6.3 Differentiate between and execute appropriate incident response procedures.
Forensics – Forensics involves the legal collection, protection, and proper analysis of evidence from a crime scene so that the facts can be used and presented in court. The most important part of forensics is ensuring that evidence is properly gathered and protected. In forensics, the chain of custody must not be broken, or else the evidence cannot be used in court.
Chain of custody – The chain of custody is used and needed to account for every person who had access to or handled crime scene evidence, as well as to ensure that proper steps were taken during evidence storage. It is the basic who, what, when, where, why, and how. Anyone who sees or touches the evidence must be documented so as to prevent any type of tampering. The chain of custody must be followed, or else the evidence cannot be used legally in court.
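As an added illustration (not part of the original study notes), the following Python example shows one way to keep the who/what/when/where/why/how record described above tamper-evident: the evidence is hashed at collection, every hand-off is refused unless the item still matches that hash, and each log entry is hash-chained to the previous one so that an altered or reordered entry is detected. The item identifier, people and locations are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Tamper-evident chain-of-custody record for one evidence item.
    Each entry records who/what/when/where/why/how plus the evidence hash,
    and is chained to the previous entry by hash so edits are detectable."""

    def __init__(self, item_id: str, evidence: bytes, collector: str, where: str, how: str):
        self.item_id = item_id
        self.acquisition_hash = sha256(evidence)  # hash taken at collection time
        self.entries: list[dict] = []
        self._append(who=collector, what="collected", where=where,
                     why="incident response acquisition", how=how)

    def _append(self, **fields: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = dict(fields, item_id=self.item_id,
                     when=datetime.now(timezone.utc).isoformat(),
                     evidence_hash=self.acquisition_hash, prev_entry_hash=prev)
        # hash of the entry body, which includes the previous entry's hash
        entry["entry_hash"] = sha256(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def transfer(self, *, to: str, where: str, why: str, how: str, evidence: bytes) -> dict:
        """Record a hand-off. Refuses if the item no longer matches its acquisition hash."""
        if sha256(evidence) != self.acquisition_hash:
            raise ValueError("evidence hash mismatch: chain of custody is broken")
        return self._append(who=to, what="received", where=where, why=why, how=how)

    def verify(self) -> bool:
        """Recompute the hash chain; False if any entry was altered or reordered."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if (e["prev_entry_hash"] != prev
                    or e["evidence_hash"] != self.acquisition_hash
                    or sha256(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]):
                return False
            prev = e["entry_hash"]
        return True

if __name__ == "__main__":
    image = b"constructed sample disk image"  # stands in for a real forensic image
    log = CustodyLog("EV-0001", image, "first responder", "server room", "write-blocked imaging")
    log.transfer(to="forensic analyst", where="evidence locker", why="analysis", how="sealed bag", evidence=image)
    print("chain intact:", log.verify())
```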
First responders – When a breach or incident is reported or detected, incident response must begin with the first responders. These responders are the first to arrive at a crime scene and are needed to ensure that damage can be limited and that the needed information can be gathered properly and in a timely manner in the event that a court hearing or trial is sought. Those designated as first responders should be well aware of the incident response procedure in place. The plan should include proper documentation, backing up and copying any affected files, collecting audit logs, and many other procedures.
The first responders are entirely in charge of ensuring that the crime scene and any volatile evidence are properly protected. The responder can be a police officer, an IT staff member, or someone from a set team.
Damage and loss control – A first responder is the main person involved in damage and loss control. The first responder should work very carefully to ensure that no damage is done to any potential evidence and that no evidence is lost during the investigation process. Because evidence can be destroyed or tampered with, a first responder needs to be well trained and aware of the situation at hand. Any evidence that is damaged or tampered with may not be usable in court.
Damage and loss control is also important when attempting to minimize and reduce the impact of an incident. The incident response team should know what to do in the case of all sorts of problems, such as a virus attack. Damage and loss control can involve knowing which servers need to be turned off or taken off the network and how business can continue while attempting to keep the problem at bay. Start-up and shut-down procedures should be in place so as to prevent any further damage or loss.
Reporting and disclosure – In an incident response policy, proper reporting and disclosure procedures should be in place and well mapped out. Whenever an incident occurs, it is up to a specific group of people not only to report the incident but also to decide whether the incident should be disclosed to the media and to related companies such as equipment, operating system, and application manufacturers. Legal authorities may also need to be notified of the incident.