In CC 18 we discussed incident handling, which encompasses planning for and implementing Incident Response procedures. Fortunately, or unfortunately depending on perspective, there is a large body of both experience and material that exists. The quick win list provides a great initial roadmap to success for this control, some of which I would like to call out, but first, evidence handling procedures.

A couple of employers ago, I was tasked, along with a couple of other talented Security Engineers, with updating the evidence handling procedures for the company. It is important to understand that during an incident, evidence collection is just as critical as getting to the bottom of what happened. One rule that we adhered to, even when we were sure that an incident was downgraded to an "Event", is to treat it as if it was going to be reviewed in a court of law.

Interesting that there is also an RFC you can follow in this regard. RFC 3227 outlines some guidelines for evidence collection and archiving. I would like to call out section 2.4 of RFC 3227 and show this as some basic things to think about when doing incident handling:

- Admissible: It must conform to certain legal rules before it
- Authentic: It must be possible to positively tie evidentiary
- Complete: It must tell the whole story and not just a
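As an added example (not code from the post or from RFC 3227), here is one way the Authentic and Complete criteria above turn into a working chain-of-custody manifest: each artifact is tied to an incident by hash, custodian, action and UTC time, entries are hash-linked so a removed or edited log entry is detectable, and verification reports any artifact that has changed since it was collected. The function names, the incident id and the sample auth.log line are constructed for this example.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    # Small artifacts only; a disk image should be hashed in chunks rather than read whole.
    return hashlib.sha256(path.read_bytes()).hexdigest()

def record_custody(manifest: Path, artifact: Path, custodian: str, incident_id: str, action: str) -> dict:
    """Append a custody entry tying the artifact to the incident (hash, custodian, UTC time, action).
    Each entry commits to the previous entry's hash, so a removed or edited entry is detectable."""
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    entry = {
        "incident_id": incident_id, "artifact": artifact.name, "sha256": sha256_file(artifact),
        "custodian": custodian, "action": action, "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "prev_entry_hash": entries[-1]["entry_hash"] if entries else "0" * 64,
    }
    entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    entries.append(entry)
    manifest.write_text(json.dumps(entries, indent=2))
    return entry

def verify_custody(manifest: Path, evidence_dir: Path) -> list:
    """Return the problems found; an empty list means the log and the artifacts still check out."""
    problems, prev = [], "0" * 64
    for i, entry in enumerate(json.loads(manifest.read_text())):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["entry_hash"]:
            problems.append(f"entry {i}: log entry altered")
        if entry["prev_entry_hash"] != prev:
            problems.append(f"entry {i}: chain broken (entry removed or reordered)")
        prev = entry["entry_hash"]
        path = evidence_dir / entry["artifact"]
        if not path.exists() or sha256_file(path) != entry["sha256"]:
            problems.append(f"entry {i}: artifact {entry['artifact']} missing or changed since collection")
    return problems

def demo() -> tuple:
    """Constructed sample: collect a log, hand it over, verify, then edit the file and verify again."""
    work = Path(tempfile.mkdtemp())
    artifact, manifest = work / "auth.log", work / "custody.json"
    artifact.write_bytes(b"Jan 10 03:14:07 web1 sshd[2210]: Accepted password for svc from 10.0.0.9\n")
    record_custody(manifest, artifact, "analyst-a", "INC-2024-001", "collected")
    record_custody(manifest, artifact, "analyst-b", "INC-2024-001", "transferred to evidence locker")
    clean = verify_custody(manifest, work)
    artifact.write_bytes(b"Jan 10 03:14:07 web1 sshd[2210]: Failed password for svc from 10.0.0.9\n")
    return clean, verify_custody(manifest, work)
```

The manifest is only as trustworthy as the place it is stored, so in practice the custody log itself is kept on write-once or separately controlled media, which is what makes the hash chain useful as evidence rather than just a convenience.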