

October 2015 Issue No: 1.2

Good Practice Guide

Forensic Readiness


Good Practice Guide No. 18

Forensic Readiness

Issue No: 1.2 October 2015

The copyright of this document is reserved and vested in the Crown.

Document History

Version Date Comment

1.0 October 2009 First issue

1.1 September 2012 Update of Mandatory Requirements

1.2 October 2015 First public release


Page 1

Forensic Readiness

Intended Readership

Her Majesty's Government (HMG) Information Assurance (IA) practitioners can use this Good Practice Guide (GPG) directly in conjunction with the risk management methodology defined in HMG IA Standard No. 1 & 2, Information Risk Management (IS1 & 2) and HMG IA Standard No. 1 & 2 Supplement (IS1 & 2 Supplement) Technical Risk Assessment and Risk Treatment (references [a] and [b]). It will specifically assist organisations to meet the Forensic Readiness policy formulation requirements included in the HMG Security Policy Framework (SPF: reference [c]).

This GPG is intended to be used by people in senior IA roles including Information Asset Owners and Accreditors and IA Practitioners involved in formulating and policing Forensic Readiness Policy. A separate IA Implementation Guide (IG) covers the more detailed planning activities (IG18: reference [d]). For other business professionals and executives a separate Busy Readers Guide (BRG: reference [e]) is provided that gives a high level view of the guidance on Forensic Readiness.

Executive Summary

Forensic Readiness is the achievement of an appropriate level of capability by an organisation in order for it to be able to collect, preserve, protect and analyse Digital Evidence so that this evidence can be effectively used in any legal matters, in security investigations, in disciplinary matters, in an employment tribunal or in a court of law.

Digital Evidence is any information that can be secured from an information system and used during the course of any civil or criminal legal procedure. This extends to internal disciplinary hearings, employment tribunals, arbitration panels and all courts of law.

What Forensic Readiness is not is undue investment in high value "digital forensic software", expensive service provision contracts or diversion of staff to randomly snooping into users' information on hard drives (which if done incorrectly would actually be illegal). The need to deploy digital forensics, for many organisations, will be infrequent, but it is a contingency that should be planned for.

It is important for each organisation to develop a Forensic Readiness of sufficient capability and that it is matched to its business need. Forensic Readiness involves specification of a policy that lays down a consistent approach, detailed planning against typical (and actual) case scenarios that an organisation faces, identification of (internal or external) resources that can be deployed as part of those plans, identification of where and how the associated Digital Evidence can be gathered that will support case investigation and a process of continuous improvement that learns from experience.

Production of a Forensic Readiness Policy is a mandatory requirement of the SPF. This GPG provides advice on implementation of that requirement.

Page 2

Aims and Purpose

The aim of this GPG is to provide advice on good practice that can help to define and implement an approach to the development of Forensic Readiness Policy and associated planning and practice activities. The guidance provided is generic and includes information on how it can be applied to suit the requirements of individual organisations.

This GPG is primarily aimed at HMG Departments and Agencies that have little or no Forensic Readiness capability and have a need for assistance in developing or acquiring an appropriate level of capability in order to comply with SPF Mandatory Requirement No. 9. The GPG is also presented as recommended best practice for consideration of adoption by the wider public sector, including local government, any other public organisations, commercial organisations that supply ICT services to HMG, and particularly those organisations involved in supporting the Critical National Infrastructure (CNI).

It is expected that the larger Departments, and those organisations directly involved in law enforcement, will already have extensive and specialised capability that is beyond the scope of the generic guidance given in this GPG. Such organisations may find the information in this GPG to be of limited relevance, but nevertheless will find it provides a useful checklist against which to compare their current practices. Those organisations may also use this GPG as a means to propagate awareness of Forensic Readiness Policy requirements to partner organisations.

The purpose of this GPG includes the following objectives:

a. Enable HMG organisations and commercial organisations that provide services to HMG or the UK CNI to understand the requirement and business drivers for Forensic Readiness;

b. Assist organisations in the development of a Forensic Readiness Policy and encourage the adoption of common principles that promote its aims.

A complete approach to Forensic Readiness is provided by IA practitioners following the further guidance on implementation of a Forensic Readiness Planning function informed by the corresponding IG (reference [d]).

Page 3

Contents:

Chapter 1 - Introduction ... 4
Background ... 4
Relationship to National IA Policy ... 4
Recommendations ... 5
Supercession ... 5
Adoption ... 5
Structure ... 5

Chapter 2 - Concepts and Overview ... 7
Concepts ... 7
Forensic Science ... 7
Digital Forensics ... 7
Digital Evidence ... 7
Digital Investigation ... 7
Continuity of Evidence ... 8
Forensic Readiness ... 8
Forensic Readiness Policy ... 8
Forensic Readiness Planning ... 8
Forensic Readiness Capability ... 8
Overview ... 8
Actions Required ... 8
Oversight ... 9

Chapter 3 - Business Drivers ... 11
Introduction ... 11
Risks without Forensic Readiness ... 11
Benefits of adopting Forensic Readiness ... 12
Costs associated with Forensic Readiness ... 13
Summary ... 16

Chapter 4 - Common Principles ... 17
Introduction ... 17
Forensic Readiness Policy ... 17
Business Ownership ... 18
Single Point of Contact (SPOC) ... 19
Definition of Capability and Requirements ... 19
Scenario based Planning Activities ... 19
Information Security Incident Management ... 20
Investigation Standards ... 20
Quality Assurance and Competence ... 21
Business Records Management ... 22
Access to Information ... 23
Gaining Consensus ... 24
Continuous Improvement ... 25

Appendix A – Capability Factors ... 28

Appendix B – Forensic Readiness Policy Content ... 31

References ... 36

Glossary ... 37

Page 4

Chapter 1 - Introduction

Key Principles

Forensic Readiness Policy and Planning is required to meet Mandatory Requirement No. 8 of the HM Government (HMG) Security Policy Framework (SPF)

This Good Practice Guide (GPG) assists those organisations which currently have insufficient Forensic Readiness to develop an associated Policy and adequate level of supporting capability

The GPG is further supported by a corresponding IA Implementation Guide (IG) to assist with Forensic Readiness Planning activities

Background

1. This Good Practice Guide (GPG) has been developed to complement other GPGs and Information Assurance (IA) standards within the CESG National IA Policy Portfolio. Together these provide a range of guidance and countermeasures that can be applied to protect against risks to the confidentiality, integrity and availability of information assets.

2. This GPG provides guidance to organisations on an appropriate approach to the formulation of Forensic Readiness Policy. This GPG is further supported by a detailed IA Implementation Guide (IG: reference [d]), which provides guidance on associated Forensic Readiness Planning activities.

Relationship to National IA Policy

3. This GPG supports National IA Policy. It provides advice on good practice that can help to meet the obligation under Mandatory Requirement No. 9 of the SPF (reference [c]).

MANDATORY REQUIREMENT 8

All ICT systems that handle, store and process protectively marked information or business critical data, or that are interconnected to cross-government networks or services (e.g. the Government Secure Intranet, GSI), must undergo a formal risk assessment to identify and understand relevant technical risks; and must undergo a proportionate accreditation process to ensure that the risks to the confidentiality, integrity and availability of the data, system and/or service are properly managed.

MANDATORY REQUIREMENT 9

Departments and Agencies must put in place an appropriate range of technical controls for all ICT systems, proportionate to the value, importance and sensitivity of the information held and the requirements of any interconnected systems.

[the need for a forensic readiness policy is detailed in the explanatory text of MR9]

4. Use of the MUST imperative within this GPG will always be accompanied by a reference to the IA policy direction to which such a clause relates. In general, advice and guidelines are introduced by the should imperative, which means that it is recommended that they are implemented, but that each organisation may select alternative approaches, according to their exact needs.

Page 5

5. In using this GPG organisations should document their reasons for choosing alternatives, in order to provide evidence that can be later provided as justification for such decisions. This GPG is consistent with the relevant requirements and controls set out in ISO/IEC 27001 (reference [f]) and ISO/IEC 27002 (reference [g]) standards relating to Information Security Management requirements.

6. HMG Departments MUST report their status against all SPF MRs, including MR 9, in their annual return to Cabinet Office and Statement of Internal Control (as required by SPF MR 5). Other organisations within the wider public sector, including Agencies, local government, CNI organisations and supply chain partners, are also recommended to adopt internal or external Forensic Readiness Capability status control, tracking, reporting and audit functions.

MANDATORY REQUIREMENT 5

Departments and Agencies must have an effective system of assurance in place to satisfy their Accounting Officer / Head of Department and Management Board that the organisation’s security arrangements are fit for purpose, that information risks are appropriately managed, and that any significant control weaknesses are explicitly acknowledged and regularly reviewed.

Recommendations

7. This GPG and its corresponding IG (reference [d]) should be used by all HM Government Departments, Agencies and the Wider Public Sector to support the Forensic Readiness obligations set out in the SPF.

Supercession

8. This is the first publication within the CESG IA Policy Portfolio on this topic; however, previously the Cabinet Office provided a memorandum as interim guidance (reference [h]). This also referred out to National Infrastructure Security Co-ordination Centre¹ (NISCC) Technical Note 01/2005 - An Introduction to Forensic Readiness Planning (reference [i]). These sources should no longer be regarded as current, although the latter can still be regarded as useful background reading material.

Adoption

9. This GPG is effective as of the date of issue.

Structure

10. The remainder of this GPG is provided as a series of structured Chapters and Appendices:

a. Chapter 2 - Concepts and Overview. An introduction to significant concepts relating to Forensic Readiness and overview information on the steps required to implement and govern Forensic Readiness Policy;

¹ Now known as the Centre for the Protection of the National Infrastructure (CPNI).

Page 6

b. Chapter 3 - Business Drivers. A discussion on why Forensic Readiness is an essential part of IA Policy. It also discusses the business benefits and associated costs which can help construct a business case for investment in Forensic Readiness capability;

c. Chapter 4 - Common Principles. A series of recommended principles that should be universally adopted in order to achieve the aims and objectives of Forensic Readiness;

d. Appendix A - Capability Factors. A tabular presentation of the important factors that provide a scaled approach to the adoption of a Forensic Planning capability that is developed according to an organisation's risk environment;

e. Appendix B - Forensic Readiness Policy Content. An outline of the recommended contents of a Forensic Readiness Policy.

Page 7

Chapter 2 - Concepts and Overview

Key Principles

There are a number of actions organisations should undertake in order to develop and implement a Forensic Readiness Policy

An oversight process needs to be put into place to ensure that an organisation's Forensic Readiness status can be monitored and reported

Concepts

11. This Chapter introduces and defines the key terms associated with Forensic Readiness and gives an overview of how these should be adopted by an organisation. This is recommended reading for senior management and Accreditors.

Forensic Science

12. The application of scientific techniques to assist in the finding of facts in regard to any legal matter.

Digital Forensics

13. Part of Forensic Science relating to the production of legal evidence found in computers and storage media. This specifically includes examination of computer storage for remaining artefacts that enable deduction of past usage of that storage.

14. Digital Forensic techniques are essentially reactive measures used to investigate an incident "after the fact"; however, Forensic Readiness is a proactive process of attempting to plan before such events. As such it shares much in common with business continuity and contingency planning. Forensic Readiness also provides a measure of deterrence to potential attackers by provision of an effective investigation capability.

Digital Evidence

15. Digital Evidence is any information that can be secured from an information system and used during the course of any civil or criminal legal procedure. This extends to internal disciplinary hearings, employment tribunals, arbitration panels and all courts of law. Digital Evidence will also have to sit alongside other forms of evidence (witness testimonies, paper documents and other kinds of forensic evidence).

Digital Investigation

16. A Digital Investigation is any test or live investigation involving Digital Evidence and exercise of Forensic Readiness plans. Each investigation should also have a formal case file. Certain investigations, and those involving criminal matters, MUST be referred to the appropriate law enforcement authority or regulator. Other investigations may be undertaken privately, either internally by an in-house investigation team or outsourced to a Digital Forensic Service Provider. Most investigations follow a formal five-step process involving recovery, collection, examination, analysis and reporting.

Page 8

Continuity of Evidence

17. Continuity of Evidence is the formal process of comprehensively recording each action taken with each and every item of evidence that can subsequently be relied upon in any legal proceedings. This process commences with the original identification and recovery of those items of evidence during any investigation.
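The five-step process in paragraph 16 and the Continuity of Evidence definition in paragraph 17 can be made concrete in a small custody record. The following is an added example, not part of GPG 18 and not a CESG/NCSC tool: a minimal append-only evidence ledger in Python. Each item receives a SHA-256 fingerprint at recovery; every later step is logged against the item together with the fingerprint seen at that time, so an item that has changed since recovery is flagged in the record, and the entries are hash-chained so the record itself can be checked for alteration. The class, method and field names, the JSON layout, the case identifier and the sample evidence bytes are all constructed assumptions of this example, not terms from the guide.

```python
"""Added illustration, not part of GPG 18: a minimal Continuity of Evidence
ledger for a Digital Investigation.

Each item of evidence gets a SHA-256 fingerprint when it is recovered; every
later action (collection, examination, analysis, reporting: the five steps
named in the guide) is recorded against that item together with the
fingerprint seen at the time, so any change to the item is visible in the
record. Entries are hash-chained so the record itself can be checked for
alteration. Class, field and method names are assumptions of this example.
"""
import hashlib
import json
from datetime import datetime, timezone

# The five-step investigation process named in paragraph 16 of the guide.
STEPS = ("recovery", "collection", "examination", "analysis", "reporting")
GENESIS = "0" * 64  # previous-entry hash used for the first ledger entry


def sha256_hex(data: bytes) -> str:
    """Fingerprint of an evidence item's content."""
    return hashlib.sha256(data).hexdigest()


class EvidenceLedger:
    """Append-only custody record for one case file (assumed structure)."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.items: dict[str, str] = {}  # item_id -> fingerprint at recovery
        self.entries: list[dict] = []    # custody entries, oldest first

    def recover(self, item_id: str, data: bytes, handler: str, note: str = "") -> str:
        """Recovery step: identify the item and fix its fingerprint; returns the digest."""
        if item_id in self.items:
            raise ValueError(f"{item_id} already recovered")
        digest = sha256_hex(data)
        self.items[item_id] = digest
        self._append(item_id, "recovery", handler, digest, note, intact=True)
        return digest

    def record(self, item_id: str, step: str, data: bytes, handler: str, note: str = "") -> bool:
        """Record a later step; returns True if the item still matches its recovery fingerprint."""
        if step not in STEPS or step == "recovery":
            raise ValueError(f"unknown step {step!r}")
        if item_id not in self.items:
            raise KeyError(f"{item_id} has no recovery entry")
        digest = sha256_hex(data)
        intact = digest == self.items[item_id]
        self._append(item_id, step, handler, digest, note, intact)
        return intact

    def _append(self, item_id, step, handler, digest, note, intact) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "case_id": self.case_id,
            "seq": len(self.entries),
            "when": datetime.now(timezone.utc).isoformat(),
            "item_id": item_id,
            "step": step,
            "handler": handler,
            "item_sha256": digest,
            "intact": intact,
            "note": note,
        }
        entry["entry_hash"] = self._entry_hash(entry, prev)
        self.entries.append(entry)

    @staticmethod
    def _entry_hash(entry: dict, prev: str) -> str:
        """Hash of the entry body chained to the previous entry's hash."""
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return sha256_hex(canonical.encode() + prev.encode())

    def verify_chain(self) -> bool:
        """True if no recorded entry has been altered or reordered."""
        prev = GENESIS
        for seq, entry in enumerate(self.entries):
            if entry.get("seq") != seq or self._entry_hash(entry, prev) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo() -> dict:
    """Walk one constructed item through the steps; returns the outcomes."""
    ledger = EvidenceLedger("CASE-EXAMPLE-0001")             # constructed case id
    original = b"constructed sample: mail server auth log"   # constructed evidence
    ledger.recover("item-1", original, "Analyst A", "recovered from server image")
    ledger.record("item-1", "collection", original, "Analyst A", "copied to evidence store")
    exam_ok = ledger.record("item-1", "examination", original, "Analyst B")
    # A working copy that was edited must not pass as the original item.
    edited = original + b" (edited)"
    analysis_ok = ledger.record("item-1", "analysis", edited, "Analyst B", "working copy")
    chain_ok = ledger.verify_chain()
    # Altering a past entry (here the handler name) breaks the chain.
    ledger.entries[1]["handler"] = "Someone Else"
    return {"exam_intact": exam_ok, "analysis_intact": analysis_ok,
            "chain_before_tamper": chain_ok, "chain_after_tamper": ledger.verify_chain()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that the record ties every action to a person, a time and the item's fingerprint as seen at that moment, which is what a later reviewer needs in order to rely on the item; the hash chain adds only tamper-evidence for the ledger itself and is a choice of this example, not a requirement stated by the guide.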

Forensic Readiness

18. Forensic Readiness is the achievement of an appropriate level of capability by an organisation in order for it to be able to collect, preserve, protect and analyse Digital Evidence so that this evidence can be effectively used in any legal matters, in disciplinary matters, in an employment tribunal or in a court of law.

Forensic Readiness Policy

19. Forensic Readiness Policy is a formal commitment given by an organisation to adopt and implement the principles of Forensic Readiness, adapted to be relevant within the business context of that organisation.

Forensic Readiness Planning

20. Forensic Readiness Planning is the contingency planning and capability building activities associated with implementation of Forensic Readiness Policy.

Forensic Readiness Capability

21. Forensic Readiness Capability is a state of Forensic Readiness that is expressed in terms of an organisation's internal level of capability. This also determines to what extent an organisation will depend upon external capability for the conduct of Digital Forensic investigations (e.g. the services of Digital Forensic Service Providers). Capability is measured on a 1 to 5 scale; the levels are fully defined in Appendix A.

Overview

22. The remainder of this Chapter provides a high-level view of the Forensic Readiness requirements that need to be met in order to comply with SPF mandatory requirements.

Actions Required

23. Organisations should put into effect the following steps in order to put into place a Forensic Readiness Policy and satisfy SPF MR 9.

STEP 1

24. Organisations should appoint a director level role as having ownership of Forensic Readiness Policy. In common with other aspects of IA, this can be the organisation's Senior Information Risk Owner (SIRO), but additional notes are provided under Principle 2 in Chapter 4, paragraph 52 on page 18 of this GPG.

Page 9

STEP 2

25. Organisations should apply the twelve Forensic Readiness principles given in Chapter 4 to the context of their business. A copy of Table 1 on page 27 of this GPG can also be taken and used to record key facts with regard to adoption of these principles.

STEP 3

26. Organisations should choose an appropriate internal target capability from Appendix A. Organisations should also identify and engage appropriate external resources. There should be a reporting mechanism that monitors status of the current target capability level.

STEP 4

27. HMG Departments and Agencies MUST formally document, issue and maintain a Forensic Readiness Policy statement in accordance with SPF MR 9. This is also strongly recommended best practice for all organisations within the wider public sector, including local government, CNI organisations and supply chain partners. Appendix B provides a guide to the recommended content of a Forensic Readiness Policy.

STEP 5

28. Organisations should appoint appropriate management resources and a point of contact for the operational management of planning and digital investigation functions. Recommended planning methodology is covered in the corresponding IA Implementation Guide (IG18: reference [d]).

STEP 6

29. Organisations should institute and oversee relevant business processes to support Forensic Readiness planning, competence, exercise and investigation functions, including an overall process of review and continuous improvement to those processes. This includes integration with wider business processes, including information security incident management and business continuity planning.

Oversight

30. An organisation's IA accreditation and internal audit functions should maintain an interest in their organisation's Forensic Readiness status. Measurable aims and objectives should be set and defined as Key Performance Indicators (KPIs) as part of policy formulation, and these attributed to relevant process owners. The following should be included:

Status of Forensic Readiness Policy in terms of production and implementation

Current and target capability levels

Forensic Readiness Policy compliance reporting

Disposition of ownership and resources applied to Forensic Readiness

Page 10

Status of plans and scenarios

Status of exercise functions and feedback from exercises

Status of quality assurance systems, and staff or external provider current and target competency levels (including register of formal certifications)

Current and past investigation knowledgebase (anonymised) and active issues

Supporting business process compliance reporting (including escalation of serious or persistent non-compliances)

Prioritisation, conflict resolution and decision making record (e.g. deciding priority between evidence gathering and business continuity requirements)

Service level reporting

Status of the overall review cycle

31. All KPIs and other relevant records should be documented and auditable. For HMG Departments summary status of compliance with Forensic Readiness Policy MUST be reported in annual returns and Statement on Internal Control in accordance with SPF MR 5. Other organisations should have appropriate means of tracking compliance status and issues. Accreditors may step in or provide remedial advice in regard of any significant non-compliances. Audits and compliance checks should independently review the status of business processes and records and raise any non-compliances, as necessary. The maximum review cycle should be annual.

Page 11

Chapter 3 - Business Drivers

Key Principles

Forensic Readiness needs to be adopted to comply with the SPF but also avoids a substantive set of business risks and provides several additional business benefits

Cost wise, an appropriate level of investment in Forensic Readiness is likely to be more than balanced by the avoidance of cost liability associated with an unorganised approach to investigation and the other potential penalties when incidents occur

Introduction

32. This chapter provides an outline on the business drivers for the adoption of sound Forensic Readiness Policy. This includes discussion on the risks of not implementing it, the benefits of adoption and the associated costs.

Risks without Forensic Readiness

33. If an organisation does not have a Forensic Readiness capability, then it is at risk of all of the following:

a. If there is an incident it is likely any digital evidence would either be un-recoverable or lost. It is almost certain it would not be gathered in a manner that would support its future production as evidence in court. This may leave an organisation's position severely restricted (e.g. unable to defend claims of unfair dismissal, unable to seek legal remedy to any commercial transaction disputes, inability to make an insurance claim, etc.);

b. Investigation of the incidents would be more difficult and it would not be possible to investigate root causes. Nothing would be done to reduce re-occurrences and the organisation would not be able to explain its position to stakeholders, with consequent adverse reputational impact;

c. Incidents requiring a forensic response would likely be handled in a calamitous and disorganised manner, because no points of contact would have been established, management responsibilities would not have been identified and the organisation would not know where to seek advice or assistance;

d. If the incident involves seizure of a business critical component (e.g. an email server) by law enforcement it could escalate into a major business continuity issue;

e. An organisation's Information and Communications Technology (ICT) systems could in the worst case be abused for various criminal or wholly inappropriate purposes by outsiders or insiders with reduced threat of discovery or sanction (see f., g. and paragraph 34 following);

f. Lack of Forensic Readiness contributes to poor governance that could lead to liability to others for compensation of consequential losses;

Page 12

g. Economic losses which may result from failure to detect fraud, failed legal action, award of damages or costs against the organisation, or penalties received due to non-compliance with legal requirements (the latter may also include other sanctions against the business). This may also extend to inability to make insurance claims or even undermine an organisation's ability to obtain insurance cover.

34. All of the above risks would apply to any organisation in the public or private sector; however, a major reason that Forensic Readiness is embraced as a mandatory requirement under the SPF is that absence of planning increases the risk of compromise of protectively marked information, makes an organisation more vulnerable to ongoing terrorist or criminal infiltration and increases the likelihood of data handling issues arising.

Benefits of adopting Forensic Readiness

35. The obvious first benefit is to counter all of the generic risks stated in paragraph 33:

a. Digital evidence can be collected to a standard required by the law;

b. The depth of investigation that digital forensics allows will support root cause analysis. It also acts as a feedback loop of continuous improvement that tends to reduce incident re-occurrence (Plan Do Check Act);

c. Responses will be to a large extent pre-planned and organised, avoiding nugatory effort when an incident occurs;

d. Forensic Readiness reduces business disruption during incidents, as it:

both meshes with business recovery plans to minimise any effect on the business during an ongoing investigation, and

establishes relationships with law enforcement and other authorities (e.g. by prior negotiation it is likely seizure of a vital server could be avoided and a live forensic capture take place instead, leaving the business to continue with minimal disruption)

e. Internal policing of systems is legitimately established which can both detect and deter nefarious activities (by insiders or outsiders);

f. The policy and plans, plus the track record of implementation, form a contribution to the organisation's position on corporate governance (such a position can also expect to be viewed favourably by the courts);

g. Claims of civil or criminal liability against the organisation relating to illicit use of ICT can be defended (especially if the organisation proactively detected and immediately reported any illegality found to law enforcement);

h. The costs associated with Forensic Readiness are likely to be outweighed by avoidance of even one significant instance of litigation or fraud.

36. Forensic Readiness also defends against the risks relating to SPF compliance (paragraph 34):

a. Detects and deters abuse of protectively marked information;

Page 13

b. Is an essential countermeasure against the activities of terrorists and criminals alike and will provide an invaluable contribution to fighting cyber-crime. To business this provides a "good citizenship" credential;

c. It is an important control assisting in the information risk management and the protection of personal information.

37. Finally, Forensic Readiness provides some additional benefits. Forensic Readiness can:

a. Support in-depth system investigation to allow remedy of system and business performance issues;

b. Provide an effective means of investigating malicious software incidents. This includes: determining how infection occurred, measuring the extent of damage and assisting in identification of effective recovery strategies (e.g. allowing analysis and removal of "rootkits" that have become embedded within an organisation's ICT);

c. Provide intelligence, tracing and characterisation of attackers even when there is little prospect of them being called to account. This information may be used to improve defences and intrusion detection mechanisms (e.g. as the attackers are located in foreign jurisdictions);

d. Promote a positive workplace culture, help to police anti-harassment policies and encourage responsible use of ICT facilities;

e. Help to allay any fears that monitoring is intrusive and demonstrate that staff privacy is being respected. This is achieved through transparent implementation, staff consultation and application within the constraints of the law (i.e. compliant with the Regulation of Investigatory Powers Act);

f. Result in business records that will directly assist investigations and that can be presented as evidence in court. This is enabled by integration of planning with other ICT design, protective monitoring and information risk management activities and by tuning the electronic audit trail to match the kind of activity which will be the subject of forensic examination;

g. Augment an organisation's records management function to allow disclosure requests to be efficiently dealt with and facilitate compliance audits and reporting (e.g. to recover accidentally deleted files or track down "gaps in the record").

Costs associated with Forensic Readiness

38. One of the objectives of Forensic Readiness is to ensure cost optimisation of Digital Forensic investigations. That is, lack of preparedness would lead, in the event of an incident, to unnecessary, uncontrolled and inefficient expenditure. With forethought, appropriate organisation of information and resources, and contingency planning, the evidence can be affordably obtained.

39. For many organisations this will not require direct investment in acquiring sophisticated digital forensic technology or even establishing formal contractual arrangements with digital forensic service providers. There may be scope for cost sharing with collaborative and federated approaches, where small to medium organisations (e.g. local government) club together to establish a shared digital forensic service provision under a framework agreement, or for Agencies to take advantage of facilities put in place by their parent Departments. But all organisations will need to formulate Forensic Readiness policy requirements and include these within their planning functions.

40. The level of investment required will depend on the degree of likelihood (or frequency) that organisations would need to deploy the capability. This has some relationship with the outputs of information risk management exercises, although some additional factors also come into play. For instance, any organisation involved in law enforcement, that has a regulatory role, or where fraud is of particular concern, may need greater investment as the need for digital forensics is not just a contingency but part of day-to-day business processes; however, it is expected that such organisations will already have a mature approach. This GPG is focused more upon those organisations in which this need is not an everyday requirement.

41. This GPG introduces the concept of a Capability level (in the range 1 to 5) that reflects the sophistication of planning and Digital Forensic resources required. There is a direct correlation between the Capability level and the degree of investment required. Further details on the Capability level and its associated cost factors are provided in Appendix A.

42. Some of the important cost elements can be summarised as:

a. Policy - There is a need to develop and implement Forensic Readiness Policy and provide this with senior executive support and ownership. For smaller organisations this is unlikely to be a separate function, and it can be adopted by an existing position (typically by the Senior Information Risk Owner (SIRO));

b. Knowledge, people and processes - There is a need to define roles and responsibilities associated with planning, exercising and invoking those plans; this can be either a dedicated function or an extension of the existing contingency planning functions. Role holders will require a suitable level of training. Some basic awareness of Digital Forensic issues will also need to be created across the organisation. Digital Forensic investigation processes need to be integrated with the information security incident management process, and with cycles of performance feedback and improvement. Related planning activities will cross into other parts of the business; for instance, the planning process can inform Human Resources of the likely welfare requirements for staff exposed to extortion, harassment or obscene images via ICT facilities;

c. Information organisation - The most cost effective form of planning is to arrange information within the organisation so that it can readily be produced in the event of any investigations or disputes. This is better than relying on digital forensic techniques to uncover that information at a later date: Digital Forensic techniques should mostly be reserved for cases of data recovery or uncovering the attempts of an attacker to cover their tracks. Provided appropriate records management practices are followed, much evidence will be admissible as business records in court. On the other hand, any laxity or other limitations as to how an organisation manages its records may have the opposite effect. Therefore planning should also review the organisation's (electronic and physical) records management function. There is also a direct link here to requirements for Protective Monitoring of ICT facilities (which is dealt with in GPG 13, reference [j]). Protective Monitoring identifies what alerts and records are generated by ICT systems; these should also be treated and protected as business records and will be essential to support information security incident investigations. Invariably, organising and maintaining business records has a cost; however, this is balanced against the uncontrolled costs that might be incurred by the data mining of disparate and disorganised records necessitated by any investigation;

d. Relationship building - Planning needs to include outreach to stakeholders and, specifically, building relationships and points of contact that will be useful during an investigation. There need to be strong internal relationships (with legal and commercial functions) and external relationships (with law enforcement, customers, service providers and regulators). There needs to be a consistent point of focus for matters concerned with digital forensic investigations: a Single Point of Contact (SPOC). In some organisations this may be subsumed into another security responsibility (e.g. Security Officer or IT Security Officer); other organisations may have a dedicated post or even a team;

e. External support - Organisations are likely to need some form of support from external digital forensic service providers. For some it would be uneconomic to build their own tools and capability due to the infrequency with which they would need to be deployed. At the other extreme, external support can top up internal facilities as workload demands. The nature of the commercial relationship can extend from informal arrangements through to outsourcing contracts with formal Service Level Agreements (SLAs). At the minimum organisations should establish some form of prior arrangement and agreed points of contact with identified suppliers; they should not rely upon finding support at the time of an incident;

f. Technology support - For organisations that only need to deal with digital forensics provision as a contingency there should be no need for direct investment in in-house technology capability (these organisations form the target readership of this GPG); however, it can be prudent to develop some internal capability when it is found that there are frequent incidents whose detection or investigation is assisted by digital forensic technology. The in-house capability may not just be used to support an evidence gathering function but also to undertake an intelligence function or root cause analysis. There will be direct costs with the need to acquire and maintain any in-house capability. Requirements may range from a single laptop to a laboratory facility. Costs will also be incurred in essential training of staff and maintenance of their competence (especially if they are to appear in court as witnesses). Appendix B of the corresponding IA Implementation Guide (IG: reference [d]) provides some insight into the forms of technology currently available.

43. The exact nature and scale of the costs will be specific to each organisation. As with any enterprise the implementation of Forensic Readiness should be treated as a significant project (perhaps instituted under a PRINCE2 framework) and needs to commence with an initiation phase that establishes a formal business case for adoption. This will assist in accurately identifying the costs and ensure that the organisation selects an appropriate Capability target.

Summary

44. There is a large array of risks to the business from not implementing a Forensic Readiness regime. This is in addition to it being specified as a mandatory requirement in the SPF in order to provide information risk management for both protectively marked assets and personal information.

45. There are costs associated with the implementation of Forensic Readiness policy and planning, but these are likely to be outweighed by benefits received and the potential financial penalties of an unplanned approach.

46. It is possible to scale the Capability of an organisation to the risk, or to the frequency with which it undertakes information security incident investigations that require digital forensic support.

47. The GPG moves on in the following Chapter to present a common set of principles that can be applied by all organisations in the application of Forensic Readiness.


Chapter 4 - Common Principles

Key Principles

There are twelve significant principles that organisations should observe as part of adoption of Forensic Readiness Policy.

Some elements of these principles relate to mandatory SPF requirements or compliance with legislation and regulations and therefore MUST be complied with.

Organisations should consider the extent of applicability of each principle and document how they implement conformance with each principle.

Introduction

48. This Chapter outlines the key principles, and hence direction and recommendations for formulation and implementation of Forensic Readiness Policy and associated planning activities.

Forensic Readiness Policy

Principle 1 - HMG Departments and Agencies MUST develop and implement a Forensic Readiness Policy in order to comply with SPF MR 9. It is also strongly recommended that all other organisations within the wider public sector either develop or adopt, and implement such a policy.

49. Regardless of the positive factors presented in Chapter 3, Departments and Agencies are reminded that the establishment of a Forensic Readiness Policy is mandated by SPF MR 9 and, for Departments, its compliance status MUST be reported in the annual return to the Cabinet Office and the Statement on Internal Control (SPF MR 5).

50. It is essential to have a documented approach to Forensic Readiness in order that it can be demonstrated as formally adopted by the organisation and allow its effective practice to be demonstrated during internal or external compliance reviews. This GPG defines different levels of capability that can be adopted in Forensic Readiness Policy. The degree of capability adopted can be scaled according to defined IA information risk management principles and other environmental factors.

51. CESG recommends that a Forensic Readiness Policy should:

a. Include a statement of an organisation's commitment to implementation of Forensic Readiness principles and acceptance of ownership of the implementation by the board of the organisation;

b. Establish a management framework and terms of reference for Forensic Readiness Planning and oversight, including definition of related roles, responsibilities, schedules and procedures;

c. Define relationships within the business and ensure there are mutual support arrangements between the information security management, contingency planning, legal, commercial/contract, human resource (etc.) functions;


d. Lay down rules of engagement for establishing relationships with external parties including law enforcement, courts, suppliers, adversaries and communications with customers, the media and the members of public;

e. Specify related Key Performance Indicators (KPIs) and associated ownership, measurement and reporting framework;

Identify the Capability level that will be sought by the organisation and specific Forensic Readiness requirements and resources (KPIs should include coverage of the level of attainment of capability targets);

Integrate Forensic Readiness requirements with information security incident management business processes, including management reporting, escalation and service level arrangements;

Cover security aspects of the conduct of investigations and evidence handling, especially in cases where Digital Evidence may be sourced from information bearing a protective marking or handling caveats. This includes requirements for investigations conducted both internally and externally (e.g. investigator security clearance requirements should be defined, and investigations involving material protectively marked CONFIDENTIAL or above that are conducted at an external commercial facility would require that facility to be List-X registered);

f. Align Forensic Readiness planning functions with business continuity and disaster recovery functions to ensure that adequate consideration is given to the development of plans to cope with incident scenarios that the business is likely to face;

g. Recognise the important dependencies with business records management and access to information requirements, and integrate associated management and policy activities;

h. Ensure that Forensic Readiness is included in the overall cycle of management review and improvement. Requirements and plans should be maintained and adjusted in the light of experience and changes to either the business or information risk environments;

i. Indicate how awareness of the relevant issues will be disseminated throughout the organisation and include communication plans to enable effective management of internal and external relationships.

Business Ownership

Principle 2 - Forensic Readiness Policy should be owned at a director level within the organisation.

52. The following options should be considered for allocation of ownership:

a. Forensic Readiness can be treated as part of IA and information security and can have the same owner (i.e. the Senior Information Risk Owner (SIRO));

b. Certain investigations may trigger crisis management activities: in this case it is essential to have access to a director level role that can take the important decisions when consulted by the Crisis Management Team (CMT). Hence some organisations may separate out the SIRO and CMT ownership and could legitimately choose to lodge Forensic Readiness ownership with the CMT chain of command.

Single Point of Contact (SPOC)

Principle 3 - Organisations should have a recognised and consistent point of contact for establishing and maintaining relationships during planning and exercises, and to act as a focal point during investigations or crisis management. The point of contact should work closely with the organisation's legal department and other relevant stakeholders during every stage of each investigation.

53. This is a common requirement within both information security incident management and crisis management. It is important for Forensic Readiness concerns that there is a knowledgeable point of focus acting as the facilitator. Note that for some organisations this can legitimately be a business group rather than an individual but there must be a single means of access (e.g. help desk) and a consistent manner of co-ordination. Note that if this function comes within the remit of the Regulation of Investigatory Powers Act (RIPA) then the SPOC is a legally defined entity and MUST be one and the same.

54. The SPOC may also undertake the day-to-day planning and management activities associated with Forensic Readiness Policy. Some organisations may combine these duties with other management functions; other organisations may spread these responsibilities among a team or even outsource certain activities.

Definition of Capability and Requirements

Principle 4 - Forensic Readiness Policy requirements and the supporting capability should be defined with regard for the level of information risk exposure and actual business need to undertake digital forensic investigations.

55. This means an organisation should choose its target Capability level in response to defined need. This Capability level can then be used to choose generic policy requirements and then adapt these more closely to local requirements. This is an essential part of ensuring that an economical approach is adopted. This is not a one-time decision, but is the subject of continuous review to enable the Capability level and requirements to change to match shifting risk and environmental factors. Appendix A of this GPG provides further information on Capability targets.

Scenario based Planning Activities

Principle 5 - Organisations should adopt a scenario based Forensic Readiness Planning approach that learns from experience gained within the business.

56. It is difficult to envisage exactly what sort of incidents and investigations can lead to the requirement to apply digital forensics. This GPG provides a starting point by presenting several generic scenarios and a classification system along with some typical requirements. These can then be tailored to individual organisations based upon local knowledge and/or experience. This approach has the advantage that realistic situations can be created that can then be played through during planning exercises; plans can then be drawn up in advance and refined as they are applied during real-life incidents. This planning approach is covered in depth in the corresponding IA Implementation Guide (reference [d]).

Information Security Incident Management

Principle 6 - Organisations should closely integrate Forensic Readiness plans with incident management and other related business planning activities.

57. It is important that Forensic Readiness is not treated as an isolated discipline as this would lead to both inefficiencies and inevitable conflict. Consider a situation where a digital forensic investigation is launched only to find the ICT target of interest has been rebuilt to apply a software upgrade: the evidence would have been destroyed.

58. The Forensic Readiness function should be an integral part of the business. The key relationship will typically be with the information security incident management function because most digital forensic investigations will be launched in response to an information security incident. As the incident response and investigation proceeds, extension to the same investigation, or additional investigations or incidents, may be identified. The lifecycle of the digital forensic investigation may persist well beyond the lifetime of the associated ICT incident (once the evidence is captured then there may be a lengthy process until it is presented, along with witnesses, in court). Digital forensic investigations may also arise in their own right, without any accompanying incident (e.g. as part of a compliance audit or training exercise). The relationship between incidents and investigations can be two-way and many-to-many.

59. Similarly, much of Forensic Readiness Planning shares elements of Business Continuity and Disaster Recovery Planning. Where an incident is likely to mean disruption of critical ICT services this is a direct business continuity issue. Similarly, the business recovery plans need to factor in an allowance to permit evidence to be gathered to assist investigation or root cause analysis. The Forensic Readiness function needs to work with contingency planning and crisis management teams to help to minimise any disruption to the business by either hypothetical or actual courses of events.

Investigation Standards

Principle 7 - Investigations should seek to produce the best standard of digital forensic evidence. Practitioners should adopt the principles published by the Association of Chief Police Officers (ACPO).

60. ACPO has published detailed guidance within its Good Practice Guide on Computer-based Electronic Evidence (reference [k]). This provides very detailed information on how to conduct investigations that involve capture of digital evidence and the use of digital forensic techniques to a standard required by criminal law.


61. The standards of evidence handling during investigations should seek to comply with the ACPO guidance as far as it is reasonably practical and economic to do so. Most importantly, four key principles cited by the guidance should be adopted and observed:

a. Principle 7.1 - "No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court" [ACPO Principle 1];

b. Principle 7.2 - "In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions" [ACPO Principle 2];

c. Principle 7.3 - "An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result" [ACPO Principle 3];

d. Principle 7.4 - "The person in charge of the investigation (the case officer²) has overall responsibility for ensuring that the law and these principles are adhered to" [ACPO Principle 4].

62. It should be noted that the ACPO guidelines are updated from time to time. Organisations should always adopt the current published versions of the principles. The principles reproduced above are from Version 4 of the guidance.

63. The rationale for adopting these principles is that no matter what turns an investigation takes the evidence collected will be in good condition to be applied as needed (be it to standards applied in internal disciplinary matters, the civil tribunals or, ultimately, passing over to law enforcement for taking matters to criminal courts). It has also been suggested by the Home Office Forensic Science Regulator that the same standards for forensic evidence that apply to criminal proceedings should also apply to civil cases³.
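As an added illustration (not part of the GPG or of the ACPO guidance), the Python below shows what Principles 7.1 and 7.3 look like in practice: the original item is only ever hashed, every process runs on a working copy, and each process is written to a hash-chained audit trail recording operator, tool, input hash and output hash, which an independent party can replay from the original to confirm the same result. The evidence fragment, case reference and tool names are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "evidence": a small log fragment standing in for an
# acquired image. In practice this would be a disk or memory image taken
# behind a write blocker; here a bytes object plays the immutable original.
SAMPLE_EVIDENCE = (
    b"2015-10-01T08:12:03Z auth sshd: Accepted password for alice from 10.0.0.5\n"
    b"2015-10-01T08:12:09Z auth sudo: alice : COMMAND=/bin/rm -rf /var/log/audit\n"
    b"2015-10-01T08:13:41Z kern: audit: type=1305 audit_enabled=0 old=1\n"
)


def sha256_hex(data: bytes) -> str:
    """Fingerprint used for every input and output (ACPO Principle 1)."""
    return hashlib.sha256(data).hexdigest()


def filter_lines(data: bytes, keyword: bytes = b"audit") -> bytes:
    """Deterministic example process: keep only lines mentioning the keyword."""
    return b"".join(line + b"\n" for line in data.splitlines() if keyword in line)


# Registry of named processes, so a third party can re-run exactly what was
# recorded rather than an approximation of it (ACPO Principle 3).
PROCESSES = {
    "acquire_working_copy": lambda data: bytes(data),  # copy; original untouched
    "filter_audit_lines": filter_lines,
}


class AuditTrail:
    """Append-only record of every process applied to an item of evidence.

    Each entry is linked to the previous one by hash, so an entry that is
    altered or removed after the fact breaks the chain.
    """

    def __init__(self, case_ref: str, operator: str):
        self.case_ref = case_ref
        self.operator = operator
        self.entries = []

    def record(self, process: str, tool: str, input_hash: str, output_hash: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "case_ref": self.case_ref,
            "operator": self.operator,
            "process": process,
            "tool": tool,
            "input_sha256": input_hash,
            "output_sha256": output_hash,
            "prev_entry_hash": prev,
        }
        # The entry hash covers canonical JSON of every field above.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def chain_intact(self) -> bool:
        """True if no entry has been altered or dropped since it was recorded."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            expected = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if e["prev_entry_hash"] != prev or e["entry_hash"] != expected:
                return False
            prev = e["entry_hash"]
        return True


def run_process(trail: AuditTrail, name: str, tool: str, data: bytes) -> bytes:
    """Apply a registered process and record its input and output hashes."""
    out = PROCESSES[name](data)
    trail.record(name, tool, sha256_hex(data), sha256_hex(out))
    return out


def investigate(original: bytes, trail: AuditTrail) -> bytes:
    """Examiner's workflow: the original is copied once and never modified."""
    copy = run_process(trail, "acquire_working_copy", "hypothetical-imager 0.1", original)
    return run_process(trail, "filter_audit_lines", "hypothetical-carver 0.1", copy)


def replay(original: bytes, entries: list) -> bool:
    """Independent check: re-run the recorded processes on the original and
    confirm that every recorded input and output hash is reproduced."""
    data = original
    for e in entries:
        if sha256_hex(data) != e["input_sha256"]:
            return False
        data = PROCESSES[e["process"]](data)
        if sha256_hex(data) != e["output_sha256"]:
            return False
    return True
```

A replay that fails on the first entry tells the reviewer the original itself no longer matches what was acquired; a failure on a later entry points at the specific process whose result cannot be reproduced.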

Quality Assurance and Competence

Principle 8 - Any internal or external digital forensic capability employed by an organisation should apply formal quality assurance processes and all staff involved in handling evidence during investigations should have an appropriate degree of competence.

64. The level of competence with which digital evidence has been created and handled should always be attestable in order to support its later use in any legal matter.

65. It is understood that part of the remit of the Home Office Forensic Science Regulator, advised by the Forensic Science Advisory Council (FSAC), is to identify suitable regimes for the registration of digital forensic service providers, practitioners and expert witnesses. There is a public consultation underway at the time of issue of this GPG. There is no current mandatory registration scheme or mandated set of qualifications expected from digital forensic practitioners or agencies.

² For an internal investigation this would be the senior member of staff involved in that investigation (e.g. SPOC). For an outsourced investigation the SPOC would maintain the organisation's interest in seeing that the service provider was observing these principles.

³ Paragraph 7.5 of Manual of Regulation - Part One - Policy and Principles - Forensic Science Regulator - Version 1 - September 2008 (reference [m]).

66. In the absence of a current scheme, organisations should consider what credentials they would expect from any digital forensic service provider and whether these should be stated as formal qualification criteria when procuring such services. Suggested credentials include:

a. Quality management systems (ISO 9001:2008: reference [l]);

b. Competence for testing laboratories (ISO/IEC 17025:2005: reference [n], this includes a. above);

c. Information security management systems (ISO/IEC 27001:2005: reference [f]);

d. Bodies performing inspections (ISO/IEC 17020:1998: reference [o]);

e. US National Institute of Standards and Technology (NIST) Computer Forensic Tool Testing programme (http://www.cftt.nist.gov/).

67. Some reputable UK MSc courses also include detailed modules on digital forensics. Information should also be sought from prospective service providers as to how they maintain staff skills and if they have a Continuous Professional Development (CPD) scheme.

68. There are also existing commercial expert witness registration schemes and directories, some of which undertake vetting checks prior to inclusion in their registry, although there is no obligatory requirement for experts called as witnesses to be registered at this time. There are also training courses and specialist consultancies available to train witnesses.

69. Organisations having an internal capability should also consider seeking certification to the standards given in paragraph 66 if they expect to have to present evidence in court. They should also ensure all investigative staff are appropriately trained and have their levels of competence maintained.

Business Records Management

Principle 9 - Organisations should maintain the quality and effectiveness of their records management systems in order that specific business records can be produced as evidence in court or to address any legal or regulatory requirement.

70. As covered in Chapter 3, good quality business records management can often obviate the need for detailed and expensive digital forensic work (which, when used in this mode, also goes under the title "data recovery"). If the outputs of ICT protective monitoring systems are also included as part of business records then they can support investigations by allowing reconstruction of "time-lines" and sequences of events.


71. Having an effective records management system is a matter of good housekeeping, due diligence and corporate governance. Such a system is necessary to address access to information requirements (Principle 10) and furnish documentary evidence that is to be relied upon to support any form of legal proceedings.

72. What applies to paper documents also applies to electronic records. Organisations with extensive electronic records management should also be aware of standard BS 10008:2008 - Legal Admissibility and Evidential Weight of Information Stored Electronically (reference [p]). This standard should be implemented on electronic record systems where it is likely that copies of electronic documents will be required as evidence in court. This is especially the case when those records exist only in electronic format.

73. Another aspect of this principle that needs to be considered is that any presentation of business records as evidence may need to be accompanied by appropriate certifications by senior managers, backed up by witness evidence, as to the nature of the management of those records (including both operational and technical aspects). Organisations need to consider which posts would be best placed to provide witnesses and also any requirement to train those posts for appearing in court.

Access to Information

Principle 10 - Organisations should provide appropriate records retrieval processes and mechanisms in order that any requirement to disclose information can be efficiently and securely dealt with. Such disclosures MUST be handled in accordance with all relevant legislation and regulations.

74. Effective records management is a key control in meeting any disclosure requirements, court ordered or otherwise, and meeting regulatory provisions including:

a. Data Protection Act 1998, including the processing of Subject Access Requests and appropriate management of personal information;

b. Freedom of Information Act 2000 (also Freedom of Information (Scotland) Act 2002), which can require detailed disclosure of information from all UK public bodies;

c. Public Records Act 1958 to 1967, which sets out obligations regarding the maintenance and archiving of records by public bodies.

75. Records may need to be retrieved as evidence to support these disclosures or may also be required to defend the position of an organisation during any type of dispute with other parties. It is important that the retrieval process is effective, efficient and secure. It should be supported both by the technology and backed up by a management decision making process to check carefully what information is exchanged with outside parties. This includes consultation with Information Asset Owners and security authorities to assess the sensitivity of the information, any impact of disclosures and required protective measures.


76. The technology and methods used should support the selective release of information so that the appropriate information can be retrieved and isolated for release. Any material contained within the information that is subject to any exemptions, including national security implications, or personal information relating to other parties, that cannot be released should be edited or redacted to exclude the non-releasable material. Information to be handled as evidence, especially electronic information, should be handled in accordance with the ACPO principles (Principle 7).

77. Legal advice should also be sought for all disclosures associated with legal proceedings. Information regarding any civil proceedings should only be released via the organisation's legal department or representatives. Information concerning criminal matters should normally be released to the appropriate law enforcement agency via the SPOC (this excludes cases where a lawfully issued warrant needs to be complied with).

78. All extracted information transferred to external parties MUST be appropriately handled and handling MUST comply with the requirements of IA Standard No. 6 - Protecting Personal Data and Managing Information Risk (reference [q]). Information that still bears a protective marking or handling caveat prior to release MUST be handled in accordance with SPF requirements. An audit trail of any downgrade operations used during information retrieval from protectively marked sources should also be maintained and available for IA compliance review.

Gaining Consensus

Principle 11 - An open and collaborative approach should be adopted within organisations, wherever possible, to gain acceptance of methods used to support investigations and incident handling. All methods of investigation and detection of information security incidents MUST be lawful.

79. It is important that all investigations are conducted on an ethical basis. There needs to be an accountable management process to allow the "stepping up" of collection of information to assist any investigations that require it.

80. The routine collection and monitoring of information should be proportionate to business need and information risk. An effective means of specifying what information is gathered from ICT facilities for IA purposes is given in GPG13 (reference [j]).

81. It is beneficial to obtain a degree of consensus on the general extent of collection and monitoring that is undertaken from the subjects of the monitoring (i.e. ICT users). In some circumstances this is a legal requirement, and obtaining a formal record of consent from the subjects may also be required. Creating awareness of the degree of monitoring and policing is also an effective deterrent to potential attackers (including outsiders). Wherever possible, ICT "log on" and connection screens should state that systems are monitored, and for what purposes they are monitored.
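As an added compliance check for the log-on notice recommended in paragraph 81 (example code written for this edit; it is not part of GPG 18 or of any CESG/NCSC tool), the following inspects an OpenSSH sshd_config for an active Banner directive and tests the banner text against the two requirements stated above: that the system is declared to be monitored, and that the purposes of the monitoring are stated. The sshd_config fragments, the banner texts and the keyword patterns are constructed assumptions for the example; on a real host the banner contents would be read from the path the directive names rather than passed in a dictionary, and the organisation's legal function would set the approved wording.

```python
"""Compliance check for a log-on monitoring notice (added example, not GPG 18 code).

Paragraph 81 recommends that log-on and connection screens state that systems
are monitored and for what purposes. This check inspects an OpenSSH sshd_config
for an active Banner directive and tests the banner text against those two
requirements. Config fragments, banner texts and keyword patterns below are
constructed for the example; they are not taken from any real host or standard.
"""
import re

# Constructed sshd_config fragments: one with the Banner directive commented
# out, one pointing at a banner file.
SSHD_CONFIG_WEAK = """\
Port 22
PermitRootLogin no
#Banner none
"""

SSHD_CONFIG_OK = """\
Port 22
PermitRootLogin no
Banner /etc/issue.net
"""

# Constructed banner texts: one that only says the system is monitored, one
# that also states the purposes (wording modelled loosely on paragraph 85).
BANNER_NO_PURPOSE = "Authorised users only. All activity on this system is monitored.\n"
BANNER_OK = (
    "This system belongs to [Organisation Name]. Use of it is monitored and\n"
    "recorded for the purposes of information security, the prevention and\n"
    "detection of crime, and the investigation of unauthorised use.\n"
)

# Keyword patterns are an assumption of this example; a policy owner would
# substitute the exact wording the organisation's legal function has approved.
MONITOR_WORDS = re.compile(r"\b(monitor(ed|ing)?|record(ed|ing)?|intercept(ed|ion)?)\b", re.I)
PURPOSE_WORDS = re.compile(r"\b(purposes?|in order to)\b", re.I)


def banner_path(sshd_config: str):
    """Return the file named by an active Banner directive, or None if there is
    none (directive absent, commented out, or set to 'none')."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config accepts 'Key value' or 'Key=value'; normalise the separator.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "banner" and value.lower() != "none":
            return value
    return None


def check_monitoring_notice(sshd_config: str, banner_files: dict) -> list:
    """Return a list of findings; an empty list means the notice is adequate.

    banner_files maps banner paths to their text so the check runs offline; on
    a real host the file named by the directive would be read instead."""
    path = banner_path(sshd_config)
    if path is None:
        return ["no active Banner directive: users see no monitoring notice at log on"]
    text = banner_files.get(path)
    if text is None:
        return [f"Banner directive names {path}, which does not exist"]
    findings = []
    if not MONITOR_WORDS.search(text):
        findings.append("banner does not state that the system is monitored")
    if not PURPOSE_WORDS.search(text):
        findings.append("banner does not state the purposes of monitoring")
    return findings


if __name__ == "__main__":
    for label, cfg, files in [
        ("commented-out banner", SSHD_CONFIG_WEAK, {"/etc/issue.net": BANNER_OK}),
        ("banner without purposes", SSHD_CONFIG_OK, {"/etc/issue.net": BANNER_NO_PURPOSE}),
        ("compliant banner", SSHD_CONFIG_OK, {"/etc/issue.net": BANNER_OK}),
    ]:
        print(label, "->", check_monitoring_notice(cfg, files) or "OK")
```

The check deliberately reports the missing purposes statement as a separate finding from the missing monitoring statement, because the guidance asks for both: a banner that says "monitored" but not why does not meet paragraph 81.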


82. All monitoring on an organisation's ICT MUST comply with The Telecommunication (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBPR). These refer to interception of telecommunications (including voice, email, instant messaging, video conferencing, etc.) made on a telecommunication system controlled by the organisation. Interception specifically refers to recording in transit (i.e. before the intended recipient(s) of the communication have accessed it). It allows certain exceptions to the prohibition on unauthorised interception, but subject to certain conditions. One of these conditions makes it obligatory to take reasonable efforts to inform all parties involved that interception is taking place; however, this also affects third parties and therefore organisations should consider including information on any interception done, and its purposes, in standard email footers.

83. Information gathered from interceptions conducted unlawfully will not be admissible as evidence. Unlawful interceptions may also render the organisation, or its staff, liable to prosecution or regulatory sanction.

84. The regulations only provide exceptions for telecommunications controlled by the organisation. It can be particularly complicated in situations in which ICT is partly or wholly outsourced (especially to public ICT service providers). Organisations cannot instruct a telecommunications provider or other operative to conduct interception on their behalf: any interception of public telecommunications systems comes directly under the Regulation of Investigatory Powers Act 2000 (RIPA) and can only be dealt with by referral to law enforcement agencies. Organisations should always seek legal advice on the interception or recording of telecommunications.

85. Nevertheless, the Regulations do make specific provision for interception in cases that are especially relevant to digital investigations. When the conditions of the Regulations are met the purposes allowed include:

a. In the interests of national security;

b. To prevent and detect crime;

c. To investigate or detect the unauthorised use of telecommunications systems.

86. Whenever there is any doubt about the legitimacy of the level of monitoring, recording, interception, intelligence gathering, use of digital forensics and other investigation methods that an organisation is considering deploying it is strongly recommended that the opinion of the Information Commissioner be sought (www.ico.gov.uk).

Continuous Improvement

Principle 12 - Organisations should have a management review process that improves plans in accordance with experience and new knowledge.

87. In the life history of Forensic Readiness plans it is likely that they will start in a fairly immature state. They may be based upon guesswork, or seeded from historic events, for which much information is incomplete. To a limited extent it is possible to pro-actively identify the likely course of events of a particular scenario; however, it will not be until an actual instance of a scenario occurs that its associated plan will be exercised. Just like battlefield plans, it will not predict the actual course of events: there are bound to be surprises and the outcomes may look a lot different from the first guess. Nor will two investigations play out in precisely the same manner, no matter how close to the same scenario they seem.

88. Consequently, the feedback element of planning: gathering information from actual investigations, step-by-step, as they occur, is vital (this is also essential from an evidential point of view: all those involved in the event should be keeping detailed notes). Every investigation should have a "lessons learnt" phase that is then used to improve the plans exercised during the incident. There should also be a higher-level management review of all plans on at least an annual basis.

89. Organisations that rarely, if ever, experience incidents that require a digital forensic investigation should consider a regular (at least annual) exercise of plans. This can be either a purely desk-based exercise or something more practical, for instance putting a random selection of decommissioned hard drives through digital forensic analysis prior to disposal. The latter approach should only be done in accordance with Principle 11, as it has significant ethical and privacy issues that need to be addressed; adopting it also requires consideration of the fact that either misconduct or crime could be uncovered during such an exercise.

Summary

90. This Chapter outlines the key principles, and hence direction and recommendations for implementation of a Forensic Readiness Policy within each organisation. Organisations should document the extent of applicability of each principle and also track the degree to which the principles are complied with. Table 1 on page 27 provides a useful form for recording this status information.

91. As well as adoption and appropriate application of the principles it is also necessary to implement Forensic Readiness Planning practices. These are covered in detail in the corresponding IG (reference [d]).


Principle 1 - HMG Departments and Agencies MUST develop and implement a Forensic Readiness Policy in order to comply with SPF MR 9. It is also strongly recommended that all other organisations within the wider public sector either develop or adopt, and implement such a policy.
Notes: Organisation: [ ]; Reference: [ ]

Principle 2 - Forensic Readiness Policy should be owned at a director level within the organisation.
Notes: Owned by: [ ]

Principle 3 - Organisations should have a recognised and consistent point of contact for establishing and maintaining relationships during planning and exercises, and to act as a focal point during investigations or crisis management. The point of contact should work closely with the organisation's legal department and other relevant stakeholders during every stage of each investigation.
Notes: SPOC: [ ]

Principle 4 - Forensic Readiness Policy requirements and the supporting capability should be defined with regard for the level of information risk or actual business need to undertake digital forensic investigations.
Notes: Capability level: target [ ]; current [ ] (Refer to Appendix A)

Principle 5 - Organisations should adopt a scenario based Forensic Readiness Planning approach that learns from experience gained within the business.
Notes: (Plans are developed by reference to IG18 (reference [d]))

Principle 6 - Organisations should closely integrate Forensic Readiness plans with incident management and other related business planning activities.
Notes: Incident management: [ ]; Contingency planning: [ ]

Principle 7 - Investigations should seek to produce the best standard of digital forensic evidence. Practitioners should adopt the principles published by ACPO.

Principle 8 - Any internal or external digital forensic capability employed by an organisation should apply formal quality assurance processes and all staff involved in handling evidence during investigations should have an appropriate degree of competence.
Notes: Internal QA: [ ]; External QA: [ ]

Principle 9 - Organisations should maintain the quality and effectiveness of their records management systems in order that specific business records can be produced as evidence in court or to address any legal or regulatory requirement.
Notes: Records management: [ ]

Principle 10 - Organisations should provide appropriate records retrieval processes and mechanisms in order that any requirement to disclose information can be efficiently and securely dealt with. Such disclosures MUST be handled in accordance with all relevant legislation and regulations.
Notes: Access to information: [ ]

Principle 11 - An open and collaborative approach should be adopted within organisations, wherever possible, to gain acceptance of methods used to support investigations and incident handling. All methods of investigation and detection of information security incidents MUST be lawful.
Notes: Monitoring policy: [ ]

Principle 12 - Organisations should have a management review process that improves plans in accordance with experience and new knowledge.
Notes: Management reviews: [ ]

Table 1 – Forensic Readiness Principles


Appendix A – Capability Factors

Key Principles

Organisations should select a target Forensic Readiness capability level and policy requirements according to a number of different factors applicable to their ICT environment.

Introduction

92. Table A-1 presents the Capability Factors table. This table presents an approach that can be scaled according to a number of factors, given below. The table is presented with Capability levels 1 to 5 (columns) representing an increasing scale.

93. The factors (rows) are:

a. Segmentation model target - This row indicates the appropriate segment of the IS1 & 2 Sup (reference [b]) Segmentation Model (e.g. to apply more resources in this area as a risk management control);

b. Impact levels of target for Confidentiality (C), Integrity (I) or Availability (A) - This row indicates the default business impact levels, which is identical to the IS1 & 2 supplement mapping. From the perspective of this GPG, this applies to the impact level upon assets for which Forensic Readiness is the most effective control. For instance, if the asset is a financial system for which fraud has to be policed then the overriding business impact level will be that for the Integrity property;

c. Equivalent IS1 & 2 Threat Actor Capability level - This row indicates the equivalent Threat Actor Capability level which is defined in IS1 & 2 supplement. The view can be taken that a particular Forensic Readiness capability level is effective for deterring Threat Actors of that same level of Capability or lower, and may be inadequate for those of a higher capability;

d. Forensic readiness policy recommendations - This row indicates the specific forensic readiness policy recommendations at each capability level. These are hierarchical in that each column to the right imports all recommendations from the columns to the left;

e. Typical internal capabilities - This row indicates the internal capabilities an organisation would retain in order to satisfy the forensic readiness policy recommendations at a given capability level;

f. Typical technical infrastructure capability - This row indicates the infrastructure an organisation would typically require in order to support its intrinsic capability at a given level;

g. Typical external capabilities - This row indicates the outside (i.e. outsourced) support capabilities an organisation would call upon in order to satisfy the balance of forensic readiness policy recommendations at a given capability level that cannot be met by the organisation's internal capability.


The columns of Table A-1 run from Level 1 to Level 5 in order of increasing capability (for Level 4 and Level 5 see note [4]).

Factor: Segmentation model target
Level 1 to Level 5 (increasing): Aware; Deter; Detect & Resist; Defend.

Factor: Impact levels of target for C, I or A
Level 1: IL0/IL1. Level 2: IL2. Level 3: IL3. Level 4: IL4. Level 5: IL5/IL6.

Factor: Equivalent IS1 & 2 Threat Actor Capability level
Level 1: 1 - VERY LITTLE. Level 2: 2 - LITTLE. Level 3: 3 - LIMITED. Level 4: 4 - SIGNIFICANT. Level 5: 5 - FORMIDABLE.

Factor: Forensic readiness policy recommendations

Level 1:
Awareness of the benefits of forensic readiness.
Capability constructed reactively in response to events.
Sources of extrinsic capability are identified proactively.
Active WARP membership.
Compliance with Lawful Business Practice Regulations (including informing staff of monitoring).
Capable of responding to FOIA, DPA and disclosure requests.

Level 2 (as Level 1 plus):
Forensic readiness ownership formally established.
Plan documented and subject of annual desk exercise.
Formal service level agreement with extrinsic service providers in place.
Trained first responders.
Business continuity planning function present.
Able to institute RIPA requests.

Level 3 (as Level 2 plus):
Limited intrinsic capability to support internal investigations.
Regular live audits (e.g. upon decommissioning of equipment).
Electronic records management in place and self-audited.
Training for staff in response team and those who may need to present business records in court.
Incident response team and GovCERTUK enrolment.

Level 4 (as Level 3 plus):
Formal case and evidence handling.
Competent practitioners (investigators and experts).
Electronic records management audited annually to BS 10008:2008.
Police: applications and orders under PACE and SOCPA; search and seizure.
Criminal Justice: criminal prosecutions.

Level 5 (as Level 4 plus):
Cross-border (anti-cyber-crime) collaboration.
Covert operations and intelligence support.

Factor: Typical internal capabilities
Level 1: None. Level 2: First responders. Level 3: Internal incident response team with limited digital forensics capability. Levels 4 and 5 (increasing): Comprehensive digital forensics capability; Police only: additional capability for all kinds of forensics and scenes of crime investigations; Extensive capability to support major investigations and intelligence gathering.

Factor: Typical technical infrastructure capability
Level 1: None. Level 2: None. Levels 3 to 5 (increasing): Digital forensics toolkit; Log capture; Escalate monitoring for investigation support; Enterprise electronic communications archive; Automated digital forensics agents on servers; Research laboratories; Intercepts.

Factor: Typical external capabilities
Level 1: Identified suppliers; Referral of suspected criminal matters to law enforcement (universal to all levels). Levels 2 to 5 (increasing): Retained suppliers and help-line; Contracted suppliers with experts on-call; Suppliers top-up intrinsic capability; Independent expert witnesses; Reliance upon foreign law enforcement for cross-border cases.

Table A-1 – Capability Factors Table

[4] At Level 4 and Level 5 it is expected that organisations will undertake substantive and sophisticated planning activities, some examples of which are cited, that are in excess of the recommendations given in this GPG. The GPG is mainly targeted at providing generic capability recommendations at Level 3 and below.


Appendix B – Forensic Readiness Policy Content

Key Principles

This Appendix can be used as a starting point for development of a Forensic Readiness Policy.

It needs to be tailored according to the target organisation's exact requirements and capability targets.

Forensic Readiness Policy

[Organisation Name]

The Forensic Readiness Policy should include:

a) Unique document reference number and date of issue;

b) Identification of the author and owner

c) Version control information

d) History information and the policy it supersedes.

Reference: [Document Reference Number]
Date: [Document Issue Date]
Author: [Name and Position / Title]
Owner: [Name and Position / Title]

Contents List:

Table of contents of the policy document.

Statement of Commitment
Ownership
Links and Dependencies
Business Requirements
Capability
Management Framework
Relationship Management
Business Records Management
Awareness
Security Aspects
Quality Assurance
Performance Monitoring
Review

Statement of Commitment

Message from senior management underpinning the commitment to adoption of policy.

Ownership

Identification of the ownership of the policy.

Owner: [Name and Position / Title]
Contact: [Contact information]


Links and Dependencies

Provide linkage to organisational security policies, business continuity and disaster recovery planning, information security incident management, protective monitoring and external service provider contract management (including service level reporting and escalation management).

[Table of references]

Business Requirements

Document the local business drivers for undertaking digital forensic investigations or for the capture of digital information as evidence. Many organisations will face a common series of scenarios, as presented in IA Implementation Guide No. 18 (reference [d]). It is important to capture any unique local requirements. These typically occur when organisations have a specific regulatory role and conduct certain digital investigations as a matter of course, and those investigations require digital evidence to be produced in legal proceedings or to be used to prepare official notices.

[Describe unique local business drivers]

Capability

Include derivation of capability requirements including target internal capability and sources of external resources. This can also include milestones or reference to implementation project plans. Completing this section can be assisted by reference to Table A-1 in Appendix A.

[Internal Capability Level target statement, including rationale]

[Adaptation of relevant Appendix A policy recommendations as requirements]

[Internal facilities and infrastructure provision and current disposition]

[External resources to be relied upon and current disposition]

[Implementation milestones]

Management Framework

Define the management framework and terms of reference for each supporting Forensic Readiness business process. This should include:

a) Single Point of Contact (SPOC);

b) Planning and training function;

c) Investigation team and/or external resources.

Define roles and responsibilities for each, including planning, exercises and investigations proper.

Role: [Role name]
Roster: [Name(s) and Position(s) / Title(s)]
Contact: [Contact information]


Responsibilities

[List of role responsibilities]

Repeat the above for each Role.

Schedules

Include schedules of pre-planned activities, including calendars of:

a) Training activities and competence tests;

b) Exercises (including related business continuity exercises);

c) Reporting schedules;

d) Internal quality assurance reviews and scheduled audits;

e) Certification and scheduled external supplier audits;

f) Include information on inspection rights (including "no notice").

[Table of schedules]

Procedures

Include a list of related procedural documentation (assuming these are external documents), including:

a) Planning procedure;

b) Exercise procedure;

c) First response procedure;

d) Investigation procedure;

e) Review procedure;

f) Evidence management procedures;

g) Legal proceedings procedures;

h) Retention and disposal procedures.

[Table of procedures]

Relationship Management

Include policy statements on management of internal and external relationships. This should include:

a) Internal liaison with contracts and commercial functions;

b) Internal liaison with legal function;

c) Internal liaison with human resources and staff communications function;

d) Internal (or external) liaison with ICT services and facilities management functions;

e) Internal liaison with crisis management function;

f) Internal liaison with corporate communications (for external communications with customers, general public and the press);

g) External liaison with related contracted service providers;


h) External liaison with law enforcement, regulatory agencies and other emergency services;

i) External liaison with other external stakeholders.

[Relationship management policy statements]

[Stakeholder contact table]

Business Records Management

Outline the organisational approaches to records management, data protection, freedom of information and access to information. Include information on standards adhered to and how records can be produced as evidence in legal proceedings (along with supporting witnesses).

[Records management approach]

[Access to information]

[Producing documentation as evidence and witnesses]

Awareness

Detail the approach to informing all users of the relevant aspects of the Forensic Readiness policy. This should include:

a) Obtaining awareness and consent for use of ICT systems in support of investigations and any other aspects required by law;

b) Encouraging crime involving ICT systems, or misuse of ICT systems, to be reported;

c) Ensuring there are adequate sanctions to ensure that users are deterred from illicit use of ICT facilities.

[Awareness requirements]

Security Aspects

Digital evidence handled during investigations should be treated as sensitive information. If it is extracted from systems that process protectively marked data, or data with special handling caveats, it should have at least the same applied. This also has implications for security clearance requirements for investigators (in-house or external) and data handling requirements. Digital evidence also attracts its own sensitivities, as unauthorised release may prove prejudicial to legal proceedings. Consideration may also need to be given as to how information with national security implications is presented as evidence.

[Marking requirements]

[Handling requirements]

[Investigator security clearances]


Quality Assurance

Outline the Quality Assurance regimes that regulate the conduct of investigations, evidence and document management for both internal and externally supported investigations. Also outline the minimum competence requirements for internal and external investigators, facilities (laboratories) and inspections.

[Organisation QA]

[Partner QA]

[Minimum competence requirements]

Performance Monitoring

Specify the compliance requirements, Key Performance Indicator (KPI) and Service Level Agreement (SLA) metrics for the policy. Include:

a) Status of Forensic Readiness Policy in terms of production;

b) Current and target capability levels;

c) Forensic Readiness Policy level compliance reporting;

d) Disposition of ownership and resources applied to Forensic Readiness;

e) Status of plans and scenarios;

f) Status of exercise functions and feedback from exercises;

g) Status of staff or external current and target competency levels (including register of formal certifications);

h) Current and past investigation knowledgebase (anonymised) and active issues;

i) Supporting business process compliance reporting (including escalation of serious or persistent non-compliances);

j) Prioritisation, conflict resolution and decision making record (e.g. between evidence gathering and business continuity requirements);

k) Service level reporting;

l) Status of the current review cycle.

[List of compliance criteria]

[KPI and SLA tables]

Reviews

Outline requirements for policy and investigation case reviews. This should include details of maintenance of a sanitised investigation knowledgebase that is referred to during reviews and planning exercises.

[Policy and management review cycles]

[Post-case reviews]

[Investigation knowledgebase requirements]


References

[a] HMG IA Standard No. 1 & 2, Information Risk Management (UNCLASSIFIED) – latest issue available from the CESG website.

[b] HMG IA Standard No. 1 & 2 Supplement, Technical Risk Assessment and Risk Treatment (UNCLASSIFIED) – latest issue available from the CESG website.

[c] HMG Security Policy Framework (SPF), Tiers 1-3 (UNCLASSIFIED) are available at: http://www.cabinetoffice.gov.uk

[d] CESG IA Implementation Guide No. 18 - Forensic Readiness Planning (UNCLASSIFIED) – latest issue available from the CESG website.

[e] CESG Busy Reader Guide - Forensic Readiness (UNCLASSIFIED) – latest issue available from the CESG website.

[f] ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements.

[g] ISO/IEC 27002:2005 Code of Practice for Information Security Management.

[h] Cabinet Office, Guidance on the Forensic Readiness Policy (PROTECT DRAFT), May 2008.

[i] NISCC Technical Note 01/2005, An Introduction to Forensic Readiness Planning (Not Protectively Marked), May 2005.

[j] CESG Good Practice Guide No. 13, Protective Monitoring for HMG ICT Systems (UNCLASSIFIED) – latest issue available from the CESG website.

[k] ACPO, Good Practice Guide for Computer-based Electronic Evidence, Version 3.0, September 2003.

[l] BS EN ISO 9001:2008, Quality management systems - Requirements.

[m] Home Office Forensic Science Regulator, Manual of Regulation - Part One: Policy and Principles, Version 1.0, September 2008.

[n] ISO/IEC 17025:2005, General requirements for the competence of testing and calibration laboratories.

[o] ISO/IEC 17020:1998, General criteria for the operation of various types of bodies performing inspection.

[p] BS 10008:2008, Evidential weight and legal admissibility of electronic information - Specification, November 2008.

[q] HMG IA Standard No. 6, Protecting Personal Data and Managing Information Risk (UNCLASSIFIED) – latest issue available from the CESG website.


Glossary

ACPO - Association of Chief Police Officers.

BRG - CESG Busy Reader Guide.

BS - British Standard - Standard published by the BSI.

BSI - British Standards Institute.

CMT - Crisis Management Team - Emergency Response Team - Team led by senior management to handle crises, emergencies, disaster recovery and other contingencies that require invocation of business continuity plans.

CNI - Critical National Infrastructure - Systems, networks, sites and facilities that support essential services throughout the country.

CPD - Continuous Professional Development - Scheme that involves continuous monitoring and maintenance of competence levels of professionals to ensure continuation and improvement of knowledge, skills and experience within their areas of specialism.

CPNI - Centre for the Protection of the National Infrastructure - Agency associated with promotion of good practice in the Critical National Infrastructure community, with the responsibility for ensuring availability of critical services in the event of UK national emergencies and implementation of UK national civil contingency plans (previously known as NISCC).

Digital Evidence - Any information that can be secured from an information system and used during the course of any civil or criminal legal procedure. This extends to internal disciplinary hearings, employment tribunals, arbitration panels and all courts of law.

Digital Forensics - Part of forensic science relating to the production of legal evidence found in computers and storage media.

DPA - Data Protection Act.

EN - European standards maintained by the European Committee for Standardization (CEN) and European Committee for Electrotechnical Standardization (CENELEC).

FOIA - Freedom of Information Act.

Forensic Readiness - The achievement of an appropriate level of capability by an organisation in order for it to be able to collect, preserve, protect and analyse Digital Evidence so that this evidence can be effectively used in any legal matters, in security investigations, in disciplinary matters, in an employment tribunal or in a court of law.

FSAC - Forensic Science Advisory Council.


GovCERTUK - The HMG Computer Emergency Response Team.

GPG - CESG Good Practice Guide.

IA - Information Assurance - The confidence that information systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users.

ICT - Information and Communications Technology - Collective term for describing information systems and communications technology.

IEC - International Electrotechnical Commission.

IG - CESG IA Implementation Guide.

IL - Impact Level - Business impact level as defined in Appendix A of IS1 Part 1 (ranging from IL0 through to IL6).

ISO - International Standards Organization.

ITSO - IT Security Officer.

KPI - Key Performance Indicator.

LBPR - Telecommunication (Lawful Business Practice) (Interception of Communications) Regulations 2000.

Monitoring - The provision of a business process that provides the necessary resources to pro-actively monitor a system for information security incidents.

MR - Mandatory Requirement (of SPF, reference [c]).

NISCC - National Infrastructure Security Co-ordination Centre - This organisation is now known as CPNI.

NIST - US National Institute of Standards and Technology.

PRINCE - Projects Running in a Controlled Environment - Formal methodology for project and programme management and delivery.

Protective Monitoring - The whole process of recording information, subsequently analysing it and comparing it to an accepted security policy, and corrective actions that may follow.

RIPA - Regulation of Investigatory Powers Act.

Risk - The potential that a given threat will exploit vulnerabilities of an asset and thereby cause harm to the organisation.

RMADS - Risk Management and Accreditation Documentation Set - System risk management and accreditation documentation.


Segmentation Model - Concept introduced in IS1 & 2 Sup (reference [b]) as a means for focussing technical treatment of information security risks.

SIRO - Senior Information Risk Owner.

SLA - Service Level Agreement.

SOCPA - Serious Organised Crime and Police Act.

SPF - Security Policy Framework (reference [c]).

SPOC - Single Point of Contact - An organisation's focal point for dealing with significant incidents and investigations that is used for co-ordination with external authorities (including law enforcement). It is also a legally defined entity within RIPA regulations.

WARP - Warning, Alerting and Reporting Point - Local organisational information security incident handling resources recommended to HMG and Critical National Infrastructure organisations by CPNI.


CESG provides advice and assistance on information security in support of UK Government. Unless otherwise stated, all material published on this website has been produced by CESG and is considered general guidance only. It is not intended to cover all scenarios or to be tailored to particular organisations or individuals. It is not a substitute for seeking appropriate tailored advice. CESG Enquiries Hubble Road Cheltenham Gloucestershire GL51 0EX Tel: +44 (0)1242 709141 Email: [email protected] © Crown Copyright 2015.