Adding Forensics to Incident Response

Recognizing the importance of forensics in incident response is a necessary first step. But this realization still leaves the question of how to implement proper forensic procedures. There are specific steps that an IT department can take to intertwine forensic techniques with the company’s incident response policies.

Forensic Resources

The first step is to identify forensic resources that the organization can utilize in case of an incident. No amount of policy change will be effective if the company does not have access to forensically trained individuals. One approach an organization can take is to get basic forensic training for its own IT security staff. Many computer-related college degrees now include forensic courses, and most security-related degrees include at least an introductory forensic course. If no one on the company’s IT security staff has had such training, it may be helpful to send staff members to be trained in computer forensics and perhaps to obtain one of the major forensic certifications.

Another option the organization can pursue is to identify an outside party that can respond to incidents with forensically trained personnel. In this case, part of incident planning would involve ensuring there is an agreement in place with a reliable forensic company or individual consultant. If this is the option an organization wants to pursue, it is critical to ensure that the company or individual has both an appropriate level of competency and the resources to respond to incidents.

Forensics and Policy

Once appropriate forensic resources have been identified, forensic methodology must be interwoven into the incident response policy for the organization. This means that all policies regarding disaster recovery and incident response will need to be updated.

The purpose of updating policies is to ensure that, in the process of recovering from an incident or disaster, evidence is not destroyed and that the procedures which protect the integrity and chain of custody of that evidence are followed. For example, the policy regarding how to handle a malware infection would be modified so that as soon as the infection was contained, at least one infected machine would be imaged for forensic evidence prior to the eradication of the malware. In the case of external intrusions, the policies would be changed to preserve all logs prior to full recovery.
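As an added example (not code from the book) of the log-preservation step the policy above calls for, this Python snippet copies logs into an evidence directory before recovery begins, records a SHA-256 hash of each copy in a manifest, appends a chain-of-custody entry, and lets the analyst re-verify the copies later; the sample log line, handler name and case identifier are constructed placeholders.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Stream the file through SHA-256 so large logs or images are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_logs(log_paths, evidence_dir, handler, case_id):
    """Copy each log into evidence_dir, hash the copy, write a manifest and a custody entry."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = {"case_id": case_id, "collected_by": handler,
                "collected_at": datetime.now(timezone.utc).isoformat(), "items": []}
    for src in log_paths:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 keeps the original file timestamps
        digest = sha256_file(dst)
        if digest != sha256_file(src):  # the preserved copy must match the original
            raise RuntimeError(f"copy of {src} does not match the original")
        manifest["items"].append({"source": src, "stored_as": dst, "sha256": digest})
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    with open(os.path.join(evidence_dir, "custody.log"), "a") as f:  # who took what, when
        f.write(f"{manifest['collected_at']} {handler} collected {len(log_paths)} item(s) for {case_id}\n")
    return manifest

def verify_evidence(evidence_dir):
    """Re-hash every stored item; returns the paths whose hash no longer matches the manifest."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [i["stored_as"] for i in manifest["items"] if sha256_file(i["stored_as"]) != i["sha256"]]

def demo():
    """Constructed walk-through: preserve a sample log, then alter the stored copy."""
    work = tempfile.mkdtemp()
    log = os.path.join(work, "auth.log")
    with open(log, "w") as f:  # constructed sample log line, not real data
        f.write("Jan 01 00:00:01 host sshd[1]: Failed password for root\n")
    evidence = os.path.join(work, "evidence")
    manifest = preserve_logs([log], evidence, "analyst-1", "CASE-0001")
    before = verify_evidence(evidence)
    with open(manifest["items"][0]["stored_as"], "a") as f:
        f.write("altered\n")
    return before, verify_evidence(evidence)  # ([], [<path to stored auth.log>])
```

Calling `demo()` shows the verification passing right after collection and failing once the stored copy is modified, which is the property the custody record is meant to back up.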

It is likely that even if the IT security staff is not trained specifically in forensics, they have some basic knowledge of the field. The reason is that many security textbooks now include at least a chapter on basic forensics. Most of the general computer security certifications, such as CompTIA Security+ and CISSP, also include sections on basic forensics. Even if your staff lacks the appropriate training to perform a forensic investigation, they should be trained well enough to know how to preserve evidence.
