Forensic Evidence
Failure #3: Not properly collecting and maintaining forensic evidence during an incident.
Properly collecting and maintaining the information and evidence needed to determine the size and scope of a security incident is a major challenge for many organizations. Unfortunately, many companies fail to preserve copies of the systems that were targeted during an attack. Whether that evidence is lost in the rush to stop the bleeding (for example by wiping and rebuilding affected hosts) or because logs and volatile data are overwritten by new activity, its loss makes it much harder to establish the severity of an incident. It also invites scrutiny from regulators reviewing the effectiveness of the company's response.
Companies must incorporate procedures for securing forensic evidence (images of affected systems, the relevant logs, and a record of who collected and handled each item) into their response plans. Taking this step helps ensure IT professionals are equipped to preserve an unbroken chain of custody.
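As an added illustration of what such a procedure looks like in practice (this is example code written for this page, not a tool from the original article or any vendor), the helper below copies an artifact into an evidence store, hashes it before and after the copy, makes the copy read-only, and appends a hash-chained chain-of-custody record. A later `verify()` pass re-derives every hash, so a copy that was overwritten after collection, or a custody record that was deleted, is detected rather than silently trusted. The case ID, analyst name, directory layout and the sample `auth.log` lines are all constructed for the example.

```python
"""Added example: minimal evidence preservation with a tamper-evident custody log."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

MANIFEST = "chain_of_custody.jsonl"  # append-only custody log inside the evidence directory
GENESIS = "0" * 64                    # prev-entry hash for the first record in the chain


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so disk or memory images need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _read_manifest(manifest_path):
    """Return the custody log as a list of (raw_line_bytes, parsed_record)."""
    entries = []
    if os.path.exists(manifest_path):
        with open(manifest_path, "rb") as fh:
            for raw in fh:
                raw = raw.rstrip(b"\r\n")
                if raw:
                    entries.append((raw, json.loads(raw)))
    return entries


def preserve(source_path, evidence_dir, case_id, collector, note=""):
    """Copy an artifact into the store, fix its hash, make it read-only, log custody."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest_path = os.path.join(evidence_dir, MANIFEST)
    entries = _read_manifest(manifest_path)
    # Each record commits to the previous line, so removing or reordering entries is detectable.
    prev_hash = hashlib.sha256(entries[-1][0]).hexdigest() if entries else GENESIS
    source_hash = sha256_file(source_path)  # hash the original before anything else touches it
    evidence_id = f"{case_id}-{len(entries) + 1:04d}"
    stored_path = os.path.join(evidence_dir, evidence_id + os.path.splitext(source_path)[1])
    shutil.copy2(source_path, stored_path)  # copy2 preserves the original's timestamps
    if sha256_file(stored_path) != source_hash:
        os.remove(stored_path)
        raise RuntimeError("copy does not match source; acquisition failed")
    os.chmod(stored_path, 0o444)  # read-only: guards against accidental overwrite
    record = {
        "evidence_id": evidence_id,
        "case_id": case_id,
        "source_path": os.path.abspath(source_path),
        "stored_path": stored_path,
        "sha256": source_hash,
        "size_bytes": os.path.getsize(stored_path),
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "note": note,
        "prev_entry_sha256": prev_hash,
    }
    with open(manifest_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def verify(evidence_dir):
    """Re-derive every hash. Returns {evidence_id: [problems]}; an empty list means intact."""
    report = {}
    prev_hash = GENESIS
    for raw, rec in _read_manifest(os.path.join(evidence_dir, MANIFEST)):
        problems = []
        if rec["prev_entry_sha256"] != prev_hash:
            problems.append("custody log chain broken (entry removed or reordered)")
        if not os.path.exists(rec["stored_path"]):
            problems.append("evidence file missing")
        elif sha256_file(rec["stored_path"]) != rec["sha256"]:
            problems.append("evidence file modified since collection")
        report[rec["evidence_id"]] = problems
        prev_hash = hashlib.sha256(raw).hexdigest()
    return report


def demo():
    """Collect a constructed artifact, verify it, overwrite it, verify again. Returns both reports."""
    work = tempfile.mkdtemp(prefix="ir-evidence-")
    target = os.path.join(work, "auth.log")
    with open(target, "w", encoding="utf-8") as fh:  # constructed sample log, not a real capture
        fh.write("Mar 14 02:11:07 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2\n"
                 "Mar 14 02:11:09 web01 sshd[2201]: Accepted password for deploy from 203.0.113.7 port 51022 ssh2\n")
    store = os.path.join(work, "evidence")
    rec = preserve(target, store, case_id="IR-2024-017", collector="analyst1", note="sshd log from web01")
    clean = verify(store)
    # The failure mode the text warns about: the preserved copy gets overwritten later.
    os.chmod(rec["stored_path"], 0o644)
    with open(rec["stored_path"], "a", encoding="utf-8") as fh:
        fh.write("Mar 14 03:00:00 web01 sshd[2201]: Server listening on 0.0.0.0 port 22.\n")
    return clean, verify(store)


if __name__ == "__main__":
    before, after = demo()
    print("after collection:", before)
    print("after overwrite: ", after)
```

The hash chain on the manifest is what turns a plain inventory into custody evidence: an auditor can recompute it from the first line forward and show that nothing was dropped or inserted. In a real response the store would sit on write-once or separately controlled storage, and the hashes would also be recorded out of band (a ticket, a signed note), since a file permission alone does not stop a privileged user.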