Retain collected evidence for potential future legal actions.


CONTROL ID
01235
CONTROL TYPE
Records Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a digital forensic evidence framework., CC ID: 08652

This Control has the following implementation support Control(s):
  • Protect devices containing digital forensic evidence during transport., CC ID: 08687
  • Protect devices containing digital forensic evidence in sealed containers., CC ID: 08685
  • Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence., CC ID: 08686


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • to collect and preserve forensic evidence as appropriate to facilitate subsequent investigation and prosecution of offenders if necessary; and (§ 8.2.1(v), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • The organization should transfer the raw audit trails to media for secure archiving and secure the manual log records for retention. (Control: 0138 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization should store network traffic for at least 7 days after the cyber security incident. (Control: 1213, Australian Government Information Security Manual: Controls)
  • If evidence storage is needed, the keys or the lock combination should be given only to a select few individuals. The evidence storage room should have individual lockable containers and a separate intrusion detection system. Documents and evidence should be retained in their original format until a… (Revised Volume 2 Pg 1-I-31, Protection of Assets Manual, ASIS International)
  • The information security policy should require that tampering with evidence in the case of information security incidents that may require forensic investigation is prohibited. (CF.01.01.03g, The Standard of Good Practice for Information Security)
  • Electronic evidence should be collected in accordance with legal constraints by creating a list of possible privacy implications (e.g., human rights and data protection). (CF.11.04.05a, The Standard of Good Practice for Information Security)
  • Electronic evidence should be collected in accordance with legal constraints by identifying constraints in employment legislation. (CF.11.04.05b, The Standard of Good Practice for Information Security)
  • Electronic evidence should be collected in accordance with legal constraints by complying with legal conditions in which investigations are allowed (e.g., regulation of investigatory powers act 2000 (uk)). (CF.11.04.05c, The Standard of Good Practice for Information Security)
  • The integrity of evidence should be protected by demonstrating that appropriate evidence has been collected, preserved, and that it has not been modified. (CF.11.04.08a, The Standard of Good Practice for Information Security)
  • The information security policy should require that tampering with evidence in the case of information security incidents that may require forensic investigation is prohibited. (CF.01.01.03g, The Standard of Good Practice for Information Security, 2013)
  • Electronic evidence should be collected in accordance with legal constraints by creating a list of possible privacy implications (e.g., human rights and data protection). (CF.11.04.05a, The Standard of Good Practice for Information Security, 2013)
  • Electronic evidence should be collected in accordance with legal constraints by identifying constraints in employment legislation. (CF.11.04.05b, The Standard of Good Practice for Information Security, 2013)
  • Electronic evidence should be collected in accordance with legal constraints by complying with legal conditions in which investigations are allowed (e.g., regulation of investigatory powers act 2000 (uk)). (CF.11.04.05c, The Standard of Good Practice for Information Security, 2013)
  • The integrity of evidence should be protected by demonstrating that appropriate evidence has been collected, preserved, and that it has not been modified. (CF.11.04.08a, The Standard of Good Practice for Information Security, 2013)
  • Begin to identify evidence immediately. The day and time, location, serial numbers, and any other identifying information must be written down in a log. All printouts and notes must be numbered, dated, and signed. Law enforcement agencies may require drives to be sealed and retained as evidence. The… (Action 2.3.1, Action 2.3.2, SANS Computer Security Incident Handling, Version 2.3.1)
  • Procedures should be developed for collecting evidence in the event of a security incident that results in legal action. (§ 13.2.3, ISO 27002 Code of practice for information security management, 2005)
  • The applicable entity shall retain evidence of each requirement in this standard for three calendar years. (C. 1. 1.2. ¶ 2 Bullet 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-7, Version 7)
  • The Responsible Entity shall keep data or evidence to show compliance as identified below unless directed by its CEA to retain specific evidence for a longer period of time as part of an investigation: - Each Responsible Entity shall retain evidence of each requirement in this standard for three cal… (C. 1. 1.2. ¶ 2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Does the incident response plan include procedures to collect and maintain a chain of custody for evidence during incident investigation? (§ J.1.2.4, Shared Assessments Standardized Information Gathering Questionnaire - J. Incident Event and Communications Management, 7.0)
  • Incidents and compromises will happen. When they do, they must be reported and then forensically analyzed to gain detailed information regarding how it occurred how to prevent it or protect the system in the future, and potentially who is responsible. Incident information must be gathered and handle… (Section 6.5.4 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Consistent with §160.310(c)(3), testimony and other evidence obtained in an investigational inquiry may be used by HHS in any of its activities and may be used or offered into evidence in any administrative or judicial proceeding. (§ 160.314(c), 45 CFR Part 160 - General Administrative Requirements)
  • Evidence shall be collected, retained, and presented to conform to the rules of evidence when follow-up action after an information security incident involves legal action. (§ 5.3.2.2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Where a follow-up action against a person or agency after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). (§ 5.3.2.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Where a follow-up action against a person or agency after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). (§ 5.3.2.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Defining threat monitoring policies that provide for both continual and ad hoc monitoring of communications and systems, effective incident detection and response, and the use of monitoring reports in subsequent legal proceedings. (App A Objective 8.4.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • A policy should be developed by the organization for how long evidence from an incident should be kept. Many organizations opt to retain all evidence for months or years. The following should be considered when making this decision: prosecution (if the attacker will be prosecuted, the evidence will … (§ 3.4.3, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • Gather and preserve evidence used on the prosecution of computer crimes. (T0430, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify data or intelligence of evidentiary value to support counterintelligence and criminal investigations. (T0112, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify elements of proof of the crime. (T0114, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Personally Identifiable Information should not be sanitized until the organization has determined if the Personally Identifiable Information must be preserved as evidence. (§ 5.3, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • Identify data or intelligence of evidentiary value to support counterintelligence and criminal investigations. (T0112, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Identify elements of proof of the crime. (T0114, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Gather and preserve evidence used on the prosecution of computer crimes. (T0430, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)