After the recent security breach, Always Fresh decided to form a computer security incident response team (CSIRT). As a security administrator, you have been assigned the responsibility of developing a CSIRT policy that addresses incident evidence collection and handling. The goal is to ensure all evidence collected during investigations is valid and admissible in court.

Consider the following questions for collecting and handling evidence:
1. What are the main concerns when collecting evidence?
2. What precautions are necessary to preserve evidence state?
3. How do you ensure evidence remains in its initial state?
4. What information and procedures are necessary to ensure evidence is admissible in court?

Create a policy that ensures all evidence is collected and handled in a secure and efficient manner. Remember, you are writing a policy, not procedures. Focus on the high-level tasks, not the individual steps. Address the following in your policy:
– Description of information required for items of evidence
– Documentation required in addition to item details (personnel, description of circumstances, and so on)
– Description of measures required to preserve initial evidence integrity
– Description of measures required to preserve ongoing evidence integrity
– Controls necessary to maintain evidence integrity in storage
– Documentation required to demonstrate evidence integrity

Computer Security Incident Response Team (CSIRT) Policy: Evidence Collection and Handling

Introduction:
The purpose of this policy is to establish guidelines for the collection and handling of evidence in computer security incidents. The primary goal is to ensure that all evidence collected during investigations is valid and admissible in court. This policy will outline the main concerns when collecting evidence, the precautions necessary to preserve evidence state, the measures required to ensure evidence remains in its initial state, the information and procedures necessary to ensure evidence is admissible in court, and the controls and documentation required to maintain evidence integrity in storage.

1. Main Concerns when Collecting Evidence:
When collecting evidence, it is crucial to consider the following main concerns:
– Integrity: Ensuring that evidence has not been tampered with, altered, or modified in any way.
– Authenticity: Verifying the source and origin of the evidence to establish its credibility.
– Confidentiality: Protecting the privacy and sensitive information contained within the evidence.
– Chain of Custody: Maintaining a documented record of the handling and transfer of evidence to establish its admissibility and credibility in court.

2. Precautions to Preserve Evidence State:
To preserve the state of evidence, the following precautions are necessary:
– Using forensic tools and techniques that do not modify or alter the evidence.
– Avoiding activities that may introduce changes to the evidence, such as powering off or restarting affected systems.
– Employing write-blocking mechanisms to prevent any unintentional modifications to the digital evidence.
– Documenting the date, time, and location of evidence collection to establish its integrity and continuity.

3. Ensuring Evidence Remains in its Initial State:
To ensure evidence remains in its initial state, the following measures are necessary:
– Utilizing read-only methods to access and analyze digital evidence to prevent unintentional modifications.
– Creating forensic copies of evidence to work with, rather than directly manipulating the original source.
– Monitoring and restricting access to evidence to prevent unauthorized alterations.
– Implementing a strict change control process for any modifications made to the evidence, ensuring proper documentation and approvals are obtained.

4. Information and Procedures for Admissible Evidence:
To ensure evidence is admissible in court, the following information and procedures are necessary:
– Detailed documentation of the item of evidence, including its source, date/time of collection, and location.
– Documentation of the personnel involved in the collection process, ensuring their qualifications and expertise are noted.
– Description of the circumstances surrounding the collection of the evidence, providing context and relevance.
– Adherence to applicable laws, regulations, and legal standards when collecting and handling evidence.

5. Controls for Evidence Integrity in Storage:
To maintain evidence integrity in storage, the following controls are necessary:
– Implementing secure storage mechanisms, such as encrypted containers or locked cabinets, to protect against unauthorized access.
– Regularly monitoring and reviewing the storage environment to identify any potential risks or vulnerabilities.
– Implementing access controls and authentication mechanisms to restrict access to stored evidence only to authorized individuals.
– Establishing a proper backup and recovery plan to prevent loss or damage to stored evidence.
– Maintaining a log of all access and activities related to the stored evidence to ensure accountability and traceability.

6. Documentation for Demonstrating Evidence Integrity:
To demonstrate evidence integrity, the following documentation is required:
– A detailed evidence log, including a chain of custody, documenting all activities and individuals involved in the collection, handling, and storage of evidence.
– Information about the tools, techniques, and methodologies used to collect and analyze evidence.
– Documentation of any deviations from standard procedures, justifying the reasons and providing any approvals obtained for such deviations.
– Relevant legal documentation and consent forms associated with the collection and handling of evidence.
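The integrity measures in sections 3, 5 and 6 (working from a forensic copy, logging every access, and keeping a chain of custody that can demonstrate the evidence is unchanged) are usually implemented with a cryptographic fingerprint taken at acquisition and a tamper-evident custody log. The following is an added illustration, not part of the Always Fresh policy and not code from any named tool: it assumes SHA-256 as the fingerprint (the policy names no algorithm), a hypothetical `EvidenceRegister` class, and a constructed stand-in for a disk image. Each custody event is hashed together with the previous event's hash, so editing or deleting an entry after the fact is detectable, and `verify_item` shows how a working copy is checked against the acquisition hash before analysis.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the very first custody event


def sha256_hex(data: bytes) -> str:
    """Integrity fingerprint of an evidence image (SHA-256, hex-encoded)."""
    return hashlib.sha256(data).hexdigest()


class EvidenceRegister:
    """Hypothetical evidence log: acquisition records plus a hash-chained
    chain-of-custody event list, so later alteration of the log is detectable."""

    def __init__(self):
        self.items = {}    # item_id -> acquisition record (who, where, tool, hash)
        self.events = []   # ordered custody events, each linked to its predecessor

    def _append_event(self, item_id, action, person, details):
        prev = self.events[-1]["entry_hash"] if self.events else GENESIS
        event = {
            "item_id": item_id,
            "action": action,
            "person": person,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "details": details,
            "prev_hash": prev,
        }
        # Hash the canonical JSON form of the event (excluding its own hash field).
        event["entry_hash"] = sha256_hex(json.dumps(event, sort_keys=True).encode())
        self.events.append(event)
        return event

    def acquire(self, item_id, image, source, location, collector, tool):
        """Record an item at collection time: source, place, collector, tool, hash."""
        digest = sha256_hex(image)
        self.items[item_id] = {"source": source, "location": location,
                               "collector": collector, "tool": tool,
                               "acquisition_hash": digest}
        self._append_event(item_id, "acquired", collector,
                           {"source": source, "location": location,
                            "tool": tool, "sha256": digest})
        return digest

    def transfer(self, item_id, from_person, to_person, reason):
        """Log a hand-over between custodians (e.g. analyst -> evidence locker)."""
        return self._append_event(item_id, "transferred", to_person,
                                  {"from": from_person, "reason": reason})

    def verify_item(self, item_id, image) -> bool:
        """True if a copy still matches the hash taken at acquisition."""
        record = self.items.get(item_id)
        return record is not None and sha256_hex(image) == record["acquisition_hash"]

    def verify_log(self) -> bool:
        """True if no custody event has been altered, reordered or removed."""
        prev = GENESIS
        for event in self.events:
            if event["prev_hash"] != prev:
                return False
            body = {k: v for k, v in event.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != event["entry_hash"]:
                return False
            prev = event["entry_hash"]
        return True


def demo():
    # Constructed sample data: a tiny stand-in for a disk image acquired
    # through a write-blocker, and placeholder identifiers (not real case data).
    image = b"CONSTRUCTED-DISK-IMAGE-PLACEHOLDER\x00" * 64
    reg = EvidenceRegister()
    reg.acquire("EVID-0001", image, "workstation (placeholder) /dev/sda",
                "server room (placeholder)", "analyst (placeholder)",
                "imaging via hardware write-blocker")
    reg.transfer("EVID-0001", "analyst (placeholder)",
                 "evidence custodian (placeholder)", "placed in secure storage")
    results = {
        "original_verifies": reg.verify_item("EVID-0001", image),
        "tampered_copy_verifies": reg.verify_item("EVID-0001", image[:-1] + b"\x01"),
        "log_verifies": reg.verify_log(),
    }
    reg.events[0]["person"] = "unknown"   # simulate someone editing a log entry
    results["log_after_alteration_verifies"] = reg.verify_log()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the acquisition hash is recorded on the evidence form at the time of imaging and re-verified whenever a working copy is made or the item leaves storage; the hash-chained event list is what lets the register answer, for every entry in section 6's evidence log, whether it has been changed since it was written.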

Conclusion:
This policy provides guidelines for the collection and handling of evidence in computer security incidents. By adhering to these guidelines, Always Fresh will ensure that all evidence is collected and handled in a secure and efficient manner, ensuring its validity and admissibility in court. It is the responsibility of all personnel involved in incident response to familiarize themselves with and adhere to this policy.
