In-Depth

Forensic Contingency Planning: Where to Start

A forensic readiness program helps a company protect its assets and know when they’ve been compromised.

• By Mathew Schwartz
• 10/25/2005

Does your organization have a digital forensic evidence-gathering plan?

Such evidence is essential for investigating information-security breaches. In general, it’s also “a significant means of reducing risk” to the business, notes Pauline Neville-Jones, chair of the Information Assurance Advisory Council (IAAC), a private group composed of corporate leaders, public policy makers, law enforcement experts, and security researchers.

According to the IAAC, “organizations and individuals currently have little idea how to collect and preserve evidence from computers and the Internet.” The resulting lack of evidence makes it difficult for companies or law enforcement agencies to pursue criminals in court, or for companies to receive proper compensation from insurers.

To help, the IAAC released a new report, “Directors and Corporate Advisors’ Guide to Digital Investigations and Evidence,” written by Peter Sommer, a senior research fellow at the London School of Economics. In the report, Sommer advocates organizations maintain a forensic readiness program, and details how organizations should gather and preserve evidence. He notes the limitations of surveillance, which laws companies must beware of, and exactly how evidence-gathering fits into a security incident-response plan.

Creating a Forensic Readiness Program

A forensic readiness program helps organizations retain and process any data they might need to investigate breaches, assist in criminal cases, or solve legal disputes. Creating such a program doesn’t require training and retaining a crack staff of digital forensics experts. “Most businesses and individuals don’t need to have on their staff a digital Sherlock Holmes, but they should have plans to identify and preserve important digital evidence such as e-mail, Web transactions, PCs, PDAs, and cell phones, and have a broad understanding of some of the associated legal problems such as admissibility and privacy,” says Sommer.

Another reason to have a forensic program is that organizations are sometimes required to produce digital evidence, regardless of whether they have a well-functioning forensic program in place. In fact, “nearly all organizations underestimate how often they may be called on to produce reliable evidence of what has happened in and around their information and communication technology systems,” he says. “They also underestimate the demands that the legal system makes in terms of ensuring the admissibility and reliability of digital evidence.” The failure or inability to comply with such requests “can have a profound impact on business welfare.”

Safeguarding Intangible Assets

Today, information security breaches are “commonplace, high-frequency events,” notes Sommer, so it’s surprising that while many organizations don’t have forensic plans, they do “have in place contingency plans for low likelihood/high impact events” such as fires or natural disasters.

Furthermore, the impact of information-security breaches is only increasing. For example, as Neville-Jones notes, “the nature of company assets is changing from purely tangible ones to include more intangible assets.” Those intangible assets include “knowledge, intellectual property, electronic processes, electronic supply chains, customer databases, and electronic order books.” If those intangible assets are compromised by someone with malicious intent, an organization can suffer an ongoing loss of business, face regulatory penalties, or worse.

A forensic readiness program, then, helps a company not only protect its assets, but also know when they’ve been compromised. Management can then take appropriate steps to fix the damage, apply for compensation, and so on.

Even so, don’t mistake forensic readiness for proper prevention. From the get-go, companies need to inform employees about “how their individual actions can affect computer security,” says Neville-Jones. Furthermore, “computer policies need to be kept up to date and be well communicated,” she says, plus “everyone in any organization needs to appreciate the potential damage to brand value that can go well beyond the purely financial losses associated with computer crime.”