Establish, implement, and maintain a digital forensic evidence collection program.


CONTROL ID
08655
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a digital forensic evidence framework., CC ID: 08652

This Control has the following implementation support Control(s):
  • Include roles and responsibilities in the digital forensic evidence collection program., CC ID: 15724


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A service provider must ensure its telecommunications systems or postal systems are technically capable of supporting lawful interceptions at all times. (§ 9(1)(a), South African Interception of Communications Act, No 6/2007)
  • A service provider must ensure it installs software, hardware, and other devices to enable the interception of communications at all times or when required. (§ 9(1)(b), South African Interception of Communications Act, No 6/2007)
  • A service provider must ensure it is capable of rendering real-time and full-time monitoring for intercepting communications. (§ 9(1)(c), South African Interception of Communications Act, No 6/2007)
  • A service provider must ensure all call-related information is furnished in real-time or as soon as possible after the call has terminated. (§ 9(1)(d), South African Interception of Communications Act, No 6/2007)
  • A service provider must ensure it has one or more interfaces to transmit the intercepted communication to the monitoring center. (§ 9(1)(e), South African Interception of Communications Act, No 6/2007)
  • A service provider must ensure intercepted communications are transmitted to the monitoring center by switched connections or fixed connections. (§ 9(1)(f), South African Interception of Communications Act, No 6/2007)
  • A service provider must ensure it provides access to interception subjects that are temporarily or permanently operating in the communications systems and access to other providers or equipment when they may be using features to divert calls to other terminal equipment or service providers. (§ 9(1)(g), South African Interception of Communications Act, No 6/2007)
  • A service provider must ensure it has the capacity for a number of simultaneous interceptions with monitoring by more than one authorized person. (§ 9(1)(h)(i), South African Interception of Communications Act, No 6/2007)
  • A service provider must ensure it has the capacity for a number of simultaneous interceptions while safeguarding the identities of the monitoring agents and the confidentiality of the investigations. (§ 9(1)(h)(ii), South African Interception of Communications Act, No 6/2007)
  • A service provider must ensure that all interceptions are accomplished in a way that the interception target or other unauthorized persons are not aware of any changes made to fulfill the warrant. (§ 9(1)(i), South African Interception of Communications Act, No 6/2007)
  • Establishing the capability to investigate information security incidents through various modes like forensics, evidence collection and preservation, log analysis, interviewing, etc. (Critical components of information security 10) (ii) d., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • E-banking systems should be designed and installed to capture and maintain forensic evidence in a manner that maintains control over the evidence, and prevents tampering and the collection of false evidence. (Critical components of information security 21) vii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Establish a capability for securely gathering legally admissible evidence to meet the requirement. (§ 4, A Ten Step Process for Forensic Readiness)
  • How is evidence collected, managed, and shared? (Appendix D, Maintain an Information Security Policy Bullet 7 Sub-bullet 5, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Security Incident Management, E-Discovery, and Cloud Forensics. Review and update the policies and procedures at least annually. (SEF-01, Cloud Controls Matrix, v4.0)
  • The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. (A.16.1.7 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. (§ 16.1.7 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. (§ 5.28 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The cloud service customer and the cloud service provider should agree upon the procedures to respond to requests for potential digital evidence or other information from within the cloud computing environment. (§ 16.1.7 Table, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Examine recovered data for information of relevance to the issue at hand. (T0103, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise. (T0432, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Examine recovered data for information of relevance to the issue at hand. (T0103, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise. (T0432, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Recognize and accurately report forensic artifacts indicative of a particular operating system. (T0216, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)