Establish, implement, and maintain secure storage and handling of evidence procedures.

CONTROL ID
08656
CONTROL TYPE
Records Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a digital forensic evidence framework., CC ID: 08652

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Digital evidence is similar to any other form of legal proof - it needs to withstand challenges to its integrity, its handling must be carefully tracked and documented, and it must be suitably authenticated by concerned personnel as per legal requirements. Since the evidence resides on or is generat… (Critical components of information security 1) 5), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The integrity of evidence gathered during an investigation is maintained by investigators: (Security Control: 0138; Revision: 4, Australian Government Information Security Manual, March 2021)
  • creating checksums for all evidence (Security Control: 0138; Revision: 4; Bullet 2, Australian Government Information Security Manual, March 2021)
  • the steps necessary to ensure the integrity of evidence relating to a cyber security incident (Security Control: 0043; Revision: 3; Bullet 7, Australian Government Information Security Manual, March 2021)
  • The integrity of evidence gathered during an investigation is maintained by investigators: (Control: ISM-0138; Revision: 5, Australian Government Information Security Manual, June 2023)
  • the steps necessary to ensure the integrity of evidence relating to a cyber security incident (Control: ISM-0043; Revision: 4; Bullet 7, Australian Government Information Security Manual, June 2023)
  • The integrity of evidence gathered during an investigation is maintained by investigators: (Control: ISM-0138; Revision: 5, Australian Government Information Security Manual, September 2023)
  • the steps necessary to ensure the integrity of evidence relating to a cyber security incident (Control: ISM-0043; Revision: 5; Bullet 7, Australian Government Information Security Manual, September 2023)
  • Establish a policy for secure storage and handling of potential evidence. (§ 5, A Ten Step Process for Forensic Readiness)
  • The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. (A.16.1.7 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization should define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. (§ 16.1.7 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. (§ 5.28 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Incidents and compromises will happen. When they do, they must be reported and then forensically analyzed to gain detailed information regarding how it occurred how to prevent it or protect the system in the future, and potentially who is responsible. Incident information must be gathered and handle… (Section 6.5.4 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence. (T0241, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Document original condition of digital and/or associated evidence (e.g., via digital photographs, written reports, hash function checking). (T0471, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes. This includes, but is not limited to, hard drives, floppy diskettes, CDs, PDAs, mobile phones, GPS, and al… (T0048, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence. (T0241, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)