Ken 7 Windows Limited has decided to form a computer security incident response team (CSIRT). When making any security-related changes, they know the first step is to modify the security policy. As a security administrator, you have been assigned the responsibility of developing a CSIRT policy that addresses incident evidence collection and handling. This policy will guide CSIRT team members in developing procedures on proper techniques in handling evidence. The goal is to ensure all evidence collected during investigations is valid and admissible in court. You will write a policy to ensure all evidence is collected and handled in a secure and efficient manner. All procedures and guidelines will be designed to fulfill the policy you create.

Answer the following questions for collecting and handling evidence:

1. What are the main concerns when collecting evidence?
2. What precautions are necessary to preserve evidence state?
3. How do you ensure evidence remains in its initial state?
4. What information and procedures are necessary to ensure evidence is admissible in court?

Format: Microsoft Word
Font: Times New Roman, 12-Point, Double-Space
Citation Style: APA Style with 3 references

The main concerns when collecting evidence in a computer security incident response team (CSIRT) include maintaining the integrity, authenticity, and confidentiality of the evidence.

Integrity refers to ensuring that the evidence collected is not altered or tampered with during the collection process. This involves using proper chain of custody procedures to track the evidence from the time it is collected until it is presented in court. Additionally, all evidence collection tools and processes should be properly documented to establish the reliability of the evidence.

Authenticity is another concern when collecting evidence. It is important to establish the origin and source of the evidence to ensure its credibility. This can be achieved by using trusted and validated forensic tools and techniques to collect the evidence. Documentation of the collection process, including the time, date, and individuals involved, is also necessary to validate the authenticity of the evidence.

Confidentiality is crucial in handling evidence to protect the privacy and rights of individuals involved. Proper security measures must be implemented to ensure that the evidence is securely stored and accessed only by authorized personnel. This includes encryption of sensitive data, secure storage facilities, and restricted access controls.

To preserve the state of the evidence, precautions need to be taken to prevent any changes or modifications to the evidence. This includes creating a clone or image of the original evidence rather than working directly on the original. Any analysis or examination should be performed on the cloned or imaged evidence to preserve its integrity. Proper documentation should also be maintained to record any actions taken on the evidence and to ensure reproducibility.

Ensuring that evidence remains in its initial state involves maintaining the chain of custody throughout the entire process. This includes documenting the transfer of custody of the evidence from one individual to another, ensuring that proper controls and security measures are in place during transportation or storage, and maintaining a log of all activities related to the evidence.

To ensure that evidence is admissible in court, certain information must be recorded and certain procedures followed. This includes properly documenting the evidence collection process, including the time, date, and individuals involved, as well as the tools and techniques used. The evidence should be properly preserved, stored securely, and protected from any unauthorized access or tampering. The CSIRT policy should outline the procedures and guidelines for evidence handling to ensure compliance with legal requirements and to establish the admissibility of the evidence in court. Additionally, CSIRT members should be trained on legal considerations and requirements for evidence collection and handling.

In conclusion, the CSIRT policy on evidence collection and handling should address the main concerns of integrity, authenticity, and confidentiality of the evidence. Precautions need to be taken to preserve the state of the evidence and ensure its admissibility in court. Proper documentation, chain of custody procedures, and adherence to legal requirements are essential in collecting and handling evidence.
