Abstract

With the increasing number of threats involving organization's today, i.e., identity theft, fraud, and embezzlement, it's imperative that companies have an incident response/forensic policy in place in order to successfully retain and preserve potential evidence. Organizations need to not only combat current problems, but to prevent them from reoccurring. Organizations should not feel alone in this battle. The federal government along with state governments have passed legislation that mandates an incident response/forensic policy be implemented in order to comply with the newly passed regulations, such has Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), and Gramm-Leach Bliley (GLBA). Also taken into account are guidances, frameworks, and standards that are the building blocks that many organizations have used to create their incident response/forensic policies and procedures. But how do organizations know what to document in these policies? How do they know if their policies comply with the ever growing number of regulations? How do they know that the information they are retrieving is not considered personally identifiable information that may have not been obtained legally? They do so by complying with the redundant, common criterion that is found in these regulations, standards, frameworks, and guidances.

Before creating an incident response/forensic policy, organizations need to identify privacy provisions as well as pertinent regulations, standards, frameworks, and guidances. After the latter have been identified, the incident response/forensics requirements need to be identified as well. Many organizations are now realizing the commonality/redundancies when reviewing these regulations, standards, frameworks, and guidances. By identifying these requirements and eliminating the redundancy, organizations can create and maintain a doctrine of documents that ensure that they are in compliance. When new regulations, standards, frameworks, and/or guidances are drafted and released, organizations are inconsistent when trying to comply with the specified timelines instead of integrating them or identifying how they already fit with the current environment.

Understanding the current computer incident state and federal laws is equally important, but this expertise is expected of the legal department and law enforcement. Such laws include The Compute Fraud and Abuse Act, The Computer Security Act of 1987, The US Privacy Act of 1974, The Electronic Communication Privacy Act of 1986, the Economic Espionage Act of 1996, The National Information Infrastructure Protection Act of 1996, USA PATRIOT Act of 2001, and the Homeland Security Act of 2002. Only law enforcement, legal departments, and state and federal district attorneys can determine whether or not the incident has the acceptable amount of evidence to prosecute at the state or federal level. For the purposes of this paper, the proceeding laws will not be analyzed.

This paper will give a high level overview of the regulations, standards, frameworks, and guidances chosen for an incident response/forensics cross-mapping matrix. In addition, once the appropriate requirements have been identified, new common language requirements will be created, and the identified regulations, standards, frameworks, and guidances will be mapped to them. Once the mapping is complete, the requirements will be written as policy statements, which will create a high level policy that is in compliance with the noted regulations, standards, frameworks, and guidances.

Although redundant requirements will have been eliminated, there is still not a standardize computer forensics/incidents handling policy, procedure or process for commercial organizations. When trying to establish a standardized process, circumstances that need to be taken into account are the size of the organization: people, resources, and budget. The latter are the three biggest restraints for organizations to move forward with an incident management program, so creating a standard will only force companies to either not have a process or have to expend above and beyond the resources they have to offer.

Although there are many regulations, standards, frameworks, guidances, and requirements mandated and implemented by organizations today, the following standards (ISO 17799:2005, FFIEC Information Security Handbook, Basel II), regulations (HIPAA, Privacy and Security Rule, GLBA Privacy and Safeguard Rule, California Information Practice Act (CA SB 1386), NY State Security Breach and Notification Act (NY AB 4254), and Sarbanes-Oxley (SOX) Section 301, 302, 404, 409, and 806), frameworks and guidances (Control Objectives for Information and related Technology (COBIT), The Committee of Sponsoring Organizations of the Treadway Commission (COSO), The Information Security Forum (ISF March 2005), and VISA/MC Payment Card Industry (PCI) requirements will be the focus for this research. All requirements associated with the latter will be listed and then common language will be extracted to and mapped within a matrix.

Library of Congress Subject Headings

Industrial policy; Computer security--Management; Computer security--Standards; Industrial management; Forensic accounting; Data protection

Publication Date

2006

Document Type

Thesis

Advisor

Bill Stackpole

Advisor/Committee Member

Luther Troell

Advisor/Committee Member

Yin Pan

Comments

Physical copy available from RIT's Wallace Library at HD3611 .D45 2006

Campus

RIT – Main Campus

Share

COinS