Building a forensics investigation and e-discovery readiness plan

By Virginia Lawyers Weekly
Published: July 20, 2009

The ubiquity of corporate data presents cyber security challenges and threats. Most organizations are now required to comply with various regulations and requirements – Sarbanes-Oxley (SOX), GLBA, HIPAA, SEC rules, PCI and so forth – to reduce some of the business risks stemming from cyber crimes. Moreover, the recent amendments to the Federal Rules of Civil Procedure address the discovery of electronically stored information (ESI). Organizations with a forensics investigation and e-discovery readiness plan (FIERP) are better positioned to quickly and cost-effectively find and produce the necessary ESI during litigation, and to respond better to cyber attacks and corporate investigations.

This article suggests a process for getting an organization ready for computer forensics investigations and e-discovery requests. By following these suggestions, you can establish a capability to securely gather legally admissible evidence, conduct digital investigations and produce ESI promptly to avoid adverse court rulings.

Form a Forensics Investigation and e-Discovery Team (FIET). A FIET should be formed under the oversight of a FIET manager. The team should include key company personnel from legal, human resources, compliance, privacy, records management, disaster recovery, the backup team, computer security, incident response and forensics, plus outside consultants where needed. Including members from various parts of the organization provides good insight into the location of potentially relevant electronic documents and where digital evidence might reside.

Get a firm grip on your data. Without a thorough knowledge of the data the organization collects or processes, and of where these crown jewels are stored, any attempt to formulate an e-discovery or forensics readiness plan, conduct an investigation, or respond to e-discovery requests can become a cost-prohibitive endeavor. If a central inventory of this data doesn't already exist, one should be created and continuously updated.

Create a repository of data custodians and storage locations. Corporate data may be stored in email servers, web servers, database servers, employees’ desktops, personal laptops, PDA devices, backup tapes, removable media and off-site storage locations. For each type of corporate data, the storage location and data custodian must be identified and documented. This repository or inventory can be as complex as a database or as simple as a spreadsheet that is maintained and kept updated by the FIET manager or their designee.

Establish a data collection and logging policy. A data logging policy should establish the types of data to store and for how long, as dictated by business, regulatory or legal requirements. Certain system log information may be collected for root-cause analysis, after-the-fact forensics investigation, or live incident response.

Institute a data retention plan and policy. Data retention policies address the need to maintain information in an organization’s possession for a period of time, depending on the type of data and the business, legal or regulatory requirements. Clear written policies and procedures should be developed, taking into account procedures that address the creation, retention, retrieval, archival and destruction of the information at stake.

Build and equip a forensics investigation lab. Once the team is established and there is a firm grip on the data, secure an environment for conducting investigations. Among the many activities that need to take place are identifying a facility in which to conduct investigations, determining the tools that may be used, deciding what personnel will staff the lab and what testing may be needed.

Obtain a facility to conduct investigations. A critical part of the FIERP is to create a lab environment where investigations can be conducted. This lab may be an entire building or part of a building that is sectioned off and secured, with strong access control and entry granted on a need-to-know basis. These decisions will vary with the size of the organization and will largely be cost driven.

Acquire investigative tools and technologies for the lab. Tools and technologies for evidence or data collection/acquisition, analysis, processing and reporting are crucial. The tools selected should support multiple platforms such as mainframe, Unix, Windows and Mac OS, and should include handheld device forensics, computer forensics, e-discovery and incident response tools.

Test and validate the tools. Before investigative tools are purchased, they should be tested to ensure that they work in the target environment. They should also be validated, before an actual investigation occurs, to ensure that the technologies used for collection, investigation and analysis preserve the integrity of the data: a tool that silently alters or incompletely copies evidence undermines admissibility no matter how capable its analysis features are.
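The integrity check that tool validation is meant to protect is, at bottom, a hash comparison: an acquired image is hashed at acquisition time, the digest is recorded apart from the image, and every later copy or analysis step is re-hashed against that record. The script below is an added example (it is not code from the article or from NetSecurity Corporation) showing that discipline end to end: it validates the hashing routine against a published SHA-256 test vector before trusting it, records an acquisition manifest, and then shows that a single flipped byte is caught on re-verification. The image, manifest field names and custodian value are all constructed for the example.

```python
"""Evidence integrity verification for a forensics readiness lab (added example).

Validate the hasher against a known test vector, hash an acquired image,
record a manifest, and re-verify later. All file content here is constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream large images in 1 MiB pieces instead of loading them whole

# Published SHA-256 test vector for the ASCII string "abc" (FIPS 180-2, appendix B.1).
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, reading it in chunks so multi-GB images fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def validate_hasher():
    """Tool validation step: confirm the hashing routine reproduces a known vector.

    Run this before the tool is used on real evidence, and keep the result with
    the lab's validation records. Returns True when the digest matches.
    """
    workdir = tempfile.mkdtemp()
    vector_file = os.path.join(workdir, "vector.bin")
    with open(vector_file, "wb") as f:
        f.write(b"abc")
    return hash_file(vector_file, "sha256") == SHA256_ABC


def record_acquisition(image_path, manifest_path, custodian, algorithm="sha256"):
    """Hash the image immediately after acquisition and write a manifest entry.

    The manifest is what later checks are compared against, so in practice it is
    kept apart from the image (write-once media or a separate system).
    The field names below are this example's own, not a standard format.
    """
    entry = {
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "algorithm": algorithm,
        "digest": hash_file(image_path, algorithm),
        "custodian": custodian,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(manifest_path, "w") as f:
        json.dump(entry, f, indent=2)
    return entry


def verify_image(image_path, manifest_path):
    """Re-hash the image and compare with the manifest. Returns (ok, detail)."""
    with open(manifest_path) as f:
        entry = json.load(f)
    size = os.path.getsize(image_path)
    if size != entry["size"]:  # cheap check first; a truncated copy fails here
        return False, "size mismatch: manifest %d, file %d" % (entry["size"], size)
    digest = hash_file(image_path, entry["algorithm"])
    if digest != entry["digest"]:
        return False, "%s mismatch: manifest %s, file %s" % (entry["algorithm"], entry["digest"], digest)
    return True, "integrity verified"


def demo():
    """Acquire a constructed 'image', verify it, flip one byte, verify again.

    Returns (clean_ok, tampered_ok); expected (True, False).
    """
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "disk0.dd")  # constructed sample, not a real disk image
    manifest = os.path.join(workdir, "disk0.manifest.json")
    with open(image, "wb") as f:
        f.write(b"\x00" * 4096 + b"SAMPLE-SECTOR-" * 64 + os.urandom(8192))
    record_acquisition(image, manifest, custodian="example custodian")
    clean_ok, _ = verify_image(image, manifest)
    # Simulate a one-byte change, e.g. an analyst mounting the image read-write by mistake.
    with open(image, "r+b") as f:
        f.seek(4100)
        original = f.read(1)
        f.seek(4100)
        f.write(bytes([original[0] ^ 0x01]))
    tampered_ok, _ = verify_image(image, manifest)
    return clean_ok, tampered_ok


if __name__ == "__main__":
    print("hasher validated:", validate_hasher())
    print("clean, tampered:", demo())
```

The size check before the hash is deliberate: it catches a truncated copy cheaply, but it is never sufficient on its own, since a same-size edit (the flipped byte in `demo`) only shows up in the digest. Hashing a second algorithm (for example MD5 alongside SHA-256) is common in lab SOPs so that the record can be compared against tools that only report one of them.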

Train the investigation and e-discovery team. Employees who are responsible for collecting, processing and analyzing evidence should be trained continuously, especially on how to collect particular types of evidence, on investigating emerging attacks and on new hacking techniques.

Create standard operating procedures (SOPs). Standard operating procedures need to be developed as part of the FIERP. SOPs define the steps employees are to follow to carry out a specific investigative task, so that errors are minimized and a repeatable, defensible process can be shown to have been followed. These procedures should describe how requests for investigation or e-discovery are to be initiated, how evidence is to be collected and its chain of custody documented, how data are to be analyzed and how reports are to be produced.

Test and rehearse the plan. One of the best ways to gauge whether your plan works is to test it before it is needed in a real-world scenario. Creating scenarios for e-discovery requests, litigation holds or computer intrusions is suggested, to demonstrate how the organization responds to investigations and to test employees' awareness of the FIERP.

Conduct FIERP awareness campaign and training. A well-developed plan will serve no useful purpose unless it is clearly communicated to stakeholders, employees or parties to whom the plan applies. Employees should receive training on incident recognition, security awareness, applicable laws, litigation holds, e-discovery requests, and their roles in ensuring that the organization implements the FIERP and cooperates with any investigation.

Update the FIERP. The FIERP should be a living document; evaluation and revision are critical to its viability. The results of testing and scenario role-playing should be documented and incorporated as necessary so that the FIERP reflects the current state of the organization and its processes.


Inno Eroraha is the president and chief forensics investigator of NetSecurity Corporation (http://NetSecurity.com), a company that provides digital forensics, hands-on security consulting and Hands-On How-To® training solutions that are high-quality, timely and customer-focused. He can be reached at Inno@NetSecurity.com or (703) 444-9009.


© Copyright 2010 Virginia Lawyers Media. All Rights Reserved.