IT Governance, Risk, and Compliance

Aug 6 2009   8:39PM GMT

Preserving Electronically Encoded Evidence – Part I

Robert Davis

Seeking to preserve electronically encoded evidence implies that an incident or event has occurred that will require extrapolating facts for presentation as proof of an irregular, if not illegal, act. Anticipating this scenario requires that information security management proactively construct incident response and forensic investigation capabilities with legal imperatives in mind. Consequently, procedures addressing the infrastructure and processes for incident handling should exist within the security response documentation inventory.

Cardinally, all potential electronically captured evidence should be protected as soon as possible from deletion, contamination, modification and inaccessibility. When dealing with stored data, prudent information security management dictates informing appropriate parties that evidence will be sought through electronic discovery from the target IT; establishing specific protocols for preserving electronically encoded evidence; and enforcing eradication restrictions for data residing within the target IT. Furthermore, when feasible, electronically captured evidence should be stabilized in the environment that existed during the suspected inappropriate activity.

Post Note: An expanded version of this blog entry is available through the ISACA Journal.
