Forensic Readiness Plans
Issue 18, July 2014
This article introduces the concept of Forensic Readiness Plans, and explains why every organisation should have one.
- What is a Forensic Readiness Plan (FRP)?
- Who is it for?
- How will it help?
- What kinds of electronic evidence should be covered by an FRP?
- Isn’t this what the IT department is for?
- Can I relax when the plan is completed?
What is a Forensic Readiness Plan (FRP)?
An FRP is a policy document that sets out exactly what to do when electronic evidence is required, whether as part of legal action, a regulatory response, an internal investigation or a disciplinary procedure. Its purpose is to maximise the amount of data that is readily available and to minimise the time and money needed to secure the data that is required.
Who is it for?
Company directors and incident management teams can use an FRP as a single point of reference during an incident. Information in the FRP will draw on their firm’s IT, HR, legal, security and business continuity policies.
How will it help?
Identifying the types of electronic evidence you may need to produce or preserve in your business is a great way to identify gaps in current procedures. For example, you may realise that:
- There is no procedure in place to retrieve copies of mailboxes from an outsourced email provider
- Your company no longer maintains the correct software to read all documents from the last seven years
- Existing backups have never been tested and do not restore successfully.
An FRP will also provide an invaluable head start in a time-critical situation. For example, does someone in the organisation know how to preserve each form of electronic evidence found in the work environment? For items that can be dealt with internally, the key stakeholders should be named in the plan. For everything else, the contact details of a forensic provider that can support the process should be listed, along with what they will need from the client organisation.
What kinds of electronic evidence should be covered by an FRP?
- Computers, email servers and file shares are the traditional sources of electronic evidence in the office environment. The rise in popularity of Bring Your Own Device (BYOD) policies can frustrate any data collection from computers, both technically and legally
- Logs from web servers, internet gateways and internal services
- Structured data such as databases for CRM, finance applications, etc.
- Smartphones and tablets have added a further layer of complexity, with many employees in some sectors doing the majority of their work on a mobile device
- Removable media is everywhere, and with ever-increasing capacities. The cost of these devices continues to fall, making them more prevalent in the workplace
- Social media, whether for personal use, work use, or a mix of the two. Facebook, Twitter and LinkedIn can each fall under any of these categories
- Web services like Dropbox for storage and Office 365 for software
- Volatile data, such as the memory of running computers, is not always necessary but in some cases can be extremely useful if captured correctly.
Isn’t this what the IT department is for?
An IT team will play a major part in any forensic response. However, it is often important to clearly define their responsibilities so that data is not only preserved, but preserved in a manner that keeps it admissible in court. Procedures that achieve this are referred to as ‘forensically sound’.
A good computer forensics provider will work closely with a client’s IT staff to tailor a proportionate response to a range of situations, from Freedom of Information requests to action taken by the police and/or a regulator.
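What a forensically sound preservation step can look like in practice, as an added example rather than code from the original article: the copy is verified by hash against the original, made read-only, and recorded in an append-only custody log naming who preserved it. The file name, custodian and directory layout are constructed for the demonstration.

```python
# Constructed example (not from the article): a forensically sound preservation
# step for one file, of the kind an FRP might ask named internal staff to follow.
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve(source, evidence_dir, custodian, log_path):
    """Copy source into evidence_dir, prove the copy matches the original by
    hash, make it read-only, and append a custody record to log_path."""
    os.makedirs(evidence_dir, exist_ok=True)
    before = sha256_of(source)
    dest = os.path.join(evidence_dir, os.path.basename(source))
    shutil.copy2(source, dest)  # copy2 keeps the original timestamps
    os.chmod(dest, 0o444)       # discourage accidental modification
    after = sha256_of(dest)
    if before != after:
        raise RuntimeError(f"preserved copy of {source} does not verify")
    record = {"item": os.path.basename(source), "source": os.path.abspath(source),
              "copy": dest, "sha256": after, "custodian": custodian,
              "preserved_at": datetime.now(timezone.utc).isoformat()}
    with open(log_path, "a") as log:  # one JSON record per line, append-only
        log.write(json.dumps(record) + "\n")
    return record

def verify(record):
    """Re-check a preserved copy against its recorded hash, e.g. at handover."""
    return sha256_of(record["copy"]) == record["sha256"]

def run_demo():
    """Preserve a constructed file, verify it, then show a later edit is detected."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "mailbox-export.pst")
    with open(src, "wb") as f:
        f.write(b"constructed mailbox export, not real data")
    rec = preserve(src, os.path.join(work, "evidence"), "J. Doe (IT, named in FRP)",
                   os.path.join(work, "custody.jsonl"))
    intact = verify(rec)
    os.chmod(rec["copy"], 0o644)  # simulate someone altering the copy afterwards
    with open(rec["copy"], "ab") as f:
        f.write(b"x")
    return rec, intact, verify(rec)
```

Calling run_demo() returns the custody record, True for the untouched copy and False once the copy has been altered; the same verify() check belongs at every handover named in the plan.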
Can I relax when the plan is completed?
Anyone with an FRP is ahead of the game, but this shouldn’t be mistaken for a quick fix or an easy answer. An outdated plan is of little use, so internal ownership of the plan is essential to ensure it is kept current. To paraphrase computer security expert Bruce Schneier, ‘Forensic readiness is a process, not a product’.