Businesses urged to devise digital-forensics plans

A report from the Information Assurance Advisory Council says businesses need to have a forensics strategy to support their position in legal proceedings

Firms should put in place forensics plans for incidents that may require computer evidence to be handed over, according to an influential security body.

The Information Assurance Advisory Council (IAAC) published a report on Tuesday that aims to provide organisations with guidance on retaining computer forensics evidence.

Evidence of disputed transactions, suspected fraud, complaints of negligence, cyberattacks and theft of data is required to support an organisation's position in legal proceedings, according to the Directors' and Corporate Advisors' Guide to Digital Investigations and Evidence.

Formulating a "forensics readiness plan" would enable organisations to be prepared for high-frequency, low-impact situations, and should go hand in hand with a disaster-recovery plan, according to the report's author, professor Peter Sommer.

"Unless the organisation has developed a detailed planned response to typical risk scenarios, much potential evidence will never be collected or will become worthless as a result of contamination," wrote Sommer, a visiting professor for the London School of Economics. "What is needed is a forensic readiness plan."

Businesses should first identify the threats faced by their organisation that may require digital forensic evidence. Firms should then identify to what extent they can already collect that evidence, and what remains to be done. Once organisations have familiarised themselves with potential legal issues — including admissibility, data protection and limits to surveillance — an action plan should be produced, wrote Sommer.

An IAAC guide to digital forensics was first made available in 2005. The present guide was written from scratch by Sommer, in response to changes in technology and the law since 2005.