Establish, implement, and maintain a digital forensic evidence framework.

CONTROL ID: 08652
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Incident Response program., CC ID: 00579

This Control has the following implementation support Control(s):
  • Retain collected evidence for potential future legal actions., CC ID: 01235
  • Define the business scenarios that require digital forensic evidence., CC ID: 08653
  • Contact affected parties to participate in forensic investigations, as necessary., CC ID: 12343
  • Identify potential sources of digital forensic evidence., CC ID: 08651
  • Document the legal requirements for evidence collection., CC ID: 08654
  • Establish, implement, and maintain a digital forensic evidence collection program., CC ID: 08655
  • Establish, implement, and maintain secure storage and handling of evidence procedures., CC ID: 08656
  • Prepare digital forensic equipment., CC ID: 08688
  • Collect evidence from the incident scene., CC ID: 02236

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • An incident monitoring and management process to address the identification and classification of incidents, reporting, escalation, preservation of evidence, the investigation process (Critical components of information security 1) 2) k., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Establishing the capability to investigate information security incidents through various modes like forensics, evidence collection and preservation, log analysis, interviewing, etc. (Critical components of information security 10) (ii) d., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Digital evidence is similar to any other form of legal proof - it needs to withstand challenges to its integrity, its handling must be carefully tracked and documented, and it must be suitably authenticated by concerned personnel as per legal requirements. Since the evidence resides on or is generat… (Critical components of information security 1) 5), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • information security investigation, including preservation of evidence and forensic analysis; and (16(h)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • monitoring and incident management to address the identification and classification of incidents, reporting and escalation guidelines, preservation of evidence and the investigation process; (¶ 27(e), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • In the event a follow-up action concerning a person or organization after an information security incident requires legal action, proper forensic procedures, including chain of custody, shall be required for the preservation and presentation of evidence to support potential legal action subject to t… (SEF-04, Cloud Controls Matrix, v3.0)
  • Forensic analysis may need to be established by a third party in order to be acceptable by a legal authority. (§ 3.4.5, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • Principle: Firms should establish policies and procedures, as well as roles and responsibilities for escalating and responding to cybersecurity incidents. Effective practices for incident response include: - preparation of incident responses for those types of incidents to which the firm is most lik… (Incident Response Planning, Report on Cybersecurity Practices)
  • Under SaaS, the CSP must perform the capture, preserve, and protect functions in conjunction with their CSSP. The CSP will then share their results with the Mission Owner's organization performing MCD Actions. (Section 6.5.4.2 ¶ 6, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Forensics (e.g., analysis of potentially compromised systems). (App A Objective 8.1.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Provide technical assistance on digital evidence matters to appropriate personnel. (T0212, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Process exfiltrated data for analysis and/or dissemination to customers. (T0774, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView). (T0172, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Review forensic images and other data sources (e.g., volatile data) for recovery of potentially relevant information. (T0532, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Process exfiltrated data for analysis and/or dissemination to customers. (T0774, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)