IRO-08: Chain of Custody & Forensics
Mechanisms exist to perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices.
Control Question: Does the organization perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices?
General (19)
| Framework | Mapping Values |
|---|---|
| CSA IoT SCF 2 | IMT-01 |
| IMO Maritime Cyber Risk Management | 3.5.5.2 |
| ISO 27002 2022 | 5.26 5.28 |
| ISO 27017 2015 | 16.1.7 |
| MPA Content Security Program 5.1 | OR-4.0 |
| NIST 800-53 R4 | AU-10(3) |
| NIST 800-53 R5 (source) | AU-10(3) IR-4(12) |
| NIST 800-53 R5 (NOC) (source) | AU-10(3) IR-4(12) |
| NIST 800-161 R1 | AU-10(3) |
| NIST 800-161 R1 Level 2 | AU-10(3) |
| NIST 800-161 R1 Level 3 | AU-10(3) |
| NIST CSF 2.0 (source) | RS.AN RS.AN-06 RS.AN-07 |
| SWIFT CSF 2023 | 7.1 |
| UN R155 | 7.3.7(c) |
| UN ECE WP.29 | 7.3.7(c) |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | IRO-08 |
| SCF CORE ESP Level 1 Foundational | IRO-08 |
| SCF CORE ESP Level 2 Critical Infrastructure | IRO-08 |
| SCF CORE ESP Level 3 Advanced Threats | IRO-08 |
US (6)
| Framework | Mapping Values |
|---|---|
| US DFARS Cybersecurity 252.204-70xx | 252.204-7018(e) |
| US DHS ZTCF | SEC-02 |
| US FFIEC | D3.CC.Re.Int.3 D3.CC.Re.Int.4 |
| US HIPAA HICP Medium Practice | 8.M.A 8.M.B |
| US HIPAA HICP Large Practice | 8.M.A 8.M.B |
| US NERC CIP 2024 (source) | CIP-008-6 2.3 CIP-009-6 1.5 |
EMEA (3)
| Framework | Mapping Values |
|---|---|
| EMEA Germany C5 2020 | SIM-03 |
| EMEA Saudi Arabia SACS-002 | TPC-89 |
| EMEA UK DEFSTAN 05-138 | 3104 |
APAC (6)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0137 ISM-0138 ISM-1609 ISM-1731 ISM-1732 |
| APAC India SEBI CSCRF | RS.AN.S3 |
| APAC Japan ISMAP | 16.1.7 16.1.7.13.PB |
| APAC New Zealand HISF 2022 | HHSP74 HML74 HSUP66 |
| APAC New Zealand HISF Suppliers 2023 | HSUP66 |
| APAC New Zealand NZISM 3.6 | 7.3.11.C.01 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada OSFI B-13 | 3.4.5 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices.
Level 2 — Planned & Tracked
Incident Response (IRO) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for incident response operations. o Implement and maintain an incident response capability using a documented and tested Incident Response Plan (IRP) to facilitate incident management operations that cover preparation, detection and analysis, containment, eradication and recovery.
- Incident response operations are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel:
Level 3 — Well Defined
Incident Response (IR) processes are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, scalable and integrated team of formally-assigned cybersecurity, IT, data privacy and business function representatives that can perform coordinated incident response.
- The ISIRT, or similar function, develops and maintains a documented, program-level Integrated Incident Response Program (IIRP) that provides operational and tactical-level guidance for cybersecurity and data privacy response operations.
- A Security Operations Center (SOC), or similar function, facilitates incident management operations that includes preparation, detection and analysis, containment, eradication and recovery.
- Business Process Owners (BPOs), in conjunction with the SOC and ISIRT functions, develop and maintain a documented Incident Response Plan (IRP) specific to the business process / business unit but inclusive of the organization's larger approach to incident response operations.
- An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and provides that information to the SOC for Incident Response Operations (IRO).
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices.
Assessment Objectives
- IRO-08_A01 reviewer or releaser credentials are maintained within the established chain of custody for information reviewed or released.
Evidence Requirements
- E-IRO-01 Incident Response Program (IRP)
-
Documented evidence of a Incident Response Plan (IRP). This is program-level documentation in the form of a runbook, playbook or a similar format provides guidance on organizational practices that support existing policies and standards.
Incident Response - E-IRO-10 Chain of Custody
-
Documented evidence of an in-house, or externally contracted, capability to perform digital forensics and maintain the integrity of the chain of custody, in accordance with applicable laws, regulations and industry-recognized secure practices.
Incident Response
Technology Recommendations
Micro/Small
- Third-party advisors (e.g., virtual CISO, Managed Security Services Provider (MSSP), etc.)
Small
- Third-party advisors (e.g., virtual CISO, Managed Security Services Provider (MSSP), etc.)
Medium
- Chain of custody procedures
- OpenText Encase (https://opentext.com)
- AccessData Forensic Toolkit (FTK) (https://pluralsight.com)
- Extero (https://exterro.com)
Large
- Chain of custody procedures
- OpenText Encase (https://opentext.com)
- AccessData Forensic Toolkit (FTK) (https://pluralsight.com)
- Extero (https://exterro.com)
Enterprise
- Chain of custody procedures
- OpenText Encase (https://opentext.com)
- AccessData Forensic Toolkit (FTK) (https://pluralsight.com)
- Extero (https://exterro.com)