Does your organization have documented procedures for collecting, preserving, and safeguarding incident data and metadata while maintaining chain-of-custody?
Explanation
Sound evidence handling is the focus here: whether you have documented procedures for collecting, preserving, and protecting incident data and metadata while maintaining chain-of-custody. Proper evidence handling includes documenting when and how data was collected, securing it against tampering, and maintaining detailed records of who accessed it and when.
Acceptable evidence would include documented incident response procedures that specifically address evidence collection and preservation, chain-of-custody forms, and tools/systems used for forensic data collection. For example, you might provide a redacted copy of your incident response playbook showing the evidence handling sections, screenshots of your evidence management system, or templates of chain-of-custody documentation.
Implementation Example
Collect, preserve, and safeguard the integrity of all pertinent incident data and metadata (e.g., data source, date/time of collection) based on evidence preservation and chain-of-custody procedures.
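As an added illustration of what "safeguard the integrity" and "chain-of-custody" look like in practice (example code, not part of the questionnaire or any particular evidence-management product), the script below records the metadata the control names (data source, collector, method, date/time of collection), hashes the item at intake, logs every custody transfer, and refuses a transfer when the current hash no longer matches the one taken at collection. The ledger field names, the analyst names, and the sample log line are all constructed for the example.

```python
# Added example: a minimal evidence-intake and chain-of-custody ledger.
# Field names below are illustrative assumptions, not a standard schema.
import hashlib
import os
import tempfile
import uuid
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images or captures need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _now():
    # UTC timestamps avoid ambiguity when evidence crosses time zones.
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def collect_evidence(path, source, collector, method):
    """Record what was collected, from where, by whom, how, and when, plus its hash."""
    record = {
        "evidence_id": str(uuid.uuid4()),
        "source": source,                # e.g. hostname + original path
        "collected_by": collector,
        "collection_method": method,
        "collected_at": _now(),
        "sha256": sha256_file(path),     # integrity baseline taken at intake
        "size_bytes": os.path.getsize(path),
        "custody": [],
    }
    # The first custody entry is the collector taking possession.
    record["custody"].append({"at": record["collected_at"], "holder": collector,
                              "action": "collected", "sha256": record["sha256"]})
    return record


def verify_integrity(record, path):
    """True if the file still matches the hash recorded at collection."""
    return sha256_file(path) == record["sha256"]


def transfer_custody(record, path, from_holder, to_holder, purpose):
    """Append a custody entry; refuse to hand over evidence whose hash has changed."""
    if record["custody"][-1]["holder"] != from_holder:
        raise ValueError(f"{from_holder} is not the current holder")
    current = sha256_file(path)
    if current != record["sha256"]:
        # Log the failed check itself so the ledger shows when the mismatch was found.
        record["custody"].append({"at": _now(), "holder": from_holder,
                                  "action": "integrity_failure",
                                  "sha256": current, "purpose": purpose})
        raise ValueError("integrity check failed; evidence not transferred")
    record["custody"].append({"at": _now(), "holder": to_holder, "action": "transferred",
                              "from": from_holder, "purpose": purpose, "sha256": current})
    return record


def demo():
    """Constructed walk-through: collect a sample log, transfer it, then detect tampering."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        with open(path, "w") as f:
            # Constructed sample log line (203.0.113.0/24 is a documentation range).
            f.write("Jan 01 00:00:01 host sshd[123]: Failed password for root from 203.0.113.5\n")
        rec = collect_evidence(path, "host:/var/log/auth.log", "analyst-a", "scp over ssh")
        transfer_custody(rec, path, "analyst-a", "analyst-b", "timeline analysis")
        ok_before = verify_integrity(rec, path)
        with open(path, "a") as f:
            f.write("tampered\n")          # simulate modification after collection
        ok_after = verify_integrity(rec, path)
        try:
            transfer_custody(rec, path, "analyst-b", "legal", "litigation hold")
            transfer_blocked = False
        except ValueError:
            transfer_blocked = True
        return ok_before, ok_after, transfer_blocked, len(rec["custody"])


if __name__ == "__main__":
    print(demo())
```

In a real deployment the ledger would be written to append-only storage and signed rather than kept in memory, but the shape of the record is what an auditor asks to see: who collected what, from where, when, the hash at intake, and every hand-off since.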
ID: RS.AN-07.327
Context
- Function: RS: RESPOND
- Category: RS.AN: Incident Analysis
- Sub-Category: Incident data and metadata are collected, and their integrity and provenance are preserved
Related questions
- Does your organization have a documented process for investigating notifications from security detection systems?
- Does your organization have a formal process to assess and document the impact of security incidents?
- Does your organization have a documented process for reconstructing the chronological sequence of security incidents, including all affected assets and resources?
- Does your incident response process include identification and analysis of vulnerabilities, threats, and threat actors involved in security incidents?
- Does your organization conduct root cause analysis to identify systemic issues when investigating security incidents?
- Does your organization utilize cyber deception technologies to gather intelligence on attacker behavior and tactics?