RS.AN-07.327

Does your organization have documented procedures for collecting, preserving, and safeguarding incident data and metadata while maintaining chain-of-custody?

Explanation

This question assesses whether your organization has formal processes to handle digital evidence during security incidents in a way that maintains its integrity and admissibility. Proper evidence handling includes documenting when and how data was collected, securing it against tampering, and maintaining detailed records of who accessed it and when. Acceptable evidence would include documented incident response procedures that specifically address evidence collection and preservation, chain-of-custody forms, and tools/systems used for forensic data collection. For example, you might provide a redacted copy of your incident response playbook showing the evidence handling sections, screenshots of your evidence management system, or templates of chain-of-custody documentation.

Implementation Example

Collect, preserve, and safeguard the integrity of all pertinent incident data and metadata (e.g., data source, date/time of collection) based on evidence preservation and chain-of-custody procedures
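The procedure above asks for collection metadata (source, date/time), tamper-evidence, and a record of who handled the evidence. The script below is an added illustration of one way to keep such a record; it is not code from the NIST guidance, from this questionnaire, or from ResponseHub. It assumes evidence is held as local files and that a JSON-lines ledger sits beside them; the field names, the "constructed" sample log line and the actor and source strings are all invented for the example. Each ledger entry records the evidence file's SHA-256 and is itself hashed into the next entry, so an edited entry, a removed entry, or a modified evidence file shows up when the ledger is verified.

```python
"""Chain-of-custody ledger for incident evidence (added example, assumptions noted inline)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry of a ledger


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large artefacts (disk images, pcaps) need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash the canonical JSON of an entry, excluding its own entry_hash field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def _read_ledger(ledger_path: str) -> list:
    if not os.path.exists(ledger_path):
        return []
    with open(ledger_path, "r", encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def record_event(ledger_path, evidence_path, action, actor, source, note="", when=None):
    """Append one custody event (collected, transferred, analysed, sealed, ...).

    The evidence hash is recomputed at every hand-off, so a change between two
    events is caught by verify_ledger rather than silently inherited.
    """
    entries = _read_ledger(ledger_path)
    prev_hash = _entry_hash(entries[-1]) if entries else GENESIS
    when = when or datetime.now(timezone.utc)
    entry = {
        "seq": len(entries),
        "timestamp_utc": when.isoformat(),   # date/time of the action
        "action": action,
        "actor": actor,                      # who handled the evidence
        "evidence_path": evidence_path,
        "source": source,                    # where the data was collected from
        "sha256": sha256_file(evidence_path),
        "note": note,
        "prev_hash": prev_hash,              # links this entry to the previous one
    }
    entry["entry_hash"] = _entry_hash(entry)
    with open(ledger_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_ledger(ledger_path):
    """Return a list of problems; an empty list means records and evidence are intact."""
    problems = []
    prev_hash = GENESIS
    for i, entry in enumerate(_read_ledger(ledger_path)):
        if entry.get("seq") != i:
            problems.append(f"entry {i}: sequence gap or reordering")
        if entry.get("prev_hash") != prev_hash:
            problems.append(f"entry {i}: broken link to previous entry")
        if _entry_hash(entry) != entry.get("entry_hash"):
            problems.append(f"entry {i}: ledger record altered")
        path = entry.get("evidence_path", "")
        if not os.path.exists(path):
            problems.append(f"entry {i}: evidence file missing: {path}")
        elif sha256_file(path) != entry.get("sha256"):
            problems.append(f"entry {i}: evidence content no longer matches recorded hash")
        prev_hash = _entry_hash(entry)  # recomputed, so an altered entry breaks every later link
    return problems


def run_demo() -> dict:
    """Exercise the ledger on a constructed log file; returns the verification results."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "auth.log")
    with open(evidence, "w", encoding="utf-8") as f:  # constructed sample evidence
        f.write("Jan 1 00:00:01 host-01 sshd[4242]: Accepted publickey for alice\n")
    ledger = os.path.join(workdir, "custody.jsonl")
    record_event(ledger, evidence, "collected", "analyst-a", "host-01:/var/log/auth.log")
    record_event(ledger, evidence, "transferred", "analyst-b", "host-01:/var/log/auth.log",
                 note="moved to evidence locker")
    results = {"intact": verify_ledger(ledger)}
    with open(evidence, "a", encoding="utf-8") as f:  # simulate tampering with the evidence
        f.write("unexpected extra line\n")
    results["after_evidence_tamper"] = verify_ledger(ledger)
    entries = _read_ledger(ledger)  # simulate editing the first custody record
    entries[0]["actor"] = "someone-else"
    with open(ledger, "w", encoding="utf-8") as f:
        for e in entries:
            f.write(json.dumps(e, sort_keys=True) + "\n")
    results["after_ledger_tamper"] = verify_ledger(ledger)
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the file prints three verification results: no problems for the intact ledger, hash mismatches once the evidence file is appended to, and additionally an altered record plus a broken link once a ledger entry is edited. In practice the ledger would also be copied to write-once storage and signed, but the hash chain alone already turns "who touched it and when" into something that can be checked rather than trusted.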

ID: RS.AN-07.327

Context

Function
RS: RESPOND
Category
RS.AN: Incident Analysis
Sub-Category
Incident data and metadata are collected, and their integrity and provenance are preserved

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub