Just because I carry a first aid kit in my car, does that make me equipped to deal with a road traffic incident? Probably not, writes Cheryl Hennell, ISC2 member and head of IT and information assurance LRE, Openreach.
The intention is clearly there, but when reality strikes... When we arrive at the point where we need to conduct an investigation, the incident has often occurred many months before (according to the Data Breach Investigations Report, Verizon, 2009). So we become historians, archaeologists poring over the ancient architecture looking for clues to the sociology within the silicon landscape. The most dangerous time for any investigation is, of course, when the "crime" is discovered and the uninitiated trample the "crime scene", innocently tampering with potential evidence, contaminating the scene by leaving unwelcome digital fingerprints.
Whether, as organisations, we are equipped to perform forensic investigations is then a question of resources and appetite. Do we have appropriate back-up systems in place? Do we have appropriate audit systems for access controls in place? Do we have information retention policies in place (for e-mails and documents)? Do we have acceptable use policies? Do we have skilled people who understand how to approach a digital crime scene or at least know enough not to "touch" anything when suspicion is aroused?
Many of you may have the fundamentals built into your security policies, but will rely on outsourcing your investigations on the basis that dynamic overheads "when investigation needs occur" are less costly than FTEs on your books for JIC (just in case). Building that relationship in these litigious days could save or gain you millions of pounds, and with internal training, education and awareness, you could even claim a level of maturity in your ability to perform forensic investigations.
This was first published in April 2010