Educause Security Discussion mailing list archives
Re: Outsourcing Forensics
From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Tue, 29 Aug 2006 09:22:54 -0600
Gary,

That (your comment below) is exactly the reason I tend to discourage Audit Departments and Security Depts from taking on Forensics roles - Most will encounter the following:

1. Not enough funding to remain current.
2. Not enough work to keep skills intact.
3. Not enough training to maintain skills through change.
4. Not enough resources to properly handle the variety of equipment and situations they encounter.
5. Not enough credibility to stand up in court despite the skills.

I am of course using FORENSICS to mean the more complete, thorough, preparatory steps taken to investigate in a way that would pass scrutiny in a court of law and provide sufficiency in the most sensitive event. I am not at all opposed to the local IT or Security shops developing the skills to seek out information on deleted tracks, to examine a drive's contents, to do secure copies with the proper equipment to do duplication.

There are many cases where we (Auditors/Fraud Investigators/Security Staff) can use "Forensic" type information where we never intend to use it in a court of law, or have already written off that option. We get numerous requests from our legal staff and HR folks concerning drive contents and internal policy/disciplinary action that do not require a completely court-worthy forensic process.

There is much that can be done under internal policy that is eliminated as an option once the option is made to involve law enforcement, as their hands are tied when it comes to their scope of work. Under policy you can declare a machine and all data the property of the institution, and deny its use for personal ends. Then during investigation, anything out of sorts can be pursued per policy in any imaginable way. Under a legal review, you will be restricted to the particular scope of the charges and the restrictions provided by both state and federal law as to what you may do with the data you find. Policy is far less limited in terms of discovery.

The exception to this rule is if you are willing to create a forensic function that can be hired out by the state or that will support other institutions so that a continual workload/professional experience can be pursued. If your forensics function is available to your state government and potentially even private parties, then you can maintain the skills and fund the process as well as a private company, perhaps even with some advantage given the internal opportunities for practice and the captive source for a young, skilled workforce.

Best regards,

Jim

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Monday, August 28, 2006 8:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Outsourcing Forensics

We have not yet had an incident where we outsourced it though in a complicated, critical case we might. We have a forensics lab and myself and another person have been through training but we don't do it often enough to be any good at it. :(

Clip...