The national Scot-Secure Summit is the largest annual Cyber Security Conference in Scotland: the event brings together senior IT leaders and Information Security personnel, providing a unique forum for knowledge exchange, discussion and high-level networking.
The Summit is organised by DIGIT, with support from ScotlandIS, Police Scotland, SBRC, The Cyber Academy and ISACA. The conference programme is focussed on promoting best-practice cyber security; looking at the current trends, the key threats - and offering practical advice on improving resilience and implementing effective security measures.
OFFICIAL: NONE
5. Agenda
1. Police Scotland's role
2. A more resilient Scotland
3. Challenges & Threats
4. Cybercrime Capability Programme
5. Incident Planning & Response
6. Collaboration
6. Cybercrime – it’s our job
Police & Fire Reform (Scotland) Act 2012
• To prevent & detect crime
• To maintain order
• To protect life & property
• To take such lawful measures, and make such reports to the appropriate prosecutor, as may be needed to bring offenders with all due speed to justice
• Where required to serve and execute a warrant, citation or deliverance issued, or process duly endorsed, by a Lord Commissioner of Justiciary, sheriff, justice of the peace or stipendiary magistrate in relation to criminal proceedings
and
• To attend court to give evidence
9. So what are the challenges/threats?
• Global, international, industrial & automated
• Jurisdictional reach
• Increased criminal opportunities
• Anyone can be (or hire) a cyber criminal!
• Lack of clear & concise statistical data
• Underreporting
• Technological advances provide opportunities but also increase the threat of cybercrime – the ‘Internet of Things’
• Social media as an attack vector
• Data Analytics
• Disaster Recovery & Business Continuity
13. Feezan Hameed
• £60 - £113 million Frauds
• Vishing / Social engineering of Banking customers.
• Data acquired including account details/passwords.
• Money transferred online – mule account networks.
• UK wide investigation
• Numerous UK Law Enforcement agencies.
• Arrested in Paris on false passport
• Convicted and sentenced to 11 years imprisonment
21. Digital Transformation:
• A key challenge for Police Scotland
• Pace of change will increase and accelerate
  – Empowering our staff to be agile and innovative.
  – Ensuring our staff are informed and appropriately trained.
• How to win public and political confidence – values endure
  – Ethics, Proportionality, Transparency
Our ability to respond to technology determines our capabilities, which determine effectiveness and improve delivery and service!!
22. CyberCrime Capability Programme Vision
Our People are equipped with the knowledge and capability and our infrastructure designed to deliver an excellent service to all our communities in support of digital, technological and cyber advances.
23. What we will do ……
• Digital Knowledge and Skills: Digital and technological investigative capability will be enhanced by delivering a workforce with the skills & knowledge to ensure that we are appropriately equipped to provide investigative services when tackling any crime with a digital, technological or CyberCrime facet
• Digital Investigative, Intelligence and Analytical Capacity and Capability: Enhanced Management Information and Threat Assessment to augment effective decision making within PSOS by providing an improved intelligence and analytical capability, current demand analysis and opportunities to exploit the criminal digital footprint
• Digital Safety, Prevention and Resilience: Improved safety/prevention/resilience service to all Scottish communities to support victims and potential victims of CyberCrime. PSOS will be a Public Sector Cyber Catalyst in proactively communicating the Scottish Government Cyber Resilience message
• Digital Forensic Services: Improved quality of digital forensic services as a result of investing in the capability and capacity required to keep pace with digital, technological and CyberCrime advances
24. The story so far….
• Forensic Telephony Extractions - Kiosks
• Data Exploitation - Nuix
• Integration - Digital Forensic Hubs
• Increase in specialist Cyber resources
• Established Cybercrime Safety, Prevention & Resilience Unit
• Technical Surveillance for the 21st Century – TS21C
25. Scotland’s Cyber Eco System (diagram)
Map of people/organisations, functions/initiatives, committees and vision/strategy across Police Scotland, Scottish Government, UK Government and other law enforcement agencies, academia, industry and other sectors, and the third sector, spanning education, prevention, enforcement, training and cyber incident response.
26. Thank you for listening
Thank you for listening
Any Questions?
Nicola.Burnett@scotland.pnn.police.uk
DigitalTechReview@scotland.pnn.police.uk
33. THE CURRENT LANDSCAPE
• Attacks are on an exponential rise
• Attackers are getting more and more sophisticated
• Nation States / APT
• Zero days galore
• It is a matter of WHEN not IF
35. BUT IS IT REALLY?
• 99.9% of attacks are not super sophisticated nation state zero day mega attacks
• Most attacks are generic, not targeted
• Most attacks are avoidable, and easily defensible
• You don’t need to purchase next, next, next generation magic beans!
36. SO WHAT IS THE TRUTH?
• Most organisations are really bad at the basics
• Most foundations are weak, leading to easy compromise
• Attackers, believe it or not, like the easy route. It is the path of least resistance, the most cost effective, and hey it works!
• Because most organisations are rubbish at the basics
37. WHAT DO I MEAN?
• Policies, written in the ivory tower, with no business or customer empathy, that frankly nobody reads, let alone adheres to
• What does my network look like? Which one?
• Firewalls with so many rules there is almost no point having them
• Completely flat architectures, putting data at risk
• Admins with internet access
• Unknown number of assets and people vs reality
• Once a year Security Awareness CBT nonsense
• Maybe some monitoring, maybe some of the right things, maybe some actual logs. Doubt it though
• It’s an open door to an attacker! Of any kind!
38. SO WHAT’S THE ANSWER?
• Back to basics, the stuff you’ve been saying you’ve been doing for years. Probably badly.
• It’s time to do things differently.
• Recognising that controls are only effective when business focused and within business operation.
• Give yourself breathing space, start with external firewalls.
• Come down from the ivory tower and into the customer base.
• Encryption isn’t the only answer! And sometimes not a good one!
IT IS HARD THOUGH. IF IT WAS EASY WE’D ALL BE BETTER AT IT!
39. MOST OF ALL
• Don’t believe the hype of the industry!
• It is predicated on FEAR, because FEAR sells. FEAR = MONEY
• Basic security foundations
• It’s not all zero day and super sophisticated nonsense!
• It is basics! Basics done badly leaves gaping holes. I don’t need to be super sophisticated to go through an open door.
• Stop chasing buzzwords, like AI, BigData, IoT, whatever!
40. NOW?
• Check the rules on your external firewalls.
• 80 / 443 / 25 / 53 / DONE!
• Find out whether your admins have internet access!
• Use things like GDPR to help you. TOMS anyone?
• Security is a business wide responsibility, starting with the board.
• Use your inevitable ‘Digital Transformation’.
• Most of all, be honest with yourselves!
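The "check the rules on your external firewalls" point as a script, added here as an example and not part of the talk: it parses a constructed iptables-save style INPUT chain and reports ACCEPT rules admitting ports outside the 80/443/25/53 allow-list, rules with no port restriction at all, and exact duplicates (the "so many rules" problem). The sample ruleset, the allow-list constant and the function names are assumptions made for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Inbound ports the talk treats as the expected external allow-list.
ALLOWED_PORTS = {80, 443, 25, 53}

# Constructed sample ruleset in iptables-save syntax; not taken from any real system.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 203.0.113.10 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
COMMIT
"""


@dataclass(frozen=True)
class Rule:
    chain: str
    proto: Optional[str]
    dport: Optional[int]
    source: Optional[str]
    stateful: bool      # matches on connection state rather than on a port
    target: str
    raw: str


RULE_RE = re.compile(r"^-A\s+(\S+)(.*?)-j\s+(\S+)\s*$")


def parse_rules(text: str) -> list[Rule]:
    """Parse '-A <chain> ... -j <target>' lines; table, policy and COMMIT lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        chain, opts, target = m.groups()
        proto = re.search(r"(?:^|\s)-p\s+(\S+)", opts)
        dport = re.search(r"--dport\s+(\d+)", opts)
        source = re.search(r"(?:^|\s)-s\s+(\S+)", opts)
        rules.append(Rule(chain,
                          proto.group(1) if proto else None,
                          int(dport.group(1)) if dport else None,
                          source.group(1) if source else None,
                          "--ctstate" in opts,
                          target, line.strip()))
    return rules


def audit(rules: list[Rule], allowed=ALLOWED_PORTS, chain="INPUT") -> dict[str, list[str]]:
    """Flag ACCEPT rules that admit more than the allow-list, plus exact duplicates."""
    findings = {"unexpected_port": [], "any_port": [], "duplicate": []}
    seen = set()
    for r in rules:
        if r.chain != chain or r.target != "ACCEPT":
            continue
        key = (r.proto, r.dport, r.source, r.stateful)
        if key in seen:
            findings["duplicate"].append(r.raw)   # dead weight that hides the real rules
        seen.add(key)
        if r.stateful:
            continue                              # return traffic for already-allowed sessions
        if r.dport is None:
            findings["any_port"].append(r.raw)    # no port restriction at all
        elif r.dport not in allowed:
            findings["unexpected_port"].append(r.raw)
    return findings


if __name__ == "__main__":
    for kind, lines in audit(parse_rules(SAMPLE_RULES)).items():
        for raw in lines:
            print(f"{kind}: {raw}")
```

A source-restricted rule (the port 22 line) is still reported, since the point of the check is to make every exception visible and justified rather than to decide on its own.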
44. LISA FORTE
UK Counter Terrorism Intelligence Services
South West Police Cyber Crime Unit
Red Goat Cyber Security, Partner
Social Engineering Training
Cyber Attack Response Simulation
Social Engineering Pen Test
Enhanced Vulnerability Assessments
Penetration Testing
45. SOCIAL ENGINEERING VECTORS
Phishing
Vishing
Impersonation
Smishing
49. Lessons to Learn
Have a plan and test it
Review online information
Share Intelligence
Stop social media access on work devices
Test your staff & security
Invest in good training
50. CONTACT US
Red-Goat.com @RedGoatCyber
info@red-goat.com
linkedin.com/in/lisa-forte/
77. Success in the digital era is dependent on an organisation’s ability to simultaneously create and protect competitive advantage.
79. Your cybersecurity strategy needs to be:
- holistic across this new ecosystem
- integrated with business strategy
- culturally-relevant
- agile
82. 1. Companies are leaving value on the table as well as putting operations at risk by treating cybersecurity as an add-on, as opposed to a central tenet integrated at every level.
2. Competitive advantage comes from the unique layering of your business strategy with Cyber Security, underpinned by IT Best practice, a primed culture, and operational efficiency.
83. The breadth and depth of the challenge calls for leaders in Cyber, in IT overall, who can operate as master change agents. They will need to drive the creation of a cohesive set of new business-relevant capabilities. Cyber is the nervous system running through all of it.
85. 1. Correct Assessment of the Threat Environment
Knowing and surveying your unique place in the continually evolving threat environment allows you to adapt, change, and react at speed.
87. 2. Full Visibility of the Digital Ecosystem
True digital situation awareness is becoming more achievable with:
• Internal Cybersecurity approaches using the newer ‘next generation’ technologies
• End-to-end (E2E) visibility across your value chain
89. 3. Converge IT/Business/Cyber Strategy
The convergence of the Business, Digital, and Cyber Strategy requires all business functions working together in new ways. A continual and agile approach to strategy and business planning, that is integrated and holistic.
91. 4. Engagement and Partnering Capability
Cybersecurity can no longer be the concern of IT; it needs to be everyone’s business. Connecting with, working in, and developing trusted relationships across your organisational ecosystem is critical.
93. 5. Team Culture Primed for Change
Culture eats strategy for breakfast… even your cybersecurity strategy.
Harness culture for change, for security, and for growth.
95. Additional Questions
– How well do you include cybersecurity planning in your overall organizational strategic planning process?
– How well do you ensure alignment between your cybersecurity planning and your organization’s overall strategic planning?
– How does your strategy development process stimulate and incorporate innovation in cybersecurity policies and operations?
– How well and often do you collect and analyze relevant data and develop information on cybersecurity for your strategic planning process?
– How do you decide which key cybersecurity processes will be accomplished by your workforce and which by external suppliers and partners?
– What are your organization’s key cybersecurity-related strategic objectives and timetable for achieving them?
– How do your organization’s key cybersecurity-related strategic objectives align with your organization’s overall strategic objectives?
– How well do your strategic objectives achieve appropriate balance among varying and potentially competing cybersecurity needs, customer and stakeholder requirements, and business objectives?
98. Agenda
> About me
> About easyJet
> Challenges for information security
> So how did we do it?
> Success factors
> Closing
99. About me
> Background in Internal Audit and Risk Management
> Specialising in Information Security since 2013
> Currently at easyJet in the Information Security Governance, Risk and Compliance team
@magsdj
100. About easyJet
Vision: to be Europe’s leading short-haul airline, making travel easy and affordable for both leisure and business travellers.
104. Information Security for all functions
> Training and awareness requirements:
▪ Training tailored to job function
▪ Delivery method relevant to job function
▪ Timing – all at the same time? In phases?
▪ Employee stakeholder requirements (workers councils, unions)
> Understanding the business
▪ What does each function need from InfoSec?
▪ Unique requirements? Communication, sharing data with partners
▪ Where are the risks?
> Challenges
▪ Diverse workforce
▪ Diverse working patterns & schedules
▪ Diverse employee contracts
▪ Third party partners – Ground operations, Call centres
▪ Regulatory obligations
105. So how did we do it?
> Representative in each team / function who acts as an InfoSec Champion
> Our Champion to the business
▪ encouraging training
▪ contact person for queries
▪ Help with our communication strategy
> Business team’s Champion to InfoSec
▪ Come with questions
▪ Identify new requirements where InfoSec can help
▪ Reporting problems / incidents
106. Success factors (1)
> Identify key stakeholders, and get their buy in first
> AMB was asked to nominate champions
> Clear charter / roles and responsibilities for champions – what’s in it for you?
> Monthly meetings, structured format
> Use of technology to include geographically diverse Champions
> Resource website for Champions to use including FAQs, example goals for performance management, hints & tips, and contact details
107. Success factors (2)
> Measuring success:
▪ Successful projects e.g. annual awareness drive; November InfoSafe month; GDPR; Personal drive clean up
▪ KPIs for InfoSec team
▪ 2 way communication with champions – we continually ask how to improve the programme and implement their ideas
▪ InfoSec attending business team meetings and stand-ups
> Plans for the future:
▪ More champions!
▪ Additional training and opportunities for Champions
▪ Champions to help deliver new technology projects
108. Summary
> In a complex environment, a traditional approach is doomed to fail
> Engage the right stakeholders from the start
> Don’t just transfer work; make it worth it for the Champions
> This is our approach – but will it work for you?
113. The views and opinions expressed in this presentation and on the following slides are solely those of the presenter and do not contain nuts. Do try this at home. Do not operate heavy machinery within 200m of this talk. Please direct all complaints and legal queries to: Donald Trump, The White House, 1600 Pennsylvania Avenue NW, Washington DC 20500, United States of America
142. ACTION ITEMS
1. Add 1 business leadership source to your news feed
2. Take a manager out for coffee
3. Drop “should” from your vocabulary
4. Start a Risk Metrics menu
143. JORDAN M. SCHROEDER, CISSP, CISM
• Managing CISO, UCSS
• Security.StackExchange.com Moderator
• Author of Advanced Persistent Training
174. EXPLOITING TRUST – HUMAN
• People share WAY too much
• Sometimes it’s too easy, people circumvent the rules
• What hasn’t been done?
• Tenders, job adverts etc
• Trust but verify
178. BLACKHAT REPORT – 2017
• 81% of hackers could identify and exfiltrate data in less than 12 hours
• 75% of the time organisations only focus on critical and high vulnerabilities after a pen test
• 64% of hackers frustrated that organisations don’t fix the things they knew were broken
• 84% of hackers used social engineering as part of their attack strategy
180. THE EASY
• Google research showed 48% plugged in
• First one took 6 minutes
• 68% wanted to return the USB to the rightful owner
• Some of them just wanted a new USB stick
182. Who are Sapphire
GDPR
Insider Threat
Risk Management
Forensic Readiness
ISO27001 Fundamentals
ISO27001 Internal Auditors
Cyber Security for Executives
Cyber Security Fundamentals
Business Continuity Planning Exercises
Business Continuity Planning Fundamentals
Certified Information Security Managers (CISM)
Certified in Risk & Information Systems Controls (CRISC)
184. Digital Forensic Readiness Planning
Digital Forensic Readiness Planning: Proactive planning for a digital investigation of admissible evidence; related monitoring processes, collection processes and capabilities; storage requirements and costs.
Digital Forensic Investigation and Examination: The goal of computer forensics Investigation and Examination is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analysing and presenting facts and opinions about the digital information.
185. Digital Forensic Readiness Planning – History
Following some of the major financial scandals of the late 1990s and early 2000s, new strands of legislation and regulation impose on businesses the requirement to produce and preserve a wide variety of business records.
Examples: Evan Dooley, Nick Leeson, John Rusnak; Security Breaches
189. Digital Forensic Readiness Planning
Example of Benefits:
• Investigation of major incident
• Defence against lawsuits
• Evidence to resolve a commercial dispute
• Deterrent to insider threat attacks
• Prove violation of a Corporate Policy
• Demonstrate regulatory requirements have been met
• Reduce the time and costs of an investigation
• Demonstrates corporate governance of information assets
190. Digital Forensic Readiness Planning
Objectives:
1. To gather admissible evidence legally
2. To gather evidence targeting the potential crimes and disputes that may adversely impact on the organisation.
3. To allow investigations to proceed at a cost in proportion to the incident
4. To minimise interruption to the business from any investigations
5. To ensure that the evidence makes a positive impact on the outcome of any legal actions
191. Digital Forensic Readiness Planning – 10 Steps (diagram)
Scenario Driven; Identify Sources; Collection Requirements; Legally Admissible; Forensic Readiness Policy; Monitoring; Escalation Process; Staff Training; Documenting Case; Legal Review
192. Step 1: Define the Business Scenarios that require Digital Evidence
Digital Forensic Readiness - Examples (Scenario Driven / Identify Sources)
• Threats and extortion
• Information compromise
• Accidents and negligence
• Stalking and harassment
• Commercial disputes
• Intellectual Property rights infringement
• Economic crime
• Email, internet or social media abuse
• Employee disciplinary issues
• Contractual disputes
• Unauthorized access by employees
• Malware
• Hacking
• Theft of computer resources
• Failure of computer systems
• Privacy invasion and identity theft
193. Step 1: Define the Business Scenarios that require Digital Evidence
Digital Forensic Readiness - Examples (Scenario Driven)
Risk Assessment: Business Scenarios / Threats / What do they want?
• Money
• Information
• Disruption
• Fun
• Competitive advantage
• Revenge
• Discredit the brand
194. Step 2: Identify available sources and different types of potential evidence
Digital Forensic Readiness Planning – Identify Sources
• Email, instant messaging, web-based email, chat rooms, newsgroups, social media etc.
• System and management files
• Equipment such as routers, firewalls, servers and workstations.
• Monitoring software such as intrusion detection software, packet sniffers, keyboard loggers
• CCTV, door access records, phone logs
• General logs such as access logs, printer logs, web traffic, internal network logs, internet traffic, database transactions, commercial transactions etc.
• Portable devices
• Application software
• Back-ups and archives.
195. Technology Challenges
Digital Forensic Readiness – Identify Sources
• BYOD (PCs, Phones, Tablets etc)
• Social Media
• CCTV
• VOIP
• Cloud
• IOT
196. Step 3: Determine the evidence collection requirement
Digital Forensic Readiness
• Where is data generated?
• What format is it in?
• How long is it stored for?
• How is it currently controlled, secured and managed?
• Who has access to the data?
• How much is produced?
• Is it archived? If so where and for how long?
• How much is reviewed?
• What additional evidence sources could be enabled?
• Who is responsible for this data?
• Who is the formal owner of the data?
• How could it be made available to an investigation?
• What business processes does it relate to?
• Does it contain personal information?
(Diagram: Scenarios and Available sources feed the Evidence Collection Requirement, subject to cost/benefit analysis)
197. Step 4: Establish a capability for securely gathering legally admissible evidence to meet the requirement
Digital Forensic Readiness – Legally Admissible
(Diagram: possible evidence being gathered – business and personal email, log files, social media – with a STOP for legal advice before collection)
198. Step 4: Establish a capability for securely gathering legally admissible evidence to meet the requirement
Digital Forensic Readiness – Legally Admissible
• Monitoring should be targeted at specific problems
• It should only be gathered for defined purposes and nothing more
• Staff should be told what monitoring is happening except in exceptional circumstances.
199. Step 4: Establish a capability for securely gathering legally admissible evidence to meet the requirement
Digital Forensic Readiness – Legally Admissible
Legislation: Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
200. Digital Forensic Readiness – Legally Admissible
Lawful Business Practice Regulation
Lawful Business Practice Regulations are designed to meet the legitimate needs of businesses to manage their information systems, making use of the capabilities of modern communications technology, but in a way that is consistent with high standards of privacy.
Please Note: These are not exemptions from the Data Protection Act.
201. Digital Forensic Readiness – Legally Admissible
Article 8: Right to Respect for Private and Family Life
Everyone has the right to respect for their private and family life, their home and their correspondence.
202. Step 5: Establish a Forensic Readiness Policy including the secure storage and handling of potential evidence
Digital Forensic Readiness – Forensic Readiness Policy
Policy Structure
• Senior Management Commitment
• Standards & legislation to comply with (e.g. ISO 27037:2012 Guidelines for identification, collection, acquisition, and preservation of digital evidence)
• Process for instigating an investigation
• Who can conduct investigations (competence levels)
• Resources required
• Examination locations
• Evidence Storage
• Equipment and software tools required
• Use of external resources
• Requirements for building evidence based cases
• Training and Development
203. Digital Forensic Readiness
Step 6 – Monitoring: Ensure monitoring is targeted to detect and deter major incidents
Step 7 – Escalation Process: Specify circumstances when escalation to a full investigation should be launched
Step 8 – Staff Training: Train staff in incident awareness and understanding of their role in the evidence processes and the legal aspects of evidence
Step 9 – Documenting Case: Document an evidence-based case describing the incident and the impacts. WHO, WHAT, WHY, WHEN, WHERE AND HOW
204. Step 10: Ensure legal review to facilitate action in response to the incident.
Digital Forensic Readiness – Legal Review
At key times during the collating of the digital forensics it is good practice to review the case from a legal standpoint to advise
on the strength of the case and suggest whether additional measures should be taken.
Legal Advisors should be trained and experienced in the appropriate cyber laws and evidence admissibility.
Advice may include:
• Any liabilities from the incident and how they can be managed
• Findings and prosecuting/punishing of culprits
• Legal and regulatory constraints on what can be taken
• Reputation protection and PR issues
• When/if to advise partners, customers and investors
• How to deal with employees
• Resolving commercial disputes
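An added example, not from the presenter’s slides, covering Step 5 (secure storage and handling of potential evidence) and Step 9 (an evidence-based case recording who, what, why, when, where and how): each item is hashed on acquisition, and custody entries form a hash chain, so both a modified evidence item and an edited custody record fail verification. The file name, case values, timestamps and class/function names are constructed for this example.

```python
from __future__ import annotations
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, asdict


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large evidence items need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class CaseRecord:
    """Step 9: the evidence-based case answers who, what, why, when, where and how."""
    who: str
    what: str
    why: str
    when: str
    where: str
    how: str


class CustodyLog:
    """Append-only custody record; each entry commits to the previous entry's hash,
    so an after-the-fact edit to any entry breaks verification from that point on."""
    GENESIS = "0" * 64

    def __init__(self, case: CaseRecord) -> None:
        self.case = case
        self.entries: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, ts: str, actor: str, action: str, item: str, item_hash: str) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {"ts": ts, "actor": actor, "action": action, "item": item,
                "sha256": item_hash, "prev": prev}
        entry = dict(body, entry_hash=self._digest(body))
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify_chain(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def item_intact(self, item: str, path: str) -> bool:
        """Continuity check: the item must still hash to the value recorded at acquisition."""
        recorded = next(e["sha256"] for e in self.entries
                        if e["item"] == item and e["action"] == "acquired")
        return sha256_file(path) == recorded


def demo() -> dict[str, object]:
    """Walk one constructed case through acquisition, transfer, tampering and a log edit."""
    with tempfile.TemporaryDirectory() as d:
        evidence = os.path.join(d, "mail-gateway.log")   # constructed sample evidence item
        with open(evidence, "wb") as f:
            f.write(b"2024-05-01T09:12:03Z user=jsmith action=forward to=ext@example.net\n")
        case = CaseRecord(who="jsmith (constructed)", what="bulk forwarding of customer data",
                          why="suspected policy breach", when="2024-05-01T09:12Z",
                          where="mail gateway", how="auto-forward rule to external mailbox")
        log = CustodyLog(case)
        h = sha256_file(evidence)
        log.append("2024-05-01T10:00Z", "analyst A", "acquired", "EV-001", h)
        log.append("2024-05-01T11:30Z", "analyst A", "transferred to evidence store", "EV-001", h)
        out = {"case": asdict(case), "intact_before": log.item_intact("EV-001", evidence),
               "chain_ok": log.verify_chain()}
        with open(evidence, "ab") as f:            # simulate the item being altered later
            f.write(b"edited\n")
        out["intact_after"] = log.item_intact("EV-001", evidence)
        log.entries[0]["actor"] = "someone else"    # simulate an edit to the custody record
        out["chain_after_edit"] = log.verify_chain()
        return out
```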
205. Key Points
Digital Forensic Readiness
• Forensic Readiness is an organisation’s ability to use digital evidence when required
• Its aim is to maximise an organisation’s ability to gather and use digital evidence whilst minimising the costs of related investigations.
• Forensic Readiness is an integral part of Information Security
• Forensic Readiness should be part of an information security risk assessment
• It is closely related to Incident Response and Business Continuity
• Requires the secure preservation and continuity of evidence to be maintained.
• Links to security monitoring to detect and deter issues that may have a major business impact
• Forensic Readiness should be part of an organisation's security training programme.
• Develop and implement a Forensic Readiness Policy