Ready or not ?

Posted on March 25, 2011. Filed under: forensic, security | Tags: , , , , , , , , , , , , , |

In a couple of weeks time I’ll be off to Singapore, missing the Malaysian GP (but flying over it), to attend the next ISO/IEC SC27 meeting. Another week of sitting in meeting rooms in an exotic location.

While there, I’ll be proposing some new work that the UK delegation feels is necessary to complement the existing work on ISO 27037 (Identification, acquisition and preservation of digital evidence). Our view is that 27037 represents the middle of a 3-stage sub-process in Information Security Incident handling.

By the time you need to collect potential evidence, and incident has already occurred – and in order to be able to collect useful material you need a plan. Our view is that IS Incident Investigation should start with proper planning, then move on to collection and finally analysis & reporting. All of which should be properly underpinned by a robust validation & verification mechanism.

So – we are going to propose that some new work on IS Incident Investigation Readiness should be conducted, with a view to including it in ISO 27035 (Security Incident Management). Why there rather than in 27037 or a new standard ?

Well – Investigation is just one possible response to an incident – a common and useful one, but not the only one, so it makes sense to have it included in the management standard, which already includes risk assessment & management. Planning needs to come from an understanding of possible incidents and the systems which can be affected. Also, we know that many companies, particularly SMEs, will need to outsource the collection & analysis stages – which is perfectly acceptable – but still need to do their own planning to ensure that the organisation they call in can understand the nature of the incident and the systems affected, and that the methods to be employed in stages 2 & 3 meet the requirements of the plan.

I think it’s necessary work – certainly based on reports I’ve heard over the years from companies who complain that intellectual property breaches and acquisition of commercially sensitive data have not been investigated or prosecuted properly. In every case I’ve considered there has been a failing from day 1 on the part of the company – they didn’t take proper actions to secure the information or data, and they had no mechanism in place to prevent or investigate. As someone once said “Fail to plan and you plan to fail”.

There’s nothing really new in this – Incident Response guides recommend investigation as well as post-incident clean-up as good practice. It helps the organistion to learn from mistakes. The only real difference is that we are planning to set an international minimum standard for it – to help people understand the basic requirements.

If you haven’t already done some planning for incident investigation – why not start now ? or give me call or e-mail ? It needn’t take long, or be hugely expensive – but it could save a fortune if something untoward does happen.

P.S. – note that I haven’t said “forensic” anywhere in this note – not every investigation results in court action – sometimes it just results in improvements internally.

Advertisements

Make a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

One Response to “Ready or not ?”

RSS Feed for Forensically sound(ing off) Comments RSS Feed

To your note:
P.S. – note that I haven’t said “forensic” anywhere in this note – not every investigation results in court action – sometimes it just results in improvements internally.

No matter, if incident results in court action or not, it always should result to some internal or external (legal) actions. Result of investigation is “evidence” about incident, who, when, how, why, etc. You allways should use forensic methodes for it. I think we should use word “forensic” also in internal (not exclusively court) actions. It is used in ISO 27002 (13.2.1 c) 2) because you never know, if incicent could leads to legal action or not, in 27035 (3.2.2 and others) – there are the same reasons of using forensic analysis… I understand, that “client” could be afraid, in case “forensic” is used, becouse of potentioal problems with court, because of expensive, because of … But reality is, that forensic methodes are used, so why to supress it? In case you use forensic methodes a client have the guarantee of quality. And it is not necessary expensive.


Where's The Comment Form?

    About

    This is the weblog of Angus M. Marshall, forensic scientist, author of Digital Forensics : digital evidence in criminal investigations and MD at n-gate ltd.

    RSS

    Subscribe Via RSS

    • Subscribe with Bloglines
    • Add your feed to Newsburst from CNET News.com
    • Subscribe in Google Reader
    • Add to My Yahoo!
    • Subscribe in NewsGator Online
    • The latest comments to all posts in RSS

    Meta

Liked it here?
Why not try sites on the blogroll...

%d bloggers like this: