Guidance:
When there is a computer-related security breach, the machine itself may contain evidence that might be useful if any legal action is pursued. Procedures should be in place to ensure that the evidence is not corrupted. The dilemma in this situation is whether the company preserves the evidence or just fixes the problem. Company officials are caught between trying to become fully operational as quickly as possible and preserving evidence in the event that it is required. The decision will depend on a number of factors including (but not limited to) the severity of the incident, what systems are affected (i.e., whether the systems support core operations), and whether any legal ramifications will result from the security incident. Ideally, the company should have some criteria for this decision, similar to the classification scheme used in classifying the incident. In addition, it is critical to assemble the right team of people who can quickly come to a sound decision.
Risk:
If the company is seeking legal action, the evidence must be carefully preserved. If it is not carefully preserved, it has limited value in the legal action.
Client Response:
10. Depending on the nature of the investigation, does the company engage the appropriate security experts to investigate incidents?
Guidance:
Depending on the company, there may or may not be personnel who are qualified to handle an investigation resulting from a security incident. Larger companies may have someone appropriate on their staff or they may even have a security group that only handles investigations. In smaller companies, this is less likely. In any case, companies should have access to qualified individuals to perform investigations as needed. Sometimes, this might mean calling on external resources.
Risk:
Having unqualified people perform the investigation could result in a botched investigation where evidence might be corrupted and recourse might become impossible. Any legal action might also become more difficult.
Client Response:
11. Is there a process in place for an investigator to obtain administrator access to a machine in a timely fashion if required for an investigation?
AU1706_book.fm Page 357 Wednesday, July 28, 2004 11:06 AM