Information Security Management ResourceKit

A Public Service of SecureTheVillage

Initial Emergency Actions to Assure Preservation of Evidence

Should the event have information security implications, care must be taken to ensure that available evidence is preserved.

This requires leaving the computing device in the same state it was in when the event was observed. In particular, it means that, as a general rule:

  • Leave the computing device powered on [1]
  • Leave the computing device connected to the network [2]

Depending on specific circumstances, the ISM and IRT may decide that the danger from an ongoing incident is sufficient to justify risking the destruction of evidence. Options include, as appropriate:

  • Capturing volatile memory before powering a device down
  • Segmenting a device to block its access to other parts of the corporate network while leaving it connected to the Internet

[1] Modern malware often stores valuable information in volatile RAM. This information disappears when a computing device is powered down.

[2] Some malware continuously monitors for an Internet connection. If it discovers that the Internet has become unavailable, it destroys all evidence of its activity.
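As an added illustration of the second option (not part of the original resource), the shell function below emits an nftables ruleset meant for the network gateway, not the suspect device itself, so the device's own state is left untouched: traffic between the suspect host and the internal RFC 1918 ranges is logged and dropped, a designated analyst workstation keeps access for memory capture, and Internet-bound traffic is still forwarded so a malware connectivity check is not tripped. The addresses, table name and log prefix are placeholders chosen for this example.

```shell
# Generate an nftables ruleset that isolates one suspect host at the gateway.
# Added example; all addresses and names are placeholders, not values from
# the original page. Review the output, then validate it with `nft -c -f`
# before loading it on the gateway.
gen_isolation_ruleset() {
    suspect="$1"   # IP address of the device under investigation
    forensic="$2"  # analyst workstation that must still reach the device
    cat <<EOF
table inet ir_contain {
    set rfc1918 {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }
    chain forward {
        type filter hook forward priority -10; policy accept;
        # analyst workstation keeps access for volatile memory capture / triage
        ip saddr $forensic ip daddr $suspect accept
        ip saddr $suspect ip daddr $forensic accept
        # log and block lateral traffic to and from the corporate network
        ip saddr $suspect ip daddr @rfc1918 log prefix "IR-CONTAIN " drop
        ip daddr $suspect ip saddr @rfc1918 log prefix "IR-CONTAIN " drop
        # everything else (Internet egress) is still forwarded, so the
        # device stays online and its evidence is not self-destroyed
    }
}
EOF
}

# Usage: gen_isolation_ruleset <suspect-ip> <analyst-ip> > contain.nft
```

The log prefix gives the IRT a record of every blocked lateral connection attempt, which is itself evidence of what the device was trying to reach.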


Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.
