Forensic Capability Maturity Assessment:
The Business Issue:
To counter the risks of today's "open" and interconnected environments, organizations must have a program in place to identify, assess, and respond to computer-based attacks and employee misconduct. A properly defined, implemented, and managed Incident Response Program is a mandatory and extremely cost-effective risk mitigation technique. The trend toward greater business involvement in incident response exists primarily because of customer expectations, public relations, legal and regulatory compliance issues, and the recognition that an impact on a given system or application will impact customers (internal or external). How an organization determines, resolves and communicates an incident to the community will directly determine the extent of any damage to its reputation or service commitments.
A key component of an Incident Response Program is an effective and efficient forensic capability. Forensics is, in essence, the processing of electronic evidence to determine the who, what, where, when, and how. Computer and network forensics must therefore mature to the level at which the discovery, determination, analysis, protection and presentation of electronic crime evidentiary data meet our legal system's requirements.
Establishing a center-of-excellence computer forensics capability is part of making an organization a resilient business. An internal, centralized capability is the most economical and prudent means of handling incidents. However, should an incident become a lawsuit, or if criminal intent is discovered (potentially requiring the involvement of law enforcement), then corporate forensic processes, staff training, tools and capabilities will certainly be scrutinized. Litigators and law enforcement will press the following types of questions (but are not limited to them):
- Is the organization's forensic staff properly trained in evidence processing procedures?
- Are you analyzing all potential avenues and repositories of electronic data that could be involved in the flow of an attack or incident, and thus determining the full extent of the attack or incident?
- Are you using forensic analysis and subsequent prevention efforts to limit potential damage to your other business units, partners and customers (due diligence)?
- Are proper computer forensics software tools used to preserve, process, document and protect the evidence? Is a proper chain of custody established in the processing of the evidence?
- Does the organization's staff have sufficient depth to deal with more than one computer incident at a time?
- Is the organization's forensic staff qualified to testify as experts in electronic evidence processing?
This level of forensic service capability is broader than what most organizations currently have. The subject is important for business unit and service level managers, who need to understand how computer forensics fits as a strategic element of overall organizational computer security. Network and system administrators and other computer security staff need to understand the issues associated with computer forensics, as do those who work in corporate governance, legal departments, or IT.
Many organizations have a computer forensics capability but lack a formal, standardized methodology for assessing the maturity of that capability.
As the core of the program analysis, KoreLogic compares an organization's forensics program to our observed best practices. It is important to understand that best practices for various industries are not necessarily well-defined and are sometimes more a reflection of what companies should be doing than of what the best in their industry actually are doing. As a whole, many Fortune 500 firms are not on the cutting edge of technology and security "best practice" and are still coming up to speed as the focus of their business shifts toward real-time Internet-based transactions.
At the program level, KoreLogic will target a number of areas where an organization can take action to improve its forensics program. The assessment's goal is to provide a roadmap that better prepares the organization to meet current and upcoming business, regulatory and legal challenges.
The recommendations generated are necessary for an organization to meet these challenges, but the process must be managed carefully. In particular, transitional periods pose security issues: responsibilities shift, staff changes, and new staff capabilities and processes must be implemented to meet business requirements. KoreLogic's analysis focuses on what is best for the organization (establishing and enhancing forensic capabilities) rather than on recommending the allocation of responsibilities to particular groups.
KoreLogic developed a model for assessing an organization's computer forensic capability. Since the computer forensics field has not yet defined a consistent, documented, and broadly accepted standard, KoreLogic developed its own Forensic Capability Maturity Model (FCMM), an adaptation of the Capability Maturity Model Integration (CMMI) version 1.1. In developing the FCMM, KoreLogic reviewed related published documentation and national standards, conducted interviews with Fortune 100 forensic groups, and analyzed required program capabilities. KoreLogic's goals for the FCMM were to:
- Utilize known evaluation methods, ported to the forensics arena, which lacks a standard of its own
- Remove bias from the evaluation process
- Create a model that is transferable across industry sectors
The model consists of the FCMM and forensic program elements (business and technical). Business elements involve the overall management and support of the forensic operation (e.g., training employees) and technical elements involve actions directly related to performing forensics work (e.g., imaging a disk drive).
For each primary forensic program element, an analysis is performed to determine current capabilities by reviewing documentation, conducting interviews, and analyzing current program capabilities against baseline forensic requirements, industry best practices, similar industry peers, and KoreLogic's observed best practices. Each element is then scored in accordance with KoreLogic's FCMM as shown below.
The model has been field tested with Fortune 100 firms and allows a company to conduct an overall discovery and capabilities assessment to identify risk areas and facilitate the creation of a workable, time-phased, prioritized plan to address gaps.