athulin wrote:
Adampski wrote:
"Forensic readiness is complementary to, and an enhancement of, many existing information security activities."
I think I disagree with that -- I'd say that FR is to at least 90% nothing but standard IS risk/threat preparation, only that it relates to the forensic arena, and for that reason may appear to stand out.
But then I look at it from the IS world, which I view as dealing with all unwanted events that touch on information as an asset. If one unwanted event is that an important incident investigation fails due to poor log retention, it's primarily an IS matter -- from this particular viewpoint. Thus, Step 5 in the 10-step process can also be viewed as a pure IS requirement, instead of a FR requirement.
And from that viewpoint, the ten steps read generally as an action plan from a threat assessment, after it has been de-identified, distilled, and generalized: a number of unwanted events, relating to forensic requirements, have been identified, and hopefully prioritized, root/cause analysis has been performed, and a number of activities for the prevention, mitigation, transfer, and possibly even acceptance of those risks formulated.
(Of course, in a company with an active legal department, FR could easily be a responsibility of that department, rather than the IS dept.)
One area where the word 'complementary' may apply is that 'evidence process'. Most IS/IT departments I have come in contact with separate the 'get back to working conditions' process from the 'now, what really happened and how do we avoid it in the future' process. (ITIL identifies those as 'Incident management' and 'Problem management' respectively, I believe.) That is, IT technicians rarely focus on the 'collect evidence' part -- they typically have to get the user or system back into production. And once that's done, there may not be much evidence left to examine.
Focussing on FR makes great sense for an IS or IT person who may need a slight jog to understand just why all this is important.
The UK appears to have Forensic Readiness as a mandatory requirement for all government departments. And of course, many of the basic requirements are part of other frameworks and models, though typically not expressed as forensic requirements, but usually as traceability requirements (Sarbanes-Oxley, etc.)
Just stumbled on a thesis on the subject by Jeroen de Wit, which I will now proceed to read ...
Hi Athulin, thanks for taking the time to reply with useful insight!
I agree to the point that being forensic ready is somewhat similar to a risk/threat analysis, but instead with an action plan in order to yield evidence rather than retain business continuity. However, I don't feel it would be the responsibility of a legal department to manage an organisation's forensic readiness status. Perhaps the policy, where they would have the insight into what evidence would be needed for a strong and suitable case, thus recommending what actions should be a part of the action plan, so the evidence doesn't become contaminated. I believe it would be for the IT/IS members of the organisation to ensure the status is maintained.
With that said, I have read one or two papers where it is of primary interest for IT departments to resume business continuity, as that is the pressure applied by management and the customers. Therefore in turn of reacting to that pressure, evidence does get trampled on and the legal department may be left short for admissible evidence.
Gathering from what you've written, have you suggested that the ITIL framework provides a system where an IT department can implement a systematic approach to business continuity and an evidence collection plan, after an attack?
It's somewhat straightforward to complete a threat analysis report and an action plan (simple in the sense of creating the documents, rather than thinking of the possible threats), but if these actions are a part of an already existing framework, it can make recommendations far more reliable for my project.