wary of in-house forensic readiness and capability because they feel that it involves complex processes, but with a proper best practice framework for corporate forensic governance and readiness they will observe that in-house forensic readiness can be conducted in an efficient and effective way. In addition, the use of innovative, user friendly and increased corporate forensic automated solutions (like Encase Enterprise) reduces the amount of resources (time, effort and personnel) used for such practices. With the existence of COBIT [10][11] and other IT and IS governance frameworks, including research work like [1][2][3][4][5][8], it is obvious that there is a governance gap in the field of corporate forensics.

2012 ASE/IEEE International Conference on Social Computing and 2012 ASE/IEEE International Conference on Privacy, Security, Risk and Trust

978-0-7695-4848-7/12 $26.00 © 2012 IEEE

DOI 10.1109/SocialCom-PASSAT.2012.109

734

Authorized licensed use limited to: University of the Cumberlands. Downloaded on August 07,2021 at 17:23:00 UTC from IEEE Xplore. Restrictions apply.

In this paper, a governance framework is presented, one that will guide those large organizations who are in need of a corporate forensic program on how best governance practices can enhance corporate forensic readiness and in-house forensically sound practices in an efficient and effective way. This paper is organized into the following sections: Section II argues the need for corporate forensic readiness and governance; Section III explains best practice governance principles; Section IV is a brief discussion of related work; Section V is a description of the proposed framework; finally, in Section VI we conclude and recommend future work.

II. CORPORATE FORENSIC READINESS AND GOVERNANCE

According to [8], litigation is a last option for most organizations, because of concerns like negative publicity and its negative impact on the business. Therefore, corporate forensic readiness, governance and in-house forensic capability will help organizations to be prepared to gather and use digital evidence as a deterrent and for making firm conclusions during internal investigations of non-criminal violations. The objective of corporate forensic readiness is to ensure that digital evidence is collected using sound forensic processes and in an effective way with minimal interruption to the business. This evidence can also be used in the organization’s interest and defense. Although many organizations outsource forensic activities, it is likely that most would prefer to perform them internally. The reasons for this include privacy, confidentiality of organizational and customer data, legal risk, delayed forensic results from consultants and compliance with regulations like Sarbanes Oxley, the King 3 Report, the Basel Committee report on banking supervision, and FIPS PUB 200. In addition, it is costly to outsource forensic activities in those large organizations that experience recurring digital incidents. Regulations like FIPS PUB 200 (2002) mandated all federal agencies in the United States to comply with the standard’s Audit and Accountability section, which states that “Organizations must:

1. Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.

2. Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions” [12].

These considerations show that, in a great many cases, there is a clear need for corporate forensic readiness and in-house forensic capability.

Rowlingson [4] articulates ten steps toward corporate forensic readiness:

1. “Define the business scenarios that require digital evidence.
2. Identify available sources and different types of potential evidence.
3. Determine the evidence collection requirement.
4. Establish a capability of securely gathering admissible evidence to meet the requirement.
5. Establish a policy for secure storage and handling of potential evidence.
6. Ensure monitoring is targeted to detect and deter major incidents.
7. Specify circumstances when escalation to a full formal investigation should be launched.
8. Train staff in incident awareness so that all those involved understand their role in the digital process and the legal sensitivities of evidence.
9. Document an evidence-based case describing the incident and its impact.
10. Ensure legal review to facilitate action in response to the incident”.

A good governance framework consists of both governance and management processes [11]. Rowlingson’s work should be incorporated into management processes and we therefore refined and used it in the development of the management processes (CFM domain) of our proposed corporate forensic governance framework. More elaboration on the need for corporate forensics can be found in [8].

A. The Relationship between IT Governance, IS Governance and Corporate Forensics

It could be argued that corporate forensics falls, in some respects, under IT governance and IS governance. However, some important aspects of corporate forensics, like jurisprudence (legal) and forensically sound processes, are not fully part of IT and IS governance [3]. According to ACPO [30], forensically sound processes mean performing forensic practices (collection, examination, analysis, documentation, preservation of evidence and chain of custody) according to the applicable jurisdiction. It also means that forensic practices should be conducted in such a way that, if necessary, an independent third party is able to repeat the same processes and obtain the same result. This shows that the preservation of the integrity of evidence is very important during forensic investigations. Corporate forensics (CF) and digital forensics (DF) will be used interchangeably in this paper. Researchers like Von Solms [3] and Grobler [5] explain the relationship between digital forensics (DF), IS governance, IT governance and corporate governance. Von Solms et al. state “that the proactive mode of information security ensures all policies, procedures, and technical mechanisms are in place to prevent harm to the organization’s information; the reactive mode ensures that if harm occurs, it will be repaired (Business continuity planning, Good backup and Disaster recovery techniques are part of the reactive mode)” [3]. “The proactive mode of digital forensics ensures all policies, procedures, technical and automated mechanisms are in place to be able to act when required; the reactive mode ensures that the necessary actions can be performed to support specified analytical and investigative techniques required by digital forensics” [3]. This shows that some components of digital forensics, IS and IT governance overlap and are related. Therefore, the best practice governance principles used for effective IT and IS governance can also be used for corporate forensic governance.
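The two requirements above, that evidence integrity be preserved and that an independent third party be able to repeat the process and obtain the same result, together with the FIPS PUB 200 demand quoted in Section II that actions be uniquely traceable to individual users, can be made concrete in code. The following Python is an added illustration, not part of the paper or of any tool it names: it hashes a constructed stand-in for an acquired image and keeps a hash-chained chain-of-custody log in which every entry names the person acting; verify_custody re-derives every hash, so a third party repeating the procedure gets the same answer, and any altered entry or modified image is reported. The sample bytes, names and timestamps are all constructed.

```python
"""Tamper-evident chain of custody for one evidence item (added example; all data constructed)."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import Dict, List


def evidence_digest(data: bytes) -> str:
    """SHA-256 of the acquired image. An independent party re-hashing the same
    bytes with the same algorithm must obtain the same value (repeatability)."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    seq: int
    timestamp: str          # ISO 8601; constructed here so the example is deterministic
    actor: str              # a named individual, so each action is traceable to a user
    action: str
    evidence_sha256: str    # hash of the evidence at the time of the action
    prev_entry_hash: str    # hash of the previous entry (the chain link)
    entry_hash: str = ""    # hash over all fields above


def _entry_hash(fields: Dict[str, object]) -> str:
    """Hash a canonical JSON encoding so any party can recompute it byte for byte."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class CustodyLog:
    GENESIS = "0" * 64  # prev_entry_hash used by the first entry

    def __init__(self, evidence: bytes):
        self.evidence_sha256 = evidence_digest(evidence)
        self.entries: List[CustodyEntry] = []

    def record(self, timestamp: str, actor: str, action: str) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        fields = dict(seq=len(self.entries), timestamp=timestamp, actor=actor,
                      action=action, evidence_sha256=self.evidence_sha256,
                      prev_entry_hash=prev)
        entry = CustodyEntry(**fields, entry_hash=_entry_hash(fields))
        self.entries.append(entry)
        return entry


def verify_custody(entries: List[CustodyEntry], evidence_now: bytes) -> List[str]:
    """Re-derive every hash. Returns findings; an empty list means the record is
    intact and the evidence is unchanged since acquisition."""
    findings: List[str] = []
    current = evidence_digest(evidence_now)
    prev = CustodyLog.GENESIS
    for i, e in enumerate(entries):
        fields = asdict(e)
        fields.pop("entry_hash")
        if e.seq != i:
            findings.append(f"entry {i}: sequence gap")
        if e.prev_entry_hash != prev:
            findings.append(f"entry {i}: chain broken")
        if _entry_hash(fields) != e.entry_hash:
            findings.append(f"entry {i}: entry altered")
        if e.evidence_sha256 != current:
            findings.append(f"entry {i}: evidence hash does not match current image")
        prev = e.entry_hash
    return findings


# Constructed stand-in for an acquired disk image; not real evidence.
SAMPLE_IMAGE = b"constructed sample image bytes\x00" * 64


def build_sample_log() -> CustodyLog:
    """Three constructed custody events for the sample image."""
    log = CustodyLog(SAMPLE_IMAGE)
    log.record("2012-06-01T09:00:00Z", "jdoe (forensic examiner)",
               "acquired image from workstation WS-01 (constructed)")
    log.record("2012-06-01T09:30:00Z", "jdoe (forensic examiner)",
               "transferred image to evidence locker")
    log.record("2012-06-02T14:00:00Z", "asmith (legal counsel)",
               "examined working copy")
    return log


def demo_intact() -> List[str]:
    return verify_custody(build_sample_log().entries, SAMPLE_IMAGE)


def demo_altered_entry() -> List[str]:
    """Someone edits the actor on entry 1 after the fact: its stored hash no longer matches."""
    entries = list(build_sample_log().entries)
    entries[1] = replace(entries[1], actor="unknown")
    return verify_custody(entries, SAMPLE_IMAGE)


def demo_modified_evidence() -> List[str]:
    """A single appended byte changes the image hash; every entry disagrees with it."""
    return verify_custody(build_sample_log().entries, SAMPLE_IMAGE + b"\x01")


if __name__ == "__main__":
    print("intact:", demo_intact())
    print("altered entry:", demo_altered_entry())
    print("modified evidence:", demo_modified_evidence())
```

Each entry binds the evidence hash, the actor and the previous entry, so the log cannot be quietly rewritten without the verifier noticing, and the evidence hash alone is enough for a third party to confirm that what it examines is what was acquired.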

Fig. 1. Relationship between Corporate governance, IT governance, IS governance and Digital forensic [3]

Figure 1 shows a holistic view of DF and its relationship with corporate governance, IS governance and IT governance.

III. BEST PRACTICE GOVERNANCE PRINCIPLES

According to best practices [10][11][22], governance principles include strategic alignment with business objectives, value delivery to the business, risk management, optimization of available resources and continuous performance evaluation.

A. Strategic Alignment

Good governance of corporate forensics (CF) will ensure that the objectives of CF practices are aligned to the organization’s goals. According to Board briefing on IT governance [22], the cost effectiveness of a security program is determined by how well it supports the organization’s objectives. Corporate forensic governance will also ensure that corporate forensic objectives are defined in business terms and that all CF controls are tracked to a specific business requirement. The following indicate alignment: a corporate forensic program that enhances business activities; a corporate forensic program that is responsive to defined business needs; corporate forensic program and organization objectives that are defined and clearly understood by relevant stakeholders; a corporate forensic program that is mapped to organizational goals and is validated by senior management; and a corporate forensic strategy and steering committee made up of key executives to ensure continuous alignment of corporate forensic objectives and business goals.

B. Value Delivery

Good governance of corporate forensic practices will also ensure that corporate forensic investments are optimized in support of enterprise objectives. It also ensures that the organization gets benefits from its corporate forensic investments. Governance will ensure corporate forensic investments are supporting business needs and adding the expected value. For instance, where there is no governance, there is no monitoring and evaluation to ensure that the corporate forensic investment continuously supports the business in achieving some of its strategic needs. Forensic investments may then fail to add the expected value to the business, since there are no metrics to measure whether value is optimized. Corporate forensic governance increases the likelihood of the corporate forensic program’s success, which matters given the significant cost associated with corporate forensic practices.

Figure 2 shows some of the questions governance will ask to ensure value is optimized.

Fig. 2. Val IT Framework 2.0, Value according to the Four ‘Are’s as described in the information paradox [34]

C. Risk Management

For applicable IT related business risk to be mitigated using corporate forensic practices, CF governance would help ensure that corporate forensic practices are an integral part of the enterprise risk management program. CF governance will also ensure that the corporate forensic strategy and program help organizations achieve an acceptable level of applicable IT related business risk. A structure for risk assessment as defined by NIST 800-30 is shown in Figure 3 below. If corporate forensic practices are part of the enterprise risk management program, potential evidence sources will be identified in a proactive manner. Also, CF governance will ensure that the legal risks involved in corporate forensic practices are fully identified, communicated, mitigated and managed.

Fig. 3. NIST 800-30 Risk Assessment Methodology [32]

Furthermore, in the risk assessment methodology shown in Figure 3, step 4 requires control analysis and selection. This is where different controls are selected for all identified risks. Different controls are weighed and analyzed based on their strengths and weaknesses, and the best control to mitigate each risk effectively is selected. All risks that could best be mitigated with corporate forensic practices should be identified, documented in a risk profile chart and rated to show their potential value impact to the business. This is one of the principles of good CF governance, which will ensure that all risks that could be mitigated with corporate forensic practices are mitigated and optimized.

D. Resource Optimization

This principle of good corporate forensic governance deals with the planning, allocation and control of corporate forensic resources, which include people, processes and technologies (increased automated forensic suites), towards adding value to the business. CF resources need to be managed properly to be effective. Proper CF resource management will ensure that corporate forensic practices are efficient and cost effective and, most importantly, that corporate forensics is effectively addressing applicable business needs.

E. Performance Evaluation

Since there is a clear saying that “you cannot manage what you cannot measure,” the governance of corporate forensic practices will ensure measures are in place to monitor corporate forensic processes and measure their performance. This will help management to make informed decisions about the state of the corporate forensic program and ascertain whether it is effective or not. Methods like a maturity model, checklists and other tools could be used. Some of the indicators of an effective corporate forensic program, as observed from performance measurement, include: the time it takes to detect and uncover potential security threats to the business; the number of threats effectively traced to their sources within a minimal time interval without interruption to the business; and the number of security breaches reported (a lower number of reported breaches indicates the effectiveness of the control as a deterrent). The performance measurement module of the governance framework is represented in the corporate forensic evaluation (CFE) domain of the proposed framework.

IV. RELATED WORK

Researchers like [4][6][7][8] have looked into some form of forensic readiness, while [2][8][9][21] have looked into some form of proactive digital forensics; both are considered part of, but not a comprehensive representation of, good governance practices. They did not comprehensively address the establishment of a good governance framework and major governance processes for corporate forensic practices, which would obviously make their work more effective. In other words, they did not address in detail how corporate forensic practices could be enhanced using governance best practices. The lack of CF governance practices might explain why management sees digital forensics as an abstract and highly technical field and has very little interest in leveraging its benefits to achieve some of its corporate goals. Good governance, referred to in the beginning of this section, means getting senior management involved in an interactive manner by using globally adopted common business language in a governance framework for forensic practices; management taking ownership of the forensic program by assuming responsibility and accountability (RACI chart) for forensic processes; use of increased automated forensic suites with generation of user friendly executive reports, remote forensics and automated processes; and use of forensic practices to minimize high IT related business risk. All these enhancements are expected to help organizations maximize the benefits of forensic practices in an efficient and effective way. Discussing proactive or corporate forensic readiness, as [2][4][6][7][8][9][21] do, without establishing a governance structure and framework and obtaining management support will result in the corporate forensic readiness program not being fully effective and efficient.

Furthermore, at the time this paper was written, only one research group, Grobler et al. [5], to the best of our knowledge, had researched the governance of digital forensics. Their paper presented a preliminary framework in the form of an outline for the governance of digital forensics. The scope of that paper did not comprehensively address how globally accepted governance best practices [10][11][22] can be used to enhance a corporate forensic program in enterprise organizations.

V. DESCRIPTION OF THE PROPOSED FRAMEWORK

According to best practice [11], a governance framework should consist of two major kinds of process: governance processes and management processes. The governance processes involve direction in strategic alignment, risk management, resource optimization, value delivery and performance evaluation. The governance field directs the management field and ensures management processes are achieving their goals. The management field is responsible for executing and implementing directions from the governance field. The management processes involve specialized and operational processes which governance uses to achieve its tactical and operational goals. The management section performs more hands-on tasks than the governance section. The proposed framework was developed with this principle. The framework was categorized into three domains, namely Corporate Forensic Governance (CFG, governance processes), Corporate Forensic Management (CFM, management processes) and Corporate Forensic Evaluation (CFE). The third domain, CFE, maintains a life cycle model for the framework by evaluating, monitoring and continually improving forensic processes through lessons learned and evaluation using a maturity model. Figure 4 shows the corporate forensic governance framework lifecycle.

Fig. 4. The three major domains of the proposed corporate forensic governance framework lifecycle

The proposed corporate forensic governance framework was developed with the common languages and best practices used in related governance models.


A. Corporate Forensic Governance (CFG)

Corporate Forensic Governance was developed with the major principles of best governance practice as recommended by COBIT [10][11] and Board briefing on IT governance [22], which include strategic alignment, risk management, resource optimization, and value delivery. These principles represent control objectives CFG 1 to CFG 4 of the corporate forensic governance domain. Detailed control practices were developed under each of these control objectives.

B. Corporate Forensic Management (CFM)

The second domain, Corporate Forensic Management (CFM), contains functions classified as management functions in the framework. This domain was developed from best practices, Rowlingson’s work [4] and all other literature reviewed in the reference section. The control objectives in this domain (CFM 1 to CFM 10) include: manage legal and ethical requirements; define policies; define procedures; manage education, training and awareness; perform proactive evidence identification; collect evidence; examine and analyze evidence; manage evidence; manage third parties; and document, report and present evidence. Detailed control practices were developed under each of these control objectives.

C. Corporate Forensic Evaluation (CFE)

The third domain, Corporate Forensic Evaluation (CFE), contains processes to evaluate (maturity model), monitor, assess and improve (with lessons learned and feedback) forensic practices to ensure the objective of the framework is continuously achieved. The objectives of the framework include performing corporate forensic activities in an efficient and effective way, with minimal disruption to the business; collecting evidence in a forensically sound way; and reducing applicable potential IT related risk to the business. This domain was developed from process assessment best practices in all the literature reviewed. Detailed control practices were developed under each of the control objectives (CFE 1 to CFE 3) for this domain.

D. Corporate Forensic Governance Structure

Figure 5 shows a high level hypothetical corporate forensic governance structure. Other assurance functions like HR, Internal Audit, Privacy, the Value Management office, Legal, etc. are part of the corporate forensic strategy and steering committee. To establish an effective CF governance program, the first step is to establish a governance structure that will oversee the governance of the corporate forensics program. This is one of the requirements of good governance. According to several regulations and best practices [11][22], senior management is ultimately responsible for good governance and for exercising due care in performing tasks involving all specialized disciplines. Corporate forensics, information technology and information security are examples of such specialized disciplines in a corporate environment. Therefore, the overall accountability for good governance is the responsibility of the board of directors.

The Board or the CEO should set up a steering and strategy committee to oversee its corporate forensic responsibilities and report back to them since they have many commitments. This responsibility could also be taken by the CIO depending on how large the organization is or the business environment of the organization. Therefore, this is just a hypothetical structure; organizations can set up their governance structure as it suits their business environment. For instance, if an organization is experiencing various insider frauds and other negative publicity due to security breaches, the Board of directors will be interested in knowing the most effective mitigation strategy to mitigate that risk. This will increase the organization’s interest in implementing a corporate forensic program which the CEO or board might want to oversee.

Fig. 5. A hypothetical corporate forensic governance structure

Each member of the governance and management teams in the proposed framework has assigned roles and responsibilities similar to those seen in [22]. They are either responsible, accountable, consulted and/or informed on each of the governance, management and evaluation processes of the corporate forensic governance framework. This is achieved using the RACI chart which means who is Responsible, Accountable, Consulted and/or Informed. Table I briefly explains the RACI chart.

E. Corporate Forensic Governance Framework

The framework consists of 3 domains (CFG, CFM & CFE), 17 high level control objectives (CFG1-CFG4, CFM1-CFM10, CFE1-CFE3) and 119 detailed control practices. The control practices and RACI assignment of roles and responsibilities can be adjusted to suit each organization’s needs and business environment. In other words, some of the control practices might not be applicable in some organizations, depending on how they are structured and what their business environment is like.

TABLE I. THE RACI CHART

RACI | Task
R means Responsible | Those responsible for performing the task or ensuring the task is done
A means Accountable | The person who must approve or sign off before the process is effective, or the person accountable for the success of the process
C means Consulted | Those who provide input needed to complete the task
I means Informed | Those who are regularly updated on the outcome of decisions, processes and actions taken

In addition, some of these controls may already have been implemented in some organizations (for example, for information security); in such a scenario, enhancement is needed to accommodate forensic practices. During implementation of the framework, CFG1 – CFG4 will be implemented first, before CFM1 – CFM10, and then CFE1 – CFE3. The RACI chart was used in assigning roles and responsibilities to the governance and management team according to best practices [10][22]. Refer to Section V for more explanation on the structure of the proposed framework. A brief explanation of the scope and control objectives of the proposed framework is shown in Table II.

The scope of the proposed corporate forensic governance framework is based on the use of increased automated forensic suites like Encase Enterprise for forensic practices. These suites are known for a high degree of automation and an ease-of-use approach towards performing forensic practices. However, a forensic expert is needed in the forensic team for effective and efficient use of these automated suites to achieve applicable organizational goals. The framework was designed for global use and in a high level format with general requirements for …