
The Governance of Corporate Forensics using COBIT, NIST and Increased Automated Forensic Approaches

Henry Nnoli1, Dale Lindskog2, Pavol Zavarsky2, Shaun Aghili2, Ron Ruhl2

1ATB Financial, Edmonton T5J 1P1, Canada

2Information Systems Security Management, Concordia University College of Alberta, Edmonton T5B 4E4, Canada

[email protected], {dale.lindskog, pavol.zavarsky, shaun.aghili, ron.ruhl}@concordia.ab.ca

Abstract—Today, the ability to investigate internal matters such as policy violations, regulatory compliance, and employee separation has become important for corporations that want to manage risk. Information security threats evolving on a daily basis have increasingly raised concerns for enterprise organizations. These threats include, but are not limited to, fraud, insider threat and intellectual property (IP) theft. They have increased the demand for organizations to implement corporate forensics, both as a deterrent to illegitimate acts and for linking perpetrators to those acts. This explains why forensic practices are expanding from their traditional role in law enforcement and becoming an essential part of business processes. However, most organizations may not be maximizing the benefits of corporate forensic capabilities because of a lack of corporate forensic governance best practices, which are needed to ensure that organizations prepare their operating environment for digital forensic investigation. Corporate forensic governance will help ensure that digital evidence is obtained in an efficient and effective way with minimal interruption to the business. This paper presents a corporate forensic governance framework intended to enhance forensic readiness, governance and management, and to increase the use of automated forensic techniques and in-house forensically sound practices in large organizations that have a need for them.

Index Terms—corporate forensic governance; corporate forensic readiness; increased automated forensic solutions; digital forensic investigation; digital evidence

I. INTRODUCTION

Most organizations waste effort, time and resources in carrying out forensic investigations due to a lack of corporate forensic preparedness [4]. Forensic readiness (preparedness) can be defined as the process of being prepared (having the right policies, procedures, people and techniques in place to respond professionally and in a timely manner) before an incident occurs. Rowlingson [4], in his paper ‘A Ten Step Process for Forensic Readiness’, described forensic readiness as the ability of an organization to maximize its potential to use digital evidence while minimizing the cost of an investigation. In that paper he discussed practices that, when implemented before a digital incident occurs, can help organizations be ready to carry out forensic investigations. However, forensic readiness is only one part of a comprehensive and well-structured corporate forensic governance program.

Governance is the process of establishing and maintaining a framework, and the supporting management structure and processes, to provide assurance that applicable strategies are aligned with and support business objectives and are consistent with applicable laws and regulations, through adherence to policies and internal controls and the assignment of responsibility, all in the effort to manage risk [22]. In most organizations, when incidents occur the incident response team’s major concern is to contain the incident and restore operations, and less attention is paid to potential evidence. In most cases the digital evidence is therefore contaminated, incomplete and untrustworthy, all of which inhibit linking perpetrators to their illegitimate acts if a crime has been committed [2]. This is simply because of the lack of forensic readiness, which is part of a good corporate forensic governance program. Grobler et al [5] stated, “all disciplines need some form of policy, procedures, standards and guidelines hence necessitating the proper facilitation of governance”. In their paper, entitled ‘Managing digital evidence - The governance of digital forensics’, they introduced a preliminary framework for the governance of digital forensics.

According to COBIT [10], the principles of governance best practices include strategic alignment, risk management, value delivery, resource optimization, and continuous performance evaluation. The Board Briefing on IT Governance [22] stated that governance practices have been confirmed to yield huge benefits in the fields of information technology (IT) and information security (IS) due to the establishment and adoption of applicable frameworks like COBIT. “In other words, top management of various organizations are realizing the significant impact information technology and information security can have on the success of their enterprise because of governance of these fields” [22]. Such governance practices are lacking in the field of digital forensics [5]. For various reasons which will be highlighted later in this paper, there is a need for effective and efficient governance practices for corporate forensic programs, to ensure that value, risk and resources are optimized during forensic investigations. Most organizations are still biased against in-house forensic readiness and capability because they feel that it involves complex processes; with a proper best practice framework for corporate forensic governance and readiness, however, they will observe that in-house forensic readiness can be conducted in an efficient and effective way. In addition, the use of innovative, user-friendly and increased automated corporate forensic solutions (like Encase Enterprise) reduces the amount of resources (time, effort and personnel) used for such practices. Given the existence of COBIT [10][11] and other IT and IS governance frameworks, and of research work like [1][2][3][4][5][8], it is obvious that there is a governance gap in the field of corporate forensics.

2012 ASE/IEEE International Conference on Social Computing and 2012 ASE/IEEE International Conference on Privacy, Security, Risk and Trust

978-0-7695-4848-7/12 $26.00 © 2012 IEEE

DOI 10.1109/SocialCom-PASSAT.2012.109

734

Authorized licensed use limited to: University of the Cumberlands. Downloaded on August 07,2021 at 17:23:00 UTC from IEEE Xplore. Restrictions apply.

In this paper, a governance framework is presented that will guide those large organizations that need a corporate forensic program on how governance best practices can enhance corporate forensic readiness and in-house forensically sound practices in an efficient and effective way. The paper is organized into the following sections: Section II argues the need for corporate forensic readiness and governance; Section III explains best practice governance principles; Section IV is a brief discussion of related work; Section V is a description of the proposed framework; finally, in Section VI we conclude and recommend future work.

II. CORPORATE FORENSIC READINESS AND GOVERNANCE

According to [8], litigation is a last option for most organizations, because of concerns like negative publicity and its negative impact on the business. Therefore, corporate forensic readiness, governance and in-house forensic capability will help organizations be prepared to gather and use digital evidence as a deterrent and for reaching firm conclusions during internal investigations of non-criminal violations. The objective of corporate forensic readiness is to ensure that digital evidence is collected using sound forensic processes, in an effective way and with minimal interruption to the business. This evidence can also be used in the organization’s interest and defense. Although many organizations outsource forensic activities, it is likely that most would prefer to perform them internally. The reasons for this include privacy, confidentiality of organizational and customer data, legal risk, delayed forensic results from consultants, and compliance with regulations like Sarbanes-Oxley, the King 3 Report, the Basel Committee report on banking supervision, and FIPS PUB 200. In addition, outsourcing forensic activities is costly for large organizations that experience recurring digital incidents. Regulations like FIPS PUB 200 (2002) mandated that all federal agencies in the United States comply with the standard’s Audit and Accountability section, which states that “Organizations must:

1. Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.

2. Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions” [12].

These considerations show that, in a great many cases, there is a clear need for corporate forensic readiness and in-house forensic capability.

Rowlingson [4] articulates ten steps toward corporate forensic readiness:

1. “Define the business scenarios that require digital evidence.

2. Identify available sources and different types of potential evidence.

3. Determine the evidence collection requirement.

4. Establish a capability of securely gathering admissible evidence to meet the requirement.

5. Establish a policy for secure storage and handling of potential evidence.

6. Ensure monitoring is targeted to detect and deter major incidents.

7. Specify circumstances when escalation to a full formal investigation should be launched.

8. Train staff in incident awareness so that all those involved understand their role in the digital process and the legal sensitivities of evidence.

9. Document an evidence-based case describing the incident and its impact.

10. Ensure legal review to facilitate action in response to the incident”.

A good governance framework consists of both governance and management processes [11]. Rowlingson’s work should be incorporated into management processes and we therefore refined and used it in the development of the management processes (CFM domain) of our proposed corporate forensic governance framework. More elaboration on the need for corporate forensics can be found in [8].

A. The Relationship between IT Governance, IS Governance and Corporate Forensics

It could be argued that corporate forensics falls, in some respects, under IT governance and IS governance. However, some important aspects of corporate forensics, like jurisprudence (legal requirements) and forensically sound processes, are not fully part of IT and IS governance [3]. According to ACPO [30], forensically sound processes mean performing forensic practices (collection, examination, analysis, documentation, preservation of evidence and chain of custody) according to the applicable jurisdiction. It also means that forensic practices should be conducted in such a way that, if necessary, an independent third party is able to repeat the same processes and obtain the same result. This shows that preserving the integrity of evidence is very important during forensic investigations. Corporate forensics (CF) and digital forensics (DF) will be used interchangeably in this paper. Researchers like Von Solms [3] and Grobler [5] explain the relationship between digital forensics (DF), IS governance, IT governance and corporate governance. Von Solms et al state “that the proactive mode of information security ensures all policies, procedures, and technical mechanisms are in place to prevent harm to the organization’s information; the reactive mode ensures that if harm occur, it will be repaired (Business continuity planning, Good backup and Disaster recovery techniques are part of the reactive mode)” [3]. “The proactive mode of digital forensics ensures all policies, procedure, technical and automated mechanisms are in place to be able to act when required; the reactive mode ensures that the necessary actions can be performed to support specified analytical and investigative techniques required by digital forensics” [3]. This shows that some components of digital forensics, IS governance and IT governance overlap and are related. Therefore, the best practice governance principles used for effective IT and IS governance can also be used for corporate forensic governance.

Fig. 1. Relationship between Corporate governance, IT governance, IS governance and Digital forensic [3]

Figure 1 shows a holistic view of DF and its relationship with corporate governance, IS governance and IT governance.

III. BEST PRACTICE GOVERNANCE PRINCIPLES

According to best practices [10][11][22], governance principles include strategic alignment with business objectives, value delivery to the business, risk management, optimization of available resources and continuous performance evaluation.

A. Strategic Alignment

Good governance of corporate forensics (CF) will ensure that the objectives of CF practices are aligned with the organization’s goals. According to the Board Briefing on IT Governance [22], the cost effectiveness of a security program is determined by how well it supports the organization’s objectives. Corporate forensic governance will also ensure that corporate forensic objectives are defined in business terms and that every CF control is tracked to a specific business requirement. The following indicate alignment: a corporate forensic program that enhances business activities; a corporate forensic program that is responsive to defined business needs; corporate forensic program and organizational objectives that are defined and clearly understood by relevant stakeholders; a corporate forensic program that is mapped to organizational goals and validated by senior management; and a corporate forensic strategy and steering committee made up of key executives to ensure continuous alignment of corporate forensic objectives and business goals.

B. Value Delivery

Good governance of corporate forensic practices will also ensure that corporate forensic investments are optimized in support of enterprise objectives, and that the organization gets the expected benefits from those investments. Governance will ensure that corporate forensic investments support business needs and add the expected value. For instance, without governance there is no monitoring and evaluation to confirm that the corporate forensic investment is continuously supporting the business in achieving some of its strategic needs; forensic investments may then fail to add the expected value, since there are no metrics to measure whether value is optimized. Corporate forensic governance increases the likelihood of a corporate forensic program’s success, which matters given the significant cost associated with corporate forensic practices.

Figure 2 shows some of the questions governance will ask to ensure value is optimized.

Fig. 2. Val IT Framework 2.0, Value according to the Four ‘Are’s as described in the information paradox [34]

C. Risk Management

For applicable IT-related business risk to be mitigated using corporate forensic practices, CF governance helps ensure that corporate forensic practices are an integral part of the enterprise risk management program. CF governance will also ensure that the corporate forensic strategy and program help the organization achieve an acceptable level of applicable IT-related business risk. A structure for risk assessment as defined by NIST 800-30 is shown in Figure 3 below. If corporate forensic practices are part of the enterprise risk management program, potential evidence sources will be identified in a proactive manner. CF governance will also ensure that the legal risks involved in corporate forensic practices are fully identified, communicated, mitigated and managed.

Fig. 3. NIST 800-30 Risk Assessment Methodology [32]

Furthermore, in the risk assessment methodology shown in Figure 3, step 4 requires control analysis and selection. This is where controls are selected for all identified risks: candidate controls are weighed and analyzed based on their strengths and weaknesses, and the control that most effectively mitigates each risk is selected. All risks that could best be mitigated with corporate forensic practices should be identified, documented in a risk profile chart and rated to show their potential value impact on the business. This is one of the principles of good CF governance, and it ensures that every risk that could be mitigated with corporate forensic practices is mitigated and optimized.

D. Resource Optimization

This principle of good corporate forensic governance deals with the planning, allocation and control of corporate forensic resources, which include people, processes and technologies (increased automated forensic suites), towards adding value to the business. CF resources need to be managed properly to be effective. Proper CF resource management will ensure that corporate forensic practices are efficient and cost effective and, most importantly, that corporate forensics is effectively addressing applicable business needs.

E. Performance Evaluation

Since, as the saying goes, “you cannot manage what you cannot measure,” the governance of corporate forensic practices will ensure that measures are in place to monitor corporate forensic processes and measure their performance. This helps management make informed decisions about the state of the corporate forensic program and ascertain whether it is effective. Methods like a maturity model, checklists and other tools could be used. Indicators of an effective corporate forensic program, as observed from performance measurement, include: the time it takes to detect and uncover potential security threats to the business; the number of threats effectively traced to their sources within a minimal time interval and without interruption to the business; and the number of security breaches reported (a lower number of reported breaches indicates that the control is effective as a deterrent). The performance measurement module of the governance framework is represented in the corporate forensic evaluation (CFE) domain of the proposed framework.

IV. RELATED WORK

Researchers like [4][6][7][8] have looked into some form of forensic readiness, while [2][8][9][21] have looked into some form of proactive digital forensics; both are considered part of, but not a comprehensive representation of, good governance practices. They did not comprehensively address the establishment of a good governance framework and the major governance processes for corporate forensic practices, which would obviously make their work more effective. In other words, they did not address in detail how corporate forensic practices could be enhanced using governance best practices. The lack of CF governance practices might explain why management sees digital forensics as an abstract and highly technical field and has very little interest in leveraging its benefits to achieve some of their corporate goals. The good governance referred to at the beginning of this section means: getting senior management involved in an interactive manner by using globally adopted common business language in a governance framework for forensic practices; management taking ownership of the forensic program by assuming responsibility and accountability (RACI chart) for forensic processes; use of increased automated forensic suites with generation of user-friendly executive reports, remote forensics and automated processes; and use of forensic practices to minimize high IT-related business risk. All these enhancements are expected to help organizations maximize the benefits of forensic practices in an efficient and effective way. Discussing proactive or corporate forensic readiness, as [2][4][6][7][8][9][21] do, without establishing a governance structure and framework and obtaining management support will result in a corporate forensic readiness program that is not fully effective and efficient.

Furthermore, at the time this paper was written, only one research group, Grobler et al [5], had to the best of our knowledge researched the governance of digital forensics. Their paper was a preliminary framework, in the form of an outline, for the governance of digital forensics. The scope of that paper did not comprehensively address how globally accepted governance best practices [10][11][22] can be used to enhance a corporate forensic program in enterprise organizations.

V. DESCRIPTION OF THE PROPOSED FRAMEWORK

According to best practice [11], a governance framework should consist of two major groups of processes: governance processes and management processes. The governance processes involve direction in strategic alignment, risk management, resource optimization, value delivery and performance evaluation. The governance field directs the management field and ensures that management processes are achieving their goals. The management field is responsible for executing and implementing directions from the governance field. The management processes involve the specialized and operational processes which governance uses to achieve its tactical and operational goals; the management section performs more hands-on tasks than the governance section. The proposed framework was developed on this principle. It was categorized into three domains, namely Corporate Forensic Governance (CFG, the governance processes), Corporate Forensic Management (CFM, the management processes) and Corporate Forensic Evaluation (CFE). The third domain, CFE, maintains a life cycle model for the framework by evaluating, monitoring and continually improving forensic processes through lessons learned and evaluation using a maturity model. Figure 4 shows the corporate forensic governance framework lifecycle.

Fig. 4. The three major domains of the proposed corporate forensic governance framework lifecycle

The proposed corporate forensic governance framework was developed with the common languages and best practices used in related governance models.


A. Corporate Forensic Governance (CFG)

Corporate Forensic Governance was developed from the major principles of best governance practices as recommended by COBIT [10][11] and the Board Briefing on IT Governance [22], which include strategic alignment, risk management, resource optimization, and value delivery. These principles correspond to control objectives CFG 1 to CFG 4 of the corporate forensic governance domain. Detailed control practices were developed under each of these control objectives.

B. Corporate Forensic Management (CFM)

The second domain, Corporate Forensic Management (CFM), contains the functions classified as management functions in the framework. This domain was developed from best practices, Rowlingson’s work [4] and all other literature reviewed in the reference section. The control objectives in this domain (CFM 1 to CFM 10) are: manage legal and ethical requirements; define policies; define procedures; manage education, training and awareness; perform proactive evidence identification; collect evidence; examine and analyze evidence; manage evidence; manage third party; and document, report and present evidence. Detailed control practices were developed under each of these control objectives.

C. Corporate Forensic Evaluation (CFE)

The third domain, Corporate Forensic Evaluation (CFE), contains processes to evaluate (using a maturity model), monitor, assess and improve (with lessons learned and feedback) forensic practices, to ensure that the objective of the framework is continuously achieved. That objective includes performing corporate forensic activities in an efficient and effective way, with minimal disruption to the business; collecting evidence in a forensically sound way; and reducing applicable potential IT-related risk to the business. This domain was developed from the process assessment best practices in all the literature reviewed. Detailed control practices were developed under each of the control objectives (CFE 1 to CFE 3) of this domain.

D. Corporate Forensic Governance Structure

Figure 5 shows a high-level hypothetical corporate forensic governance structure. Other assurance functions like HR, Internal Audit, Privacy, the Value Management Office, Legal, etc. are part of the corporate forensic strategy and steering committee. To establish an effective CF governance program, the first step is to establish a governance structure that will oversee the governance of the corporate forensics program. This is one of the requirements of good governance. According to several regulations and best practices [11][22], senior management is ultimately responsible for good governance and for exercising due care in performing tasks involving all specialized disciplines. Corporate forensics, information technology and information security are examples of such specialized disciplines in a corporate environment. Therefore the overall accountability for good governance rests with the board of directors.

Since the Board and the CEO have many other commitments, they should set up a steering and strategy committee to oversee their corporate forensic responsibilities and report back to them. This responsibility could also be taken by the CIO, depending on the size of the organization or its business environment. The structure shown is therefore only hypothetical; organizations can set up their governance structure as suits their business environment. For instance, if an organization is experiencing various insider frauds and other negative publicity due to security breaches, the board of directors will be interested in knowing the most effective strategy to mitigate that risk. This will increase the organization’s interest in implementing a corporate forensic program, which the CEO or board might then want to oversee.

Fig. 5. A hypothetical corporate forensic governance structure

Each member of the governance and management teams in the proposed framework has assigned roles and responsibilities similar to those seen in [22]. Each is responsible, accountable, consulted and/or informed for each of the governance, management and evaluation processes of the corporate forensic governance framework. This is achieved using a RACI chart, which records who is Responsible, Accountable, Consulted and/or Informed. Table I briefly explains the RACI chart.

E. Corporate Forensic Governance Framework

The framework consists of three domains (CFG, CFM and CFE), 17 high-level control objectives (CFG1-CFG4, CFM1-CFM10, CFE1-CFE3) and 119 detailed control practices. The control practices and the RACI assignment of roles and responsibilities can be adjusted to suit each organization’s needs and business environment. In other words, some of the control practices might not be applicable in some organizations, depending on how they are structured and what their business environment is like.

TABLE I. THE RACI CHART

R (Responsible): Those responsible for performing the task or ensuring the task is done.

A (Accountable): The person who must approve or sign off before the process is effective, or the person accountable for the success of the process.

C (Consulted): Those who provide input needed to complete the task.

I (Informed): Those who are regularly updated on the outcome of decisions, processes and actions taken.

In addition, some of these controls may already have been implemented in some organizations (for example for information security); in such cases enhancement is needed to accommodate forensic practices. During implementation of the framework, CFG1 – CFG4 are implemented first, before CFM1 – CFM10 and then CFE1 – CFE3. A RACI chart was used to assign roles and responsibilities to the governance and management team according to best practices [10][22]. Refer to Section V for more explanation of the structure of the proposed framework. A brief explanation of the scope and control objectives of the proposed framework is given in Table II.

The scope of the proposed corporate forensic governance framework is based on the use of increased automated forensic suites like Encase Enterprise for forensic practices. These suites are known for their increased automation and for an ease-of-use approach to performing forensic practices. However, a forensic expert is still needed in the forensic team for effective and efficient use of these automated suites to achieve applicable organizational goals. The framework was designed for global use and in a high-level format, with general requirements for performing forensic practices using automated forensic suites. A brief explanation of the control objectives is given below.

TABLE II. EXPLANATION OF THE SCOPE AND CONTROL OBJECTIVES FOR THE PROPOSED FRAMEWORK

Control objectives Brief explanation of the controls in the proposed framework

CFG1 Strategic alignment This control ensures clear goals and objectives of a corporate forensic program are defined and that these defined goals and objectives are strategically aligned to enterprise goals and objectives. In other words this control ensures that corporate forensic program is helping the organization achieve some of its goals and objectives.

CFG2 Ensure risk is optimized with CF implementation

This control ensures that business risk which can be mitigated with corporate forensics are identified and mitigated. To achieve this a corporate forensic program should be part of enterprise risk management program to ensure CF is effectively used as a mitigation control in managing applicable IT related business threat and risk such as insider threat, fraud, IP theft, staff sabotage etc.

CFG3 Ensure resources are optimized with CF implementation

Due to the significant cost involved in establishing a CF program, this control will ensure that CF resources are managed properly and are optimized efficiently. Also this control will ensure CF resource management is aligned with enterprise resource management for efficient utilization of budget and organization finances.

CFG4 Ensure value is optimized with CF implementation

This control ensures that CF program is adding expected value to the business. It will also ensure that forensic investments are monitored and value documented to determine if it is helping the business achieve some of its goals and objectives.

CFM1 Manage legal and ethical requirements

This control ensures that digital evidence is obtained in accordance with applicable law, regulation and standards for digital evidence acquisition.

CFM2 Define policies Grobler et al stated that “policies are the building blocks for management to provide a framework to manage DF in an organization” [2]. This control will ensure that the necessary policies required for a CF program are established and managed.

CFM3 Define procedures This control ensures that procedures for a CF program are established and are based on standards like ACPO [30].

CFM4 Manage education, training and awareness

This control ensures that awareness is created for CF program in an organization. It also ensures that forensic resources are reputable and that forensic personnel have relevant skills to perform CF tasks.

CFM5 Perform pro-active evidence identification

This control ensures that digital evidence is identified proactively, by analysis and assessment of the enterprise resources that might be potential evidence sources. This identification is based on the enterprise risk assessment.

CFM6 Collect evidence

This control ensures that evidence is collected in a forensically sound manner using automated forensic suites.

CFM7 Examine and analyze evidence

This control ensures that evidence is examined and analyzed in a forensically sound manner using automated forensic suites.

CFM8 Manage evidence (chain of custody)

This control ensures that evidence is managed and secured, and that the chain of custody is monitored and managed so that the integrity of the evidence is maintained.

CFM9 Manage third party

This control ensures that third-party forensic consultants are managed so as not to introduce new business risk to the organization when forensic practices are outsourced.

CFM10 Documentation, Reporting and Presentation

This control ensures that forensic processes are documented in such a way that an independent forensic examiner can repeat the same process and obtain the same result. It also ensures that digital evidence is presented in the right format for the applicable audience.
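Added example, not from the paper: a minimal evidence record illustrating what CFM6 (sound collection), CFM8 (chain of custody) and CFM10 (repeatability by an independent examiner) require in practice. The record hashes the artifact at acquisition, logs every hand-over in an append-only list, and lets a second examiner re-verify the bytes; the helper names and the sample artifact are constructed for this illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict

# Hypothetical helper names (not from the paper). The record can be re-verified by
# any examiner who holds the same artifact bytes, which is what repeatability means.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class EvidenceRecord:
    evidence_id: str
    acquisition_hash: str                 # SHA-256 taken at collection time (CFM6)
    custody_events: list = field(default_factory=list)  # hand-overs, in order (CFM8)

    def transfer(self, from_party: str, to_party: str, when: str) -> None:
        # Events are appended, never rewritten, so the chain of custody stays auditable.
        self.custody_events.append({"from": from_party, "to": to_party, "at": when})

    def verify(self, artifact: bytes) -> bool:
        # An independent examiner recomputes the hash; a match shows the artifact is
        # byte-for-byte the one acquired (CFM10: same process, same result).
        return sha256_hex(artifact) == self.acquisition_hash

    def to_report(self) -> str:
        # Deterministic JSON so two examiners produce identical documentation.
        return json.dumps(asdict(self), indent=2, sort_keys=True)

def acquire(evidence_id: str, artifact: bytes, collector: str, when: str) -> EvidenceRecord:
    rec = EvidenceRecord(evidence_id, sha256_hex(artifact))
    rec.transfer("source system", collector, when)
    return rec

# Constructed sample artifact standing in for an acquired log export or disk image.
SAMPLE_ARTIFACT = b"2020-03-02T09:15:00Z user=u1234 action=copy file=design.pdf dst=USB\n"

if __name__ == "__main__":
    rec = acquire("EV-0001", SAMPLE_ARTIFACT, "forensic specialist", "2020-03-02T10:00:00Z")
    rec.transfer("forensic specialist", "evidence locker", "2020-03-02T10:30:00Z")
    print(rec.to_report())
    print("intact:", rec.verify(SAMPLE_ARTIFACT))          # True
    print("tampered:", rec.verify(SAMPLE_ARTIFACT + b"x"))  # False
```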

CFE1 Monitor and evaluate forensic process compliance with regulation

This control ensures that all forensic processes conform to the regulatory and legal requirements for obtaining forensically sound digital evidence in each applicable jurisdiction.

CFE2 Monitor, evaluate and report forensic process performance and conformance

This control ensures that all forensic practices are monitored and evaluated, using a maturity model and checklists, to confirm that the controls are effectively achieving their objectives.

CFE3 Continuously improve corporate forensic processes

Without proper monitoring and evaluation of CF practices, it is difficult to improve them or to make the CF program effective. This control ensures that CF practices are continuously improved using lessons learned and the maturity model, so that the CF program becomes more effective in mitigating applicable business risk.


Authorized licensed use limited to: University of the Cumberlands. Downloaded on August 07,2021 at 17:23:00 UTC from IEEE Xplore. Restrictions apply.

Table III below shows the proposed corporate forensic governance framework at a high level with only the control objectives. The full table with its control practices will be available for download at infosec.concordia.ab.ca after the conference.

TABLE III. THE PROPOSED CORPORATE FORENSIC GOVERNANCE FRAMEWORK

Role columns, in the order used by each row below: Board; CEO; CFO; COO; CIO; Corporate Forensic Strategy & Steering Committee; Chief Risk Officer; Chief Information Security Officer; HR; Internal Audit; Compliance; Business Process Owners; Value Management Office; Forensic Specialist(s); Privacy Officer; General Counsel/Legal. Cells hold RACI codes (R = responsible, A = accountable, C = consulted, I = informed). Roles with no entry for a control are blank in the original, so a row with fewer than sixteen codes skips those roles.

Domain | Control Objectives and Practices | RACI assignments
CFG | CFG1 Strategic alignment | C C C C R A C R C C R C R C C
CFG | CFG2 Ensure risk is optimized with CF implementation | C R C R R R A R C R R C I R R R
CFG | CFG3 Ensure resources are optimized with CF implementation | I C C C A R I R C I I C C R C C
CFG | CFG4 Ensure value is optimized with CF implementation | C R R R R A C R I C C C R R C C
CFM | CFM1 Manage legal requirements | I C I C C C C R I I C C I R C A/R
CFM | CFM2 Define policies | C A C C R R C R C C C C C R C C
CFM | CFM3 Define procedures | C C I A/R I C C C I R C C
CFM | CFM4 Manage education, training and awareness | I I I I A/R R C C C R C C
CFM | CFM5 Perform pro-active evidence identification | I I I C A/R C I C C C R C C
CFM | CFM6 Collect evidence | I I I C A I I C C I R C C
CFM | CFM7 Examine and analyze evidence | I I I A C C C R C
CFM | CFM8 Manage evidence (chain of custody) | I I I C R C C R A
CFM | CFM9 Manage third party | C C C I C R I C C C C R C A
CFM | CFM10 Documentation, Reporting and Presentation | I I I I I I I A I I I R I C
CFE | CFE1 Monitor and evaluate forensic process compliance with regulation | I I R R C R C C C I R C A
CFE | CFE2 Monitor, evaluate and report forensic process performance and conformance | I I A R C R I C C C I R C C
CFE | CFE3 Continuously improve corporate forensic processes | I I I A R C R I C C C I R C C

F. Corporate Forensic Governance Flow Diagram

This section summarizes the flow of the processes described in the corporate forensic governance framework. The flow diagram shows the processes from the establishment of a corporate forensic governance structure to the evaluation of corporate forensic processes and the improvements applied to ensure that the goal of the program is continually achieved. The flow diagram can be seen in the full paper, which will be available for download at infosec.concordia.ab.ca after the conference.


VI. CONCLUSION AND FUTURE WORK

This paper provided best practices for corporate forensic governance and management that will help organizations achieve efficient and effective corporate forensic readiness and an in-house forensic capability using automated forensic techniques. It also showed how governance best practices can ensure that organizations benefit from their forensic investments. In addition, it showed that implementing enterprise automated forensic suites can detect, deter and reduce high-profile business threats such as insider threat, fraud and intellectual property theft, since all employees are aware that illegitimate acts can be linked to their perpetrators. Therefore, compliance with regulations such as FIPS PUB 200 can be effectively established in applicable organizations. Furthermore, the developed framework will enhance the way organizations perform forensic practices by reducing the rate of unsuccessful investigations and improving the use of resources (time, cost and personnel) during forensic investigations. The forensic governance framework also uses common business language that management understands, with roles and responsibilities assigned using a RACI chart. This will increase the effectiveness of the program, since accountability and responsibility for each corporate forensic process are properly defined.

For future work, since the framework was developed for global use and at a high-level structure, the CFM domain of the framework can be narrowed down to a specific jurisdiction (continent), with more comprehensive step-by-step details of all forensically sound processes developed in light of the legal requirements for collecting evidence in the chosen jurisdiction. The framework can also be tested and evaluated in a real organization, with an analysis of the test results documented.

ACKNOWLEDGMENT

The authors are thankful to the Faculty of Graduate Studies at Concordia University College of Alberta for providing resources used in the accomplishment of this research. Special thanks go to Amer Aljaedi for his advice and discussions.

REFERENCES

[1] C. Grobler and C. Louwrens, “Digital evidence management plan,” Proc. IEEE Information Security for South Africa (ISSA), South Africa, August 2-4, 2010, pp. 1-6.

[2] C. Grobler, C. Louwrens and S. Von Solms, “A framework to guide the implementation of proactive digital forensics in organizations,” Proc. IEEE ARES ’10, Krakow, Poland, February 15-18, 2010, pp. 677-682.

[3] S. Von Solms and C. Louwrens, “The relationship between digital forensics, corporate governance, IT governance and IS governance,” in Digital Crime and Forensic Science in Cyberspace, PA: Idea, 2006, pp. 243-265.

[4] R. Rowlingson, “A ten step process for forensic readiness,” International Journal of Digital Evidence, 2004, Available: http://ijde.org

[5] M. Grobler and I. Dlamini, “Managing digital evidence: the governance of digital forensics,” Journal of Contemporary Management, 2010, Available: http://www.researchspace.csir.co.za

[6] S. Von Solms, C. Louwrens, C. Reekie and T. Grobler, “A control framework for digital forensics,” International Federation for Information Processing, 2006, vol. 222, pp. 343-355.

[7] C. Grobler and C. Louwrens, “Digital forensic readiness as a component of information security best practice,” International Federation for Information Processing, 2007, vol. 233, pp. 13-24.

[8] G. Pangalos, C. Ilioudis and I. Pagkalos, “The importance of corporate forensic readiness in the information security framework,” Proc. IEEE WETICE ’10, Krakow, Poland, June 28-30, 2010, pp. 12-16.

[9] M. Kohn, J. Eloff and M. Olivier, “Framework for a Digital Forensic Investigation,” Unpublished Paper.

[10] Information Systems Audit and Control Association (ISACA), “COBIT 4.1,” 2007, Available: http://www.isaca.org

[11] Information Systems Audit and Control Association (ISACA), “COBIT 5.0,” 2011, Available: http://www.isaca.org

[12] FIPS PUB 200, “Minimum Security Requirements for Federal Information and Information Systems,” 2006.

[13] FIPS PUB 199, “Standards for Security Categorization of Federal Information and Information Systems,” 2004.

[14] Y. Shin, “New digital forensic investigation procedure model,” Proc. NCM ’08, 2008, vol. 1, pp. 528-531.

[15] C. Shields, “Towards proactive forensic evidentiary collection,” Proc. HICSS ’10, 2010, pp. 1-9.

[16] C. Walker, “Computer Forensics: Bringing the Evidence to Court,” Unpublished Paper, 2010, Available: http://www.infosecwriters.com

[17] K. Nance, B. Hay and M. Bishop, “Digital forensics: defining a research agenda,” Proc. HICSS ’09, 2009, pp. 1-6.

[18] D. Barske, A. Stander and J. Jordaan, “A digital forensic readiness framework for South African SMEs,” Proc. ISSA, 2010, pp. 1-6.

[19] CSI, “Computer crime security survey 2010/2011,” Available: http://www.gocsi.com/survey

[20] G. Mohay, “Technical challenges and directions for digital forensics,” Proc. SADFE, 2005, pp. 155-161.

[21] C. Grobler, C. Louwrens and S. Von Solms, “A multi-component view of digital forensics,” Proc. ARES 2010, pp. 647-652.

[22] ISACA, “Board briefing on IT governance,” 2003, Available: http://www.isaca.org

[23] B. Endicott-Popovsky and D. Frincke, “Embedding forensic capabilities into networks: addressing inefficiencies in digital forensic investigations,” Proc. IAW 2006, pp. 133-139.

[24] “The practitioner’s guide to legal issues related to digital investigations and electronic discovery,” EnCase Legal Journal, 2011, Available: http://www.guidancesoftware.com/

[25] Guidance Software, “The seven best practices of highly effective eDiscovery practitioners,” 2010, Available: http://www.guidancesoftware.com/

[26] ACFE, “Report to the nations on occupational fraud and abuse,” 2010/2011, Available: http://www.acfe.com/rttn.aspx

[27] NIST SP 800-86, “Guide to integrating forensic techniques into incident response,” 2006, Available: http://www.nist.gov

[28] ISO/IEC FDIS 27001, “Information security management systems requirements,” 2005, Available: http://www.iso.org

[29] ISO/IEC FDIS 27037, “Guideline for identification, collection, acquisition and preservation of digital evidence,” Available: http://www.iso.org

[30] ACPO (Association of Chief Police Officers), Available: http://www.acpo.police.uk

[31] NIST SP 800-92, “Guide to computer security log management,” 2006, Available: http://www.nist.gov

[32] NIST SP 800-30, “Risk management guide for information technology systems,” Rev. 1, 2010, Available: http://www.nist.gov

[33] ISACA, “The Risk IT practitioner guide,” 2009, Available: http://www.isaca.org

[34] ITGI, “The Val IT framework 2.0,” 2008, Available: http://www.isaca.org
