University of Twente Student Theses


Continuous forensic readiness

Wit, Jeroen de (2013) Continuous forensic readiness.

Abstract: For years information security has focused on implementing preventive measures to avoid IT incidents. In recent years the realization has struck that only trying to prevent IT incidents is insufficient, as examples have shown that a determined attacker with sufficient resources will eventually succeed in breaking or circumventing any preventive measures taken. As such, organizations are now taking a more holistic approach to information security, implementing preventive, detective and responsive measures. Depending on the organization and the nature of the IT incident, the response to an incident can include a forensic analysis. Upon successful completion, such an analysis reveals exactly how the incident occurred, which systems and data have been affected and potentially who is responsible. Upcoming legislation will force organizations to disclose such detailed information on IT incidents to supervisory authorities in case of data breaches. Being prepared for forensic analysis is known as a state of forensic readiness. Currently there is no generally acknowledged model available on how organizations can achieve that state, neither within the academic literature nor in the professional market. Furthermore, the limited number of available guidelines that describe how to (partly) achieve a state of forensic readiness do not describe how organizations can maintain it. This research proposes the Continuous Forensic Readiness Framework (CFRF), based on literature studies and interviews, which allows organizations to reach and maintain a state of forensic readiness. The basis for the CFRF is 44 aspects and corresponding illustrative controls for achieving forensic readiness. These aspects are derived from academic literature and from experts on forensic analysis.
To allow a state of continuous forensic readiness to be reached, for each aspect the CFRF describes actions to be performed in a Plan-Do-Check-Act (PDCA) cycle on the different management levels Strategic, Tactical and Operational. For each of these actions responsibilities are assigned to stakeholders, differentiating between Responsible, Accountable, Supportive, Consulted and Informed (RASCI). The aspects within the CFRF are categorized into People, Process and Technology, and are furthermore divided into three levels of importance. This allows the framework to be implemented in a layered manner, starting with the controls of the highest importance, and allows each organization to determine at which level it is currently acting. Furthermore, the division into categories allows implementation and maintenance to be delegated within the organization, while progress and status can be monitored by assessing the controls. By implementing the CFRF, organizations are able to achieve a state of continuous forensic readiness, and are thus prepared to perform forensic analyses at all times.
Item Type: Essay (Master)
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Computer Science MSc (60300)

