The Governance of Corporate Forensics using COBIT, NIST and Increased Automated Forensic Approaches




Henry Nnoli, Dale Lindskog, Pavol Zavarsky, Shaun Aghili, Ron Ruhl
Information Systems Security Management, Concordia University College of Alberta, Edmonton, Canada
henrynnoli@gmail.com, {dale.lindskog, pavol.zavarsky, shaun.aghili, ron.ruhl}@concordia.ab.ca

Abstract

Today, the ability to investigate internal matters such as policy violations, regulatory compliance and employee separation has become important for corporations in order to manage risk. The information security threats evolving on a daily basis have increasingly raised concerns for enterprise organizations. These threats include, but are not limited to, fraud, insider threat and intellectual property (IP) theft, and they have increased the demand for organizations to implement corporate forensics as a deterrent to illegitimate acts and as a means of linking perpetrators to those acts. This explains why forensic practices are expanding from their traditional role in law enforcement and becoming an essential part of business processes. However, most organizations may not be maximizing the benefits of corporate forensic capabilities because of a lack of corporate forensic governance best practices, which are needed to ensure organizations prepare their operating environment for digital forensic investigation. Corporate forensic governance will help ensure that digital evidence is obtained in an efficient and effective way with minimal interruption to the business. This paper presents a corporate forensic governance framework intended to enhance forensic readiness, governance and management, and to increase the use of automated forensic techniques and in-house forensically sound practices in large organizations that have a need for these practices.
Keywords: corporate forensic governance (CF governance); corporate forensic readiness; increased automated forensic solutions; digital forensic investigation; digital evidence

I. INTRODUCTION

Most organizations waste effort, time and resources in carrying out forensic investigations due to a lack of corporate forensic preparedness [4]. Forensic readiness (preparedness) can be defined as the process of being prepared, with the right policies, procedures, people and techniques in place to respond professionally and promptly, before an incident occurs. Rowlingson [4], in his paper A Ten Step Process for Forensic Readiness, described forensic readiness as the ability of an organization to maximize its potential to use digital evidence while minimizing the cost of an investigation. In that paper he discussed practices that, when implemented before a digital incident occurs, can help organizations be ready to carry out forensic investigations. However, forensic readiness is only one part of a comprehensive and well-structured corporate forensic governance program. Governance is the process of establishing and maintaining a framework, and the supporting management structure and processes, to provide assurance that the applicable strategies are aligned with and support business objectives and are consistent with applicable laws and regulations, through adherence to policies and internal controls and the assignment of responsibility, all in the effort to manage risk [22]. In most organizations, when incidents occur the incident response team's major concern is to contain the incident and restore operations, paying less attention to potential evidence. In most cases the digital evidence is then contaminated, incomplete and untrustworthy, all of which inhibits linking perpetrators to their illegitimate acts if a crime has been committed [2]. This is simply because of a lack of forensic readiness, which is part of a good corporate forensic governance program.
Grobler et al. [5] stated that all disciplines need some form of policy, procedures, standards and guidelines, hence necessitating the proper facilitation of governance. In their paper, entitled Managing digital evidence - The governance of digital forensics, they introduced a preliminary framework for the governance of digital forensics. According to COBIT [10], the principles of governance best practice include strategic alignment, risk management, value delivery, resource optimization and continuous performance evaluation. The Board Briefing on IT Governance [22] states that governance practices have been confirmed to yield huge benefits in the fields of information technology (IT) and information security (IS) due to the establishment and adoption of applicable frameworks such as COBIT. In other words, the top management of various organizations are realizing the significant impact information technology and information security can have on the success of their enterprise because those fields are governed [22]. Such governance practices are lacking in the field of digital forensics [5]. For various reasons, which will be highlighted later in this paper, there is a need for effective and efficient governance practices for corporate forensic programs, to ensure that value, risk and resources are optimized during forensic investigations. Most organizations are still wary of in-house forensic readiness and capability because they feel it involves complex processes, but with a proper best practice framework for corporate forensic governance and readiness they will observe that in-house forensic readiness can be conducted in an efficient and effective way. In addition, the use of innovative, user friendly and increased corporate forensic automated solutions (such as EnCase Enterprise) reduces the resources (time, effort and personnel) used for such practices. A framework for corporate forensic best practices based on increased automated forensic suites will help enhance corporate forensics in organizations.

Corporate forensic governance and management oversees the processes and controls that support sound forensic practices, from the corporate forensic readiness (preparation) phase to the final phase of digital evidence presentation (should civil litigation arise) or escalation to law enforcement (if a criminal case is identified). Governance will ensure proper controls are in place so that digital evidence can be identified, organized, collected, stored, handled (with proper chains of custody), analyzed and presented effectively. Since senior management is accountable for all business risk (IT related and other) in their organization, good governance practices will enable them to monitor forensic practices closely to ensure mitigation of the applicable potential IT related risks facing the organization's business. Given the existence of COBIT [10][11] and other IT and IS governance frameworks, and research work such as [1][2][3][4][5][8], it is clear that there is a governance gap in the field of corporate forensics. In this paper a governance framework is presented, one that will guide large organizations in need of a corporate forensic program on how governance best practices can enhance corporate forensic readiness and in-house forensically sound practices in an efficient and effective way.
This paper is organized into the following sections: section II argues the need for corporate forensic readiness and governance; section III explains best practice governance principles; section IV is a brief discussion of related work; section V describes the proposed framework; finally, in section VI we conclude and recommend future work.

II. CORPORATE FORENSIC READINESS AND GOVERNANCE

According to [8], litigation is a last option for most organizations because of concerns such as negative publicity and its negative impact on the business. Therefore, corporate forensic readiness, governance and in-house forensic capability will help organizations be prepared to gather and use digital evidence as a deterrent and for reaching firm conclusions during internal investigations of non-criminal violations. The objective of corporate forensic readiness is to ensure digital evidence is collected using sound forensic processes, effectively and with minimal interruption to the business. This evidence can also be used in the organization's interest and defense. Although many organizations outsource forensic activities, it is likely that most would prefer to perform them internally. The reasons for this include privacy, confidentiality of organizational and customer data, legal risk, delayed forensic results from consultants, and compliance with regulations such as Sarbanes-Oxley, the King 3 Report, the Basel Committee report on banking supervision and FIPS PUB 200. In addition, it is costly to outsource forensic activities in large organizations that experience recurring digital incidents. FIPS PUB 200 (2002) mandated that all federal agencies in the United States comply with the standard's Audit and Accountability section, which states that organizations must:

1. Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
2. Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions [12].

These considerations show that, in a great many cases, there is a clear need for corporate forensic readiness and in-house forensic capability. Rowlingson [4] articulates ten steps toward corporate forensic readiness:

1. Define the business scenarios that require digital evidence.
2. Identify available sources and different types of potential evidence.
3. Determine the evidence collection requirement.
4. Establish a capability for securely gathering admissible evidence to meet the requirement.
5. Establish a policy for secure storage and handling of potential evidence.
6. Ensure monitoring is targeted to detect and deter major incidents.
7. Specify the circumstances in which escalation to a full formal investigation should be launched.
8. Train staff in incident awareness so that all those involved understand their role in the digital evidence process and the legal sensitivities of evidence.
9. Document an evidence-based case describing the incident and its impact.
10. Ensure legal review to facilitate action in response to the incident.

A good governance framework consists of both governance and management processes [11]. Rowlingson's work should be incorporated into the management processes, and we therefore refined it and used it in developing the management processes (CFM domain) of our proposed corporate forensic governance framework. More elaboration on the need for corporate forensics can be found in [8].

A. Need for Effective Governance Practice over Corporate Forensic Investments

Good governance includes risk assessment, a step necessary to help organizations see the threats they are exposed to and the potential impact of those threats on the business if they are not mitigated. This is where the cost of implementing internal forensic capabilities and readiness can be weighed against the potential benefits of the forensic investment. Some questions that help show how good governance can enhance a corporate forensic program include: How can evidence be collected and used effectively? How do you decide when to use outside forensic investigators? How do you keep your business running during an investigation? What are the consequences for litigation if evidence collection is delayed? How do you ensure the collection of the appropriate evidence that a court of law might need? By addressing these and other questions, good governance will ensure a corporate forensic program is successful, effective and achieves its goals. The costs of increased automated forensic and remote forensic solutions are decreasing and the benefits are increasing. The benefits include resource optimization (reduction of the time, personnel and effort put into investigation), remote forensics (reduction of travel cost) and reduction of IT related business risks such as insider threat, fraud, insider collusion, intellectual property theft and staff sabotage. Considering all these potential benefits, good governance will ensure corporate forensic practices are enhanced and optimized to deliver them effectively.

B. The Relationship between IT Governance, IS Governance and Corporate Forensics

It could be argued that corporate forensics falls, in some respects, under IT governance and IS governance. However, some important aspects of corporate forensics, such as jurisprudence (legal requirements) and forensically sound processes, are not fully part of IT and IS governance [3].
According to ACPO [30], forensically sound processes mean performing forensic practices (collection, examination, analysis, documentation, preservation of evidence and chain of custody) according to the applicable jurisdiction. It also means that forensic practices should be conducted in such a way that, if necessary, an independent third party is able to repeat the same processes and obtain the same result. This shows that preserving the integrity of evidence is very important during forensic investigations. Corporate forensics (CF) and digital forensics (DF) will be used interchangeably in this paper. Researchers such as Von Solms [3] and Grobler [5] explain the relationship between digital forensics (DF), IS governance, IT governance and corporate governance. Von Solms et al. state that the proactive mode of information security ensures all policies, procedures and technical mechanisms are in place to prevent harm to the organization's information, while the reactive mode ensures that if harm occurs it will be repaired (business continuity planning, good backups and disaster recovery techniques are part of the reactive mode) [3]. The proactive mode of digital forensics ensures all policies, procedures, and technical and automated mechanisms are in place to be able to act when required; the reactive mode ensures that the necessary actions can be performed to support the specified analytical and investigative techniques required by digital forensics [3]. This shows that some components of digital forensics, IS governance and IT governance overlap and are related. Therefore, the best practice governance principles used for effective IT and IS governance can also be used for corporate forensic governance. In addition, a corporate forensic governance framework should use the common language of other governance frameworks such as IT governance, to achieve the common objective of managing business risk effectively and delivering value to the business.
Figure 1 below shows a holistic view of DF and its relationship with corporate governance, IS governance and IT governance.

Figure 1: Relationship between corporate governance, IT governance, IS governance and digital forensics [3].

III. BEST PRACTICE GOVERNANCE PRINCIPLES

According to best practices [10][11][22], governance principles include strategic alignment with business objectives, value delivery to the business, risk management, optimization of available resources and continuous performance evaluation.

A. Strategic Alignment

Good governance of corporate forensics (CF) will ensure that the objectives of CF practices are aligned with the organization's goals. According to the Board Briefing on IT Governance [22], the cost effectiveness of a security program is determined by how well it supports the organization's objectives. Corporate forensic governance will also ensure that corporate forensic objectives are defined in business terms and that every CF control is traced to a specific business requirement. The following indicate alignment: a corporate forensic program that enhances business activities; a corporate forensic program that is responsive to defined business needs; corporate forensic program and organization objectives that are defined and clearly understood by relevant stakeholders; a corporate forensic program that is mapped to organizational goals and validated by senior management; and a corporate forensic strategy and steering committee made up of key executives to ensure continuous alignment of corporate forensic objectives and business goals.

B. Value Delivery

Good governance of corporate forensic practices will also ensure that corporate forensic investments are optimized in support of enterprise objectives and that the organization obtains benefits from those investments. Governance will ensure corporate forensic investments support business needs and add the expected value. For instance, where there is no governance there is no monitoring and evaluation to confirm that the corporate forensic investment continues to support the business in achieving its strategic needs; the investment may then fail to add the expected value, since there are no metrics to measure whether value is optimized. Given the significant cost associated with corporate forensic practices, corporate forensic governance increases the likelihood that a corporate forensic program succeeds. Figure 2 shows some of the questions governance will ask to ensure value is optimized.

Figure 2: Val IT Framework 2.0, value according to the Four Ares as described in the Information Paradox [39].

C. Risk Management

For applicable IT related business risk to be mitigated using corporate forensic practices, CF governance helps ensure that corporate forensic practices are an integral part of the enterprise risk assessment and management program. CF governance will also ensure that the corporate forensic strategy and program help the organization achieve an acceptable level of applicable IT related business risk. A structure for risk assessment as defined by NIST 800-30 is shown in figure 3 below. If corporate forensic practices are part of the enterprise risk management program, potential evidence sources will be identified in a proactive manner. CF governance will also ensure that the legal risks involved in corporate forensic practices are fully identified, communicated, mitigated and managed.

Figure 3: NIST 800-30 Risk Assessment Methodology [36].

Furthermore, in the risk assessment methodology shown in figure 3, step 4 requires control analysis and selection. This is where controls are selected for all identified risks: candidate controls are weighed and analyzed based on their strengths and weaknesses, and the control that most effectively mitigates each risk is selected. All risks that could best be mitigated with corporate forensic practices should be identified, documented in a risk profile chart and rated to show their potential value impact to the business. This is one of the principles of good CF governance, which will ensure that all risks that could be mitigated with corporate forensic practices are mitigated in an optimized way.

D. Resource Optimization

This principle of good corporate forensic governance deals with the planning, allocation and control of corporate forensic resources, which include people, processes and technologies (increased automated forensic suites), towards adding value to the business. CF resources need to be managed properly to be effective. Proper CF resource management will ensure that corporate forensic practices are efficient and cost effective and, most importantly, that corporate forensics effectively addresses applicable business needs.

E. Performance Evaluation

Since, as the saying goes, you cannot manage what you cannot measure, the governance of corporate forensic practices will ensure that measures are in place to monitor corporate forensic processes and measure their performance. This will help management make informed decisions about the state of the corporate forensic program and ascertain whether it is effective. Methods such as the CF maturity model (see Appendix), checklists and other tools could be used. Some indicators of an effective corporate forensic program, as observed from performance measurement, include: the time it takes to detect and uncover potential security threats to the business; the number of threats effectively traced to their sources within a minimal time interval and without interruption to the business; and the number of security breaches reported (a smaller number of reported breaches indicates effectiveness of the control as a deterrent). The performance measurement module of the governance framework is represented in the corporate forensic evaluation (CFE) domain of the proposed framework.

IV. RELATED WORK

Researchers such as [4][6][7][8] have looked into some form of forensic readiness, while [2][8][9][21] have looked into some form of proactive digital forensics; both are considered part of, but not a comprehensive representation of, good governance practices. They did not comprehensively address the establishment of a governance framework and the major governance processes for corporate forensic practices, which would clearly make their work more effective. In other words, they did not address in detail how corporate forensic practices could be enhanced using governance best practices. The lack of CF governance practices might explain why management sees digital forensics as an abstract and highly technical field and has very little interest in leveraging its benefits to achieve corporate goals. Good governance, as referred to at the beginning of this section, means getting senior management involved in an interactive manner by using globally adopted common business language in a governance framework for forensic practices; management taking ownership of the forensic program by assuming responsibility and accountability (RACI chart) for forensic processes; use of increased automated forensic suites with generation of user friendly executive reports, remote forensics and automated processes; and use of forensic practices to minimize high IT related business risk. All these enhancements are expected to help organizations maximize the benefits of forensic practices in an efficient and effective way. Discussing proactive or corporate forensic readiness, as [2][4][6][7][8][9][21] do, without establishing a governance structure and framework and obtaining management support will result in a corporate forensic readiness program that is not fully effective and efficient. Furthermore, at the time this paper was written, only one group of researchers, Grobler et al. [5], had, to the best of our knowledge, researched the governance of digital forensics. Their paper was a preliminary framework in the form of an outline for the governance of digital forensics. The scope of that paper did not comprehensively address how globally accepted governance best practices [10][11][22] can be used to enhance a corporate forensic program in enterprise organizations.

V. DESCRIPTION OF THE PROPOSED FRAMEWORK

According to best practice [11], a governance framework should consist of two major kinds of processes: governance processes and management processes. The governance processes provide direction in strategic alignment, risk management, resource optimization, value delivery and performance evaluation. The governance field directs the management field and ensures management processes achieve their goals. The management field is responsible for executing and implementing directions from the governance field. The management processes involve the specialized and operational processes that governance uses to achieve its tactical and operational goals. The management section performs more hands-on tasks than the governance section. The proposed framework was developed on this principle and is categorized into three domains: Corporate Forensic Governance (CFG, governance processes), Corporate Forensic Management (CFM, management processes) and Corporate Forensic Evaluation (CFE). The third domain, CFE, maintains a life cycle model for the framework by evaluating, monitoring and continually improving forensic processes through lessons learned and evaluation using a maturity model (see Appendix). Figure 4 shows the corporate forensic governance framework lifecycle.

Figure 4: The three major domains of the proposed corporate forensic governance framework lifecycle

The proposed corporate forensic governance framework was developed with the common language and best practices used in related governance models.

A. Corporate Forensic Governance (CFG).

Corporate Forensic Governance (CFG) was developed with the major principles of best governance practices as recommended by COBIT [10][11] and the Board Briefing on IT Governance [22], which include strategic alignment, risk management, resource optimization and value delivery. These principles represent control objectives CFG1 to CFG4 of the corporate forensic governance domain. Detailed control practices were developed under each of these control objectives.

B. Corporate Forensic Management (CFM).

The second domain, Corporate Forensic Management (CFM), contains the functions classified as management functions in the framework. This domain was developed from best practices, Rowlingson's work [4] and all the other literature reviewed in the reference section. The control objectives in this domain (CFM1 to CFM10) are: manage legal requirements; define policies; define procedures; manage education, training and awareness; perform pro-active evidence identification; collect evidence; examine and analyze evidence; manage evidence; manage third parties; and document, report and present evidence. Detailed control practices were developed under each of these control objectives.

C. Corporate Forensic Evaluation (CFE).

The third domain, Corporate Forensic Evaluation (CFE), contains processes to evaluate (using the maturity model, see Appendix), monitor, assess and improve (with lessons learned and feedback) forensic practices, to ensure the objective of the framework is continuously achieved. The objectives of the framework include performing corporate forensic activities in an efficient and effective way, with minimal disruption to the business; collecting evidence in a forensically sound way; and reducing applicable potential IT related risk to the business. This domain was developed from the process assessment best practices in all the literature reviewed. Detailed control practices were developed under each of the control objectives (CFE1 to CFE3) for this domain.

D. Corporate Forensic Governance Structure

Figure 5: A hypothetical corporate forensic governance structure

Figure 5 shows a high level hypothetical corporate forensic governance structure. Other assurance functions like HR, Internal Audit, Privacy, the Value Management Office, Legal etc. are part of the corporate forensic strategy and steering committee. To establish an effective CF governance program, the first step is to establish a governance structure that will oversee the governance of the corporate forensics program. This is one of the requirements for good governance, as stated in section CFG1.1 of the proposed framework. According to several regulations and best practices [10][11][22], senior management is ultimately responsible for good governance, to show due care in performing tasks involving all specialized disciplines. Corporate forensics, information technology and information security are examples of such specialized disciplines in a corporate environment. Therefore the overall accountability for good governance is the responsibility of the board of directors. The Board or the CEO should set up a steering and strategy committee to oversee its corporate forensic responsibilities and report back to them, since they have many commitments. This responsibility could also be taken by the CIO, depending on how large the organization is or on the business environment of the organization.
Therefore, this is just a hypothetical structure; organizations can set up their governance structure as it suits their business environment. For instance, if an organization is experiencing various insider frauds and other negative publicity due to security breaches, the Board of directors will be interested in knowing the most effective mitigation strategy for that risk. This will increase the organization's interest in implementing a corporate forensic program, which the CEO or board might want to oversee. Each member of the governance and management teams in the proposed framework has assigned roles and responsibilities similar to those seen in [22]. They are either responsible, accountable, consulted and/or informed on each of the governance, management and evaluation processes of the corporate forensic governance framework. This is achieved using the RACI chart, which states who is Responsible, Accountable, Consulted and/or Informed. Table I below explains the RACI chart.

TABLE I
THE RACI CHART

RACI | Task
1. R means Responsible | Those responsible for performing the task or ensuring the task is done
2. A means Accountable | The person who must approve or sign off before the process is effective, or the person accountable for the success of the process
3. C means Consulted | Those who provide input needed to complete the task
4. I means Informed | Those who are regularly updated on the outcome of decisions, processes and actions taken

E. Corporate Forensic Governance Framework

The framework consists of 3 domains (CFG, CFM and CFE), 17 high level control objectives (CFG1-CFG4, CFM1-CFM10, CFE1-CFE3) and 123 detailed control practices. The control practices and the RACI assignment of roles and responsibilities can be adjusted to suit each organization's needs and business environment. In other words, some of the control practices might not be applicable in some organizations, depending on how they are structured and on their business environment. In addition, some of these controls may already have been implemented in some organizations (for example for information security); in such a scenario, enhancement is needed to accommodate forensic practices. During implementation of the framework, CFG1 to CFG4 will be implemented first, before CFM1 to CFM10 and then CFE1 to CFE3.
The RACI chart was used in assigning roles and responsibilities to the governance and management team according to best practices [10][22]. Refer to Section V for more explanation of the structure of the proposed framework. A brief explanation of the scope and control objectives of the proposed framework is shown in Table II.

TABLE II
EXPLANATION OF THE SCOPE AND CONTROL OBJECTIVES OF THE PROPOSED FRAMEWORK

Scope: The scope of the proposed corporate forensic governance framework is based on the use of increased automated forensic suites like EnCase Enterprise for forensic practices. These suites are known for increased automation and for an ease-of-use approach to performing forensic practices. However, a forensic expert is needed in the forensic team for effective and efficient use of these automated suites to achieve applicable organizational goals. The framework was designed for global use and in a high level format, with general requirements for performing forensic practices using automated forensic suites. A brief explanation of the control objectives is given below.

Control objective | Brief explanation of the control in the proposed framework

CFG1 Strategic alignment | This control ensures that clear goals and objectives of a corporate forensic program are defined and that these goals and objectives are strategically aligned to enterprise goals and objectives. In other words, this control ensures that the corporate forensic program is helping the organization achieve some of its goals and objectives.

CFG2 Ensure risk is optimized with CF implementation | This control ensures that business risks which can be mitigated with corporate forensics are identified and mitigated. To achieve this, a corporate forensic program should be part of the enterprise risk management program, to ensure CF is effectively used as a mitigation control in managing applicable IT related business threats and risks such as insider threat, fraud, IP theft, staff sabotage etc.

CFG3 Ensure resources are optimized with CF implementation | Due to the significant cost involved in establishing a CF program, this control will ensure that CF resources are managed properly and optimized efficiently. This control will also ensure CF resource management is aligned with enterprise resource management for efficient utilization of budget and organization finances.

CFG4 Ensure value is optimized with CF implementation | This control ensures that the CF program is adding the expected value to the business. It will also ensure that forensic investments are monitored and their value documented, to determine if the program is helping the business achieve some of its goals and objectives.

CFM1 Manage legal requirements | This control ensures that digital evidence is obtained in accordance with applicable law, regulation and standards for digital evidence acquisition.

CFM2 Define policies | Grobler et al. stated that policies are the building blocks for management to provide a framework to manage DF in an organization [2]. This control will ensure that the policies required for a CF program are established and managed.

CFM3 Define procedures | This control ensures that procedures for a CF program are established and are based on standards like ACPO [30].

CFM4 Manage education, training and awareness | This control ensures that awareness of the CF program is created in the organization. It also ensures that forensic resources are reputable and that forensic personnel have the relevant skills to perform CF tasks.

CFM5 Perform pro-active evidence identification | This control ensures that digital evidence is identified in a proactive manner, by analysis and assessment of the enterprise resources that might be potential evidence sources. This is based on the enterprise risk assessment.

CFM6 Collect evidence | This control ensures that evidence is collected in a forensically sound manner using automated forensic suites.

CFM7 Examine and analyze evidence | This control ensures that evidence is examined and analyzed in a forensically sound manner using automated forensic suites.

CFM8 Manage evidence (chain of custody) | This control ensures that evidence is managed and secured, and that the chain of custody is monitored and managed, so that the integrity of evidence is maintained.

CFM9 Manage third party | This control ensures that third party forensic consultants are managed so as not to introduce new business risk to the organization when outsourcing forensic practices.

CFM10 Documentation, report and presentation | This control ensures that forensic processes are documented in such a way that an independent forensic examiner can repeat the same process and obtain the same result. It also ensures digital evidence is presented in the right format to the applicable audience.

CFE1 Monitor and evaluate forensic process compliance with regulation | Without proper monitoring and evaluation of CF practices, it will be difficult to improve CF practices or make the CF program effective. This control will ensure that all forensic processes conform to the regulations and legal requirements for obtaining forensically sound digital evidence in the applicable jurisdiction.

CFE2 Monitor, evaluate and report forensic process performance and conformance | This control ensures that all forensic practices are monitored and evaluated, using the maturity model (see Appendix) and checklists, to ensure the controls are effectively achieving their objectives.

CFE3 Continuously improve corporate forensic processes | This control ensures that CF practices are continuously improved using lessons learned and the maturity model (see Appendix), to make the CF program more effective in mitigating applicable business risk.

Table III below shows the proposed corporate forensic governance framework.
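Several of the controls above (CFM1 on evidence integrity, CFM6 on reproducible collection, CFM8 on chain of custody, and CFM10 on documentation that an independent examiner can re-check) come down to one mechanism: a content hash of the evidence plus a tamper-evident record of every custody event. The following Python program is an added example that is not from the paper and not the output of any forensic suite it mentions; the evidence bytes (a constructed syslog excerpt), handler names and timestamps are all made up, and the hash-chained ledger layout is one possible design, not a standard. It shows what a reviewer performing the CFE1/CFE2 checks can verify mechanically: that the stored evidence still matches its acquisition hash, and that no custody entry was edited, dropped or reordered after the fact.

```python
"""Hash-chained chain-of-custody ledger for one digital evidence item.

Constructed example: evidence bytes, handlers and timestamps are invented.
Hashing uses SHA-256 from the standard library. Each custody event carries
the hash of the previous entry, so editing or removing an earlier entry
breaks every later link and is reported by verify().
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

# Constructed sample evidence: an excerpt from a central syslog server.
SAMPLE_EVIDENCE = (
    b"2013-04-02T09:14:03Z fileserver01 sshd[2211]: Accepted publickey for jdoe\n"
    b"2013-04-02T09:15:47Z fileserver01 kernel: usb 1-1: new high-speed USB device\n"
)


def sha256_hex(data: bytes) -> str:
    """Content hash; any independent party with the same bytes gets the same value."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    seq: int
    timestamp_utc: str      # should come from an NTP-synchronised clock; constructed here
    action: str             # collected, transferred, accessed, analysed ...
    handler: str
    evidence_sha256: str    # hash of the evidence item this event refers to
    prev_entry_hash: str    # hash of the previous ledger entry ("" for the first)
    entry_hash: str = ""    # hash over all fields above, fixed when the entry is appended

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return sha256_hex(canonical.encode())


class CustodyLedger:
    """Append-only custody record for a single evidence item."""

    def __init__(self, evidence_id: str, evidence: bytes):
        self.evidence_id = evidence_id
        self.evidence_sha256 = sha256_hex(evidence)   # acquisition hash
        self.events: List[CustodyEvent] = []

    def record(self, timestamp_utc: str, action: str, handler: str) -> CustodyEvent:
        prev = self.events[-1].entry_hash if self.events else ""
        ev = CustodyEvent(len(self.events) + 1, timestamp_utc, action, handler,
                          self.evidence_sha256, prev)
        ev.entry_hash = ev.compute_hash()
        self.events.append(ev)
        return ev

    def verify(self, evidence: Optional[bytes] = None) -> List[str]:
        """Return the list of problems found; an empty list means everything checks out."""
        problems: List[str] = []
        if evidence is not None and sha256_hex(evidence) != self.evidence_sha256:
            problems.append("evidence bytes do not match recorded hash")
        prev = ""
        for i, ev in enumerate(self.events, start=1):
            if ev.seq != i:
                problems.append(f"entry {i}: sequence gap or reorder")
            if ev.prev_entry_hash != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if ev.entry_hash != ev.compute_hash():
                problems.append(f"entry {i}: entry contents altered")
            if ev.evidence_sha256 != self.evidence_sha256:
                problems.append(f"entry {i}: refers to a different evidence hash")
            # Link against the recomputed hash so an edited entry also breaks its successor.
            prev = ev.compute_hash()
        return problems


def build_sample_ledger() -> CustodyLedger:
    """Constructed custody history: collection, storage, and one analyst access."""
    ledger = CustodyLedger("EVID-0001", SAMPLE_EVIDENCE)
    ledger.record("2013-04-02T10:00:00Z", "collected", "forensic specialist A")
    ledger.record("2013-04-02T10:30:00Z", "transferred to evidence safe", "forensic specialist A")
    ledger.record("2013-04-03T08:05:00Z", "accessed for analysis", "forensic specialist B")
    return ledger


def tampered_ledger_problems() -> List[str]:
    """Rewrite an existing entry after the fact and show that verification catches it."""
    ledger = build_sample_ledger()
    ledger.events[1].handler = "someone else"
    return ledger.verify(SAMPLE_EVIDENCE)


if __name__ == "__main__":
    good = build_sample_ledger()
    print("clean ledger:", good.verify(SAMPLE_EVIDENCE))
    print("modified evidence:", good.verify(SAMPLE_EVIDENCE + b"x"))
    print("edited ledger entry:", tampered_ledger_problems())
```

The ledger deliberately stores the acquisition hash in every entry rather than only once, so a reviewer can check each custody event against the evidence on its own; in practice the ledger itself would be written to storage that the forensic team cannot silently rewrite (append-only media or a signed export from the forensic suite, as CFM10.2 asks), since a hash chain detects edits but does not prevent a complete re-creation of the record.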

TABLE III
THE PROPOSED CORPORATE FORENSIC GOVERNANCE FRAMEWORK

The table lists, for each control objective, a RACI assignment across 16 role columns: Board, CEO, CFO, COO, CIO, Corporate Forensic Strategy & Steering Committee, Chief Risk Officer, Chief Information Security Officer, HR, Internal Audit, Compliance, Business Process Owners, Value Management Office, Forensic Specialist(s), Privacy Officer and General Counsel/Legal. The RACI letters are reproduced as recovered after each control objective (blank cells were not preserved). Where a control practice takes input from another control, that control is shown as "input from".

Domain: Corporate Forensic Governance (CFG)

CFG1 Strategic alignment. RACI: C C C C R A C R C C R C R C C
CFG1.1 Establish a governance structure with some members of senior management to lead the organization's corporate forensic investigation program
CFG1.2 Understand enterprise business strategy, culture, objectives and direction
CFG1.3 Define high level corporate forensic objectives and evaluate how they can help the enterprise achieve its business objectives
CFG1.4 Align corporate forensic goals to enterprise goals and confirm that they are aligned
CFG1.5 Understand the enterprise architecture (business, applications, data, technology and information) and perform a corporate forensic gap analysis
CFG1.6 Identify threats and system weaknesses in the current environment and identify how corporate forensics can help reduce those threats
CFG1.7 Understand enterprise requirements and the potential significance of corporate forensics for achieving its strategy
CFG1.8 Develop a corporate forensic governance and management plan, formally obtain support from the appropriate stakeholders and get approval for implementing forensic controls and capability
CFG1.9 Review corporate forensic program objectives to ensure they are aligned with changing business goals

CFG2 Ensure risk is optimized with CF implementation. RACI: C R C C R A R R C C C C I C C C
CFG2.1 Ensure that the corporate forensic program is part of the enterprise risk assessment and management program
CFG2.2 Align the corporate forensic risk governance strategy to the enterprise risk governance strategy for risk optimization
CFG2.3 Evaluate and document how CF related business risk (both IT and legal) can be managed using corporate forensic practices so as not to exceed the board's risk appetite
CFG2.4 Ensure continuous examination and decision making on the impact of risk on critical enterprise IT resources and on how effectively the corporate forensic program can help mitigate identified risk
CFG2.5 Evaluate IT-related losses and how enterprise risk management using corporate forensic practices can bring benefits
CFG2.6 IT related risk which can be mitigated by corporate forensic practices should be managed using published policies and procedures and escalated to the relevant governing body if need be
CFG2.7 Ensure the risk of contaminating evidence is managed properly by using forensically sound processes, automated forensic techniques and trained forensic examiners
CFG2.8 Perform a risk assessment to ensure the automated forensic solution does not introduce any side effects into the existing system or corrupt existing data
CFG2.9 Ensure that the legal risks involved in corporate forensic practices are properly assessed, documented, communicated and mitigated
CFG2.10 Ensure the process of mitigating IT related risk with corporate forensic practices is constantly reviewed for effective continuous improvement

CFG3 Ensure resources are optimized with CF implementation. RACI: I C C C A R I R C I I C C R C C
CFG3.1 Ensure effective and efficient resource management planning for corporate forensic practices to meet enterprise needs, and develop key goals and metrics for resource management
CFG3.2 Establish principles for managing the allocation of resources according to enterprise goals, agreed priorities and budgetary constraints
CFG3.3 Align CF resource management with enterprise finances and value delivery to the enterprise
CFG3.4 Ensure selected resources deliver value, mitigate risk and help the enterprise achieve its objectives
CFG3.5 Ensure all resources (personnel, cost, time, automated tools) are acquired and available for use when needed
CFG3.6 Ensure effective and efficient use of time, human resources and cost during corporate forensic practices (e.g. use of automated forensic suites will optimize the resources used during digital evidence collection, examination and analysis)
CFG3.7 All software solutions, automated forensic solutions, forensic labs, forensic examiners and tools should be certified by the relevant bodies to increase the likelihood of evidence having weight in case of litigation. Also use tools that are endorsed by forensic experts
CFG3.8 Enhance corporate forensic readiness by always preferring technologies that support forensic practices to those that do not (e.g. NTP, centralized syslog server, IDS, XFID, CCTV etc.)
CFG3.9 Monitor and manage the allocation of corporate forensic resources according to current and future enterprise needs, and monitor resource performance against targets

CFG4 Ensure value is optimized with CF implementation. RACI: C R R C R A C R I C C C R R C C
CFG4.1 Assess the potential value of establishing a corporate forensic program and the implications if it is not established
CFG4.2 Understand how current roles, responsibilities, decision making bodies and accountabilities can help ensure effective value creation from corporate forensic investments
CFG4.3 Monitor and manage forensic investments to deliver value at a reasonable cost
CFG4.4 Recommend corporate forensic innovations, like automated forensic suites or operational improvements, that will increase forensic value to the enterprise
CFG4.5 Set outcome measures and performance indicators for corporate forensic processes to ensure effective monitoring of the value delivered
CFG4.6 Ensure the value delivery of corporate forensic investments is well documented for management review, which will help management make more informed and effective decisions on further investments
CFG4.7 Ensure value is continually optimized for each corporate forensic investment
CFG4.8 Evaluate the integration of enterprise goals with corporate forensic goals to see how forensic goals can generate value for the enterprise
CFG4.9 Perform continuous value evaluation of forensic investments to determine if the enterprise goal is achieved

Domain: Corporate Forensic Management (CFM)

CFM1 Manage legal requirements. RACI: I C I C C C C R I I C C I R C A/R
CFM1.1 Ensure all forensic processes are performed according to applicable local and international legislation, regulation and law
CFM1.2 Procedures and requirements for collecting evidence in a forensically sound manner should be made available to the forensic team
CFM1.3 Ensure that ethical codes of conduct are part of forensic practices by continuously auditing forensic processes
CFM1.4 Establish processes to ensure the integrity of evidence is strictly preserved (chain of custody)
CFM1.5 Legal advisory should keep their knowledge and experience of cyber-laws and of the admissibility of digital evidence in court up to date
CFM1.6 Ensure the evidence collected is related to the illegitimate act and shows that the illegitimate act has been committed
CFM1.7 The legal team should have a good working relationship with law enforcement in case of criminal investigations like child pornography etc.
CFM1.8 Establish guidelines for using corporate forensic tools and for when to use them, to prevent investigators from misusing the trust placed in them by employees
CFM1.9 Ensure that the increased automated tools purchased are certified by the relevant applicable body and a body recognized by the applicable jurisdiction. Also ensure forensic tools are endorsed by forensic experts

CFM2 Define policies. RACI: C A C C R R C R C C C C C R C C
CFM2.1 (input from CFG1.4) Ensure all policies are aligned to organization goals and meet its expectations
CFM2.2 Establish and document roles and responsibilities for all forensic activities
CFM2.3 Establish a forensic readiness awareness policy approved and signed by senior management
CFM2.4 Establish a general strategic corporate forensic policy and detailed applicable corporate forensic sub-policies
CFM2.5 Define a communication policy and a need-to-know policy for forensic activities if a breach occurs
CFM2.6 Establish an escalation policy stating when to contact law enforcement or request an independent forensic examiner if an independent view of the investigation is required
CFM2.7 Establish an acceptable use policy for monitoring all organization resources, in the form of system banners
CFM2.8 Define a suspicion reporting policy for whistle blowers
CFM2.9 Establish a secure evidence management and storage policy based on the organization's data retention policy, stating segregation of duty, least privilege and need to know for the chain of custody

CFM3 Define procedures. RACI: C C I A/R I C C C I R C C
CFM3.1 (input from CFM1.2) Design forensically sound procedures for performing all forensic activities according to applicable legislation
CFM3.2 (input from CFM1.4) Develop a step by step guide for evidence acquisition, examination, analysis and preservation using the automated forensic techniques
CFM3.3 (input from CFM1.1) Establish a guide for first forensic responders on the dos and don'ts of a proactive and reactive forensic investigation (planning the response)
CFM3.4 (input from CFM1.9) Develop a step by step guide for the operation of forensic labs according to applicable legislation
CFM3.5 (input from CFM1.4) Design a plan for evidence management, handling, storage and presentation (chain of evidence)
CFM3.6 (input from CFM2.9) Consider secure and effective segregation of duty when developing procedures and guidelines for all forensic practices
CFM3.7 Ensure all forensic operations are constantly in a current state of readiness

CFM4 Manage education, training and awareness. RACI: I I I I A/R R C C C R C C
CFM4.1 (input from CFG3.1) According to the level of forensic need and expertise required, hire an experienced forensic expert to head the forensic team; other team members can be drawn from within the enterprise (if not, use in-house personnel). If the need arises to consult an independent forensic examiner, refer to CFM9
CFM4.2 Appoint and train a cross functional team from incident response, information technology, information security and internal audit as qualified forensic examiners and in the use of automated forensic suites
CFM4.3 Senior management should champion awareness of the benefits of forensic capability, and staff should follow suit
CFM4.4 (input from CFM2.5) Establish effective lines of communication from top to bottom and across employee lines of responsibility
CFM4.5 (input from CFM1.1) Ensure corporate forensic training and investigation processes are compliant with ISO 27037
CFM4.6 (input from CFM2.2) Ensure staff are trained and awareness is created on roles, responsibilities and legal requirements for evidence preservation
CFM4.7 All new and existing employees should go through a mandatory evidence preservation course annually, and the course should be designed for its applicable audience; for example, HR should have a different course format from a forensic first responder
CFM4.8 (input from CFM2.6, CFM2.7) Ensure employees are trained and awareness is created to identify suspicious events and red flags, and to know who the first point of contact is according to the escalation policy
CFM4.9 (input from CFM2.9) Awareness should be created throughout the enterprise about evidence preservation and the sensitivity of evidence (this will deter fraud and insider threat)
CFM4.10 Ensure employees and customers are aware of the organization's evidence collection policy
CFM4.11 Ensure corporate forensic team members are certified, e.g. Certified Forensic Computer Examiner (CFCE), Certified Information Systems Auditor (CISA), Certified Cybercrime First Responder (CCFR)
CFM4.12 (input from CFM1.3) Ensure people involved in forensic practices are honest and ethical in their professional life
CFM4.13 Ensure personnel are routinely audited to help ensure that evidence is handled in compliance with digital evidence handling best practices
CFM4.14 The skills of forensic specialists must be monitored to ensure competency and continual improvement

CFM5 Perform pro-active evidence identification. RACI: I I I C A/R C I C C C R C C
CFM5.1 Identify all potential evidence sources in the enterprise, including physical security and access control devices
CFM5.2 (input from CFG2.1) Base proactive evidence identification on the enterprise risk assessment outcome, and identify the critical resources (systems) that the organization places high value on
CFM5.3 Ensure the automated solution is robust enough to collect evidence from different evidence sources
CFM5.4 (input from CFG2.5) The value of evidence must be considered during identification of potential evidence sources

CFM6 Collect evidence. RACI: I I I C A I I C C I R C C
CFM6.1 Use only automated forensic solutions that follow established digital forensic acquisition standards as stated in the Association of Chief Police Officers (ACPO) digital forensic guide
CFM6.2 (input from CFM1.4) Ensure the automated forensic suites used preserve the integrity of evidence during collection, examination and analysis
CFM6.3 Ensure the best evidence rule is considered before collection of evidence
CFM6.4 (input from CFM5.3) Ensure evidence is collected using a multi-tiered approach (e.g. logs, memory image etc.)
CFM6.5 Ensure evidence is collected in such a way that if an independent third party performs the same action, the same result will be obtained (i.e. ensure all actions can be reconstructed)
CFM6.6 (input from CFM5.3) Collect evidence from different evidence sources like IPS, central log servers, CCTV logs, biometric logs etc.

CFM7 Examine and analyze evidence. RACI: I I I A C C C R C
CFM7.1 Ensure standards and best practices are followed during examination and analysis of evidence using automated forensic tools
CFM7.2 (input from CFM4.14) Examination and analysis of evidence should be handled by a forensic specialist with confirmed capability to interpret the output of the automated forensic suites used
CFM7.3 (input from CFM1.6) During examination and analysis of evidence, the forensic specialist should ensure that the evidence being analyzed is relevant to the investigation
CFM7.4 The processes performed during automated examination and analysis to arrive at a conclusion should be documented so that those actions can be reconstructed at any time to achieve the same result

CFM8 Manage evidence (chain of custody). RACI: I I I C R C C R A
CFM8.1 (input from CFM3.3) Ensure the physical environment of the incident scene is secured immediately a digital incident is identified
CFM8.2 (input from CFM2.9) Ensure evidence is preserved, securely stored and its integrity maintained (chain of custody). Also ensure access to preserved evidence is based on need-to-know and least privilege
CFM8.3 (input from CFM2.9) Ensure evidence is stored away from harsh temperatures and protected from moisture, chart, magnetic sources etc.
CFM8.4 (input from CFM6.4) Establish a central logging system using protocols like NTP for better evidence correlation, to ensure the existence of other sources of evidence apart from the memory image
CFM8.5 Ensure all activities that involve digital evidence handling, movement and access are documented, and that the documentation is secured properly (chain of custody)

CFM9 Manage third party. RACI: C C C I C R I C C C C R C A
CFM9.1 Ensure a background check is performed before engaging any third party forensic investigator, if the need arises
CFM9.2 (input from CFG4.3) Ensure third party negotiation is done considering value, cost and effectiveness
CFM9.3 Ensure the legal, compliance, privacy and information security units are involved in signing the contractual agreement with the third party forensic consultant if outsourcing
CFM9.4 If outsourcing, ensure the third party forensic consultant signs a non-disclosure agreement before investigating systems with confidential information, considering privacy or other laws

CFM10 Documentation, report and presentation. RACI: I I I I I I I A I I I R I C
CFM10.1 Create a report for all forensic activities in a user friendly and interactive format
CFM10.2 Use automated forensic suites that document the chain of custody and some of the forensic processes carried out, and ensure these reports are manually reviewed for independent assurance
CFM10.3 Evidence reporting and presentation should be done in a logical and understandable manner
CFM10.4 Ensure reports, documentation and presentations (both internal and external) are preserved in safe custody at the end of a case, as this documentation can still be useful in the future
CFM10.5 Ensure no information is discarded, since even seemingly meaningless information can provide required information in a future incident
CFM10.6 Ensure forensic documentation is stored and secured according to the retention policy and applicable jurisdiction
CFM10.7 Ensure the target audience for evidence presentation is considered during selection of the report format for evidence presentation
CFM10.8 (input from CFM1.1) Ensure the expert witness knows the process of expert testimony and how to present convincing testimony, in case testifying is required for civil litigation

Domain: Corporate Forensic Evaluation (CFE)

CFE1 Monitor and evaluate forensic process compliance with regulation. RACI: I I R R C R C C C I R C A
CFE1.1 (input from CFM1.1) Forensic processes should be reviewed periodically by the legal team to ensure evidence is collected and analyzed according to the applicable jurisdiction
CFE1.2 The legal team should ensure regular internal updates to the forensic team on evidence acquisition and preservation regulations and on applicable forensically sound processes
CFE1.3 The legal team should ensure privacy laws and regulations (PIPA, PIPEDA, HIPAA) are considered during forensic processes using automated and remote forensic techniques (an acceptable use policy can be used to alert employees)

CFE2 Monitor, evaluate and report forensic process performance and conformance. RACI: I I A R C R I C C C I R C C
CFE2.1 Define key metrics for evaluating corporate forensic governance and management processes
CFE2.2 Ensure compliance with all policies and procedures, and report non-compliance for appropriate disciplinary action
CFE2.3 Regularly assess the state of all the control objectives of the framework using the maturity model (see Appendix) and take appropriate action to improve processes
CFE2.4 Establish effective governance monitoring procedures for corporate forensic processes, like the maturity model (see Appendix) and checklists
CFE2.5 (input from CFM2.2) Ensure those with assigned roles and responsibilities perform their tasks optimally as assigned using the RACI chart
CFE2.6 (input from CFM10.1) Evaluate the reporting and documenting techniques used for corporate forensic processes

CFE3 Continuously improve corporate forensic processes. RACI: I I I A R C R I C C C I R C C
CFE3.1 Establish a process for regular review of policies and procedures, updating them appropriately with lessons learned
CFE3.2 (input from CFM4.14) Ensure forensic specialist skills are reviewed and, if not up to standard, adequate training is provided
CFE3.3 (input from CFG2.1) Continuously ensure forensic practices are part of enterprise risk assessment and management, and improve practices towards better risk mitigation
CFE3.4 (input from CFM9) Review the process of engaging third parties and update the process from lessons learned
CFE3.5 Measure forensic processes with the maturity model to see where to concentrate improvement
CFE3.6 Develop a checklist applicable to your environment based on the framework and use it to ensure all processes are monitored, evaluated, reviewed and improved if need be
CFE3.7 Ensure all the governance and management processes are assigned a maturity level (see Appendix), and make continuous improvements to ensure processes attain maturity level 5

F. Corporate Forensic Governance Flow Diagram.

Figure 6 summarizes the flow of processes explained in the corporate forensic governance framework. The flow diagram shows the processes from the establishment of a corporate forensic governance structure to the evaluation of corporate forensic processes and the improvements applied to ensure the goal of the program is constantly being achieved.

Figure 6: A corporate forensic program flow diagram. The node labels recovered from the figure, in order:
- Start: evaluate forensic needs to determine if a CF program is required. If NO, use ad hoc methods (other evidence sources for corporate investigations).
- If YES, apply CFG1 to CFG4 in the framework, set up a forensic team and purchase increased automated forensic suites; ensure corporate forensic goals are strategically aligned to organization goals, adding value to the business and helping the business mitigate high profile IT related risk.
- Applying CFM1 and CFM5, based on the risk assessment outcome, are there potential evidence sources in the enterprise? If NO, continue monitoring enterprise IT resources using the automated forensic suite.
- Is an illegitimate act detected or reported? (YES / NO)
- According to the type of violation, can it be handled internally (escalation policy CFM2.6)? If NO, escalate to law enforcement in consultation with relevant stakeholders like the legal team (CFM2.6); law enforcement directs further actions and the internal forensic team cooperates as directed; document activities (CFM10).
- If YES, commence evidence collection, examination and analysis using the automated forensic suite (CFM2 to CFM7).
- Is a crime detected? If YES, escalate to law enforcement in consultation with relevant stakeholders like the legal team (CFM2.6); law enforcement directs further actions and the internal forensic team cooperates as directed.
- If NO, is there a need for independent analysis of evidence? If YES, consult an independent forensic expert (CFM9).
- Preserve and secure evidence (chain of custody, CFM8), then document and present the report in an acceptable format (CFM10).
- Monitor, evaluate and continually improve forensic processes using the maturity model and lessons learned (CFE1 to CFE3).

VI. CONCLUSION AND FUTURE WORK

This paper provided best practices for corporate forensic governance and management that will help empower organizations with efficient and effective corporate forensic readiness and an in-house forensic capability using automated forensic techniques. It also showed how governance best practices can ensure organizations get benefits from forensic investments. In addition, it showed that implementation of an enterprise automated forensic suite can detect and reduce high profile business threats like insider threat, fraud and intellectual property theft, since all employees are aware that illegitimate acts can be linked to the perpetrators. Thus, compliance with regulation like FIPS PUB 200 will be effectively established in such applicable organizations. Furthermore, the developed framework will enhance the way organizations perform forensic practices by reducing the rate of unsuccessful investigations and by effective use of resources (time, cost and personnel) during forensic investigations. Also, the forensic governance framework uses the common business language that management understands, with roles and responsibilities assigned using the RACI chart. This will increase the effectiveness of the program, since accountability and responsibility for each corporate forensic process is properly defined. For future research, since the framework was developed for global usage in a high level structure, the CFM domain of the framework can be narrowed down to a specific jurisdiction (continent), with the development of more comprehensive step-by-step details of all forensically sound processes, considering the legal requirements for collecting evidence applicable to the chosen jurisdiction.

ACKNOWLEDGEMENT

The authors are thankful to the Faculty of Graduate Studies at Concordia University College of Alberta for providing resources used in the accomplishment of this research. Special thanks go to Amer Aljaedi for his advice and discussions.

REFERENCES

[1] C. Grobler and C. Louwrens, "Digital evidence management plan," presented at the IEEE Information Security for South Africa (ISSA) Conf., South Africa, August 2-4, 2010, pp. 1-6.
[2] C. Grobler, C. Louwrens and S. Von Solms, "A framework to guide the implementation of proactive digital forensics in organizations," presented at the IEEE ARES '10 Conf., Krakow, Poland, February 15-18, 2010, pp. 677-682.
[3] C. Grobler, C. Louwrens and S. Von Solms, "A framework to guide the implementation of proactive digital forensics in organizations," presented at the IEEE ARES '10 Conf., Krakow, Poland, February 15-18, 2010, pp. 677-682.
[4] R. Rowlingson, "A ten step process for forensic readiness," International Journal of Digital Evidence [Online], vol. 2, no. 3, 2004. Available: http://www.ijde.org
[5] M. Grobler and I. Dlamini, "Managing digital evidence: the governance of digital forensics," Journal of Contemporary Management [Online], vol. 7, 2010. Available: http://www.researchspace.csir.co.za
[6] S. Von Solms, C. Louwrens, C. Reekie and T. Grobler, "A control framework for digital forensics," in International Federation for Information Processing, 2006, vol. 222, pp. 343-355.
[7] C. Grobler and C. Louwrens, "Digital forensic readiness as a component of information security best practice," in International Federation for Information Processing, 2007, vol. 233, pp. 13-24.
[8] G. Pangalos, C. Ilioudis and I. Pagkalos, "The importance of corporate forensic readiness in the information security framework," presented at the IEEE WETICE '10 Conf., Krakow, Poland, June 28-30, 2010, pp. 12-16.
[9] M. Kohn, J. Eloff and M. Oliver, "Framework for a Digital Forensic Investigation," unpublished paper, 2010.
[10] Information Systems Audit and Control Association (ISACA), COBIT 4.1, 2007 [Online]. Available: http://www.isaca.org
[11] Information Systems Audit and Control Association (ISACA), COBIT 5.0, 2011 [Online]. Available: http://www.isaca.org
[12] FIPS PUB 200, Standard for Security Categorization of Federal Information and Information Systems, 2002.
[13] FIPS PUB 199, Standard for Security Categorization of Federal Information and Information Systems, 2002.
[14] Y. Shin, "New digital forensic investigation procedure model," in Proc. NCM '08 Conf., 2008, vol. 1, pp. 528-531.
[15] C. Shields, "Towards proactive forensic evidentiary collection," in Proc. HICSS '10 Conf., 2010, pp. 1-9.
[16] C. Walker, "Computer Forensics: Bringing the Evidence to Court," unpublished paper, 2010 [Online]. Available: http://www.infosecwriters.com
[17] K. Nance, B. Hay and M. Bishop, "Digital forensics: defining a research agenda," in Proc. HICSS '09 Conf., 2009, pp. 1-6.
[18] D. Barske, A. Stander and J. Jordan, "A digital forensic readiness framework for South African SMEs," in Proc. ISSA Conf., 2010, pp. 1-6.
[19] CSI report, Computer crime security survey, 2010/2011 [Online]. Available: http://www.gocsi.com/survey
[20] G. Mohay, "Technical challenges and directions for digital forensics," in Proc. SADFE Conf., 2005, pp. 155-161.
[21] C. Grobler, C. Louwrens and S.
Von Solms, A multi-component view of digital forensics, in Proc. ARES conf., 2010, pp 647-652 [22] ISACA. (2003). Board Briefing on IT Governance. USA: [Online]. Available: http://www.isaca.org [23] B. Endicott and D. Frincke, Embedding forensic capabilities into networks: addressing inefficiencies in digital forensic investigations, in Proc. IAW conf., 2006, pp 133-139 [24] Encase Legal Journal. (2011). The Practitioner s Guide to Legal Issues Related to Digital Investigations and Electronic Discovery. [Online].Available: http://www.guidancesoftware.com/ [25] Guidance Software. (2010). The Seven Best Practices of Highly Effective ediscovery Practitioners. [Online]. Available: http://www.guidancesoftware.com/. [26] ACFE Report. (2010/2011). Report to the Nations on Occupational Fraud and Abuse. [Online]. Available: http://www.acfe.com/rttn.aspx [27] NIST SP 800-86. (2006). Guide to Integrating Forensic Techniques into Incident Response. USA: [Online]. Available: http://www.nist.gov [28] ISO/IEC FDIS 27001. (2005). Information Security Management Systems Requirements. USA: [Online]. Available: http://www.iso.org [29] ISO/IEC FDIS 27037. (2005). Guideline for Identification, Collection, Acquisition and Preservation of Digital Evidence. USA: [Online]. Available: http://www.iso.org [30] ACPO: Association of Chief Police Officers. UK: [Online]. Available: http://www.acpo.police.uk [31] NIST SP 800-92. (2006). Guide to Computer Security Log Management. USA: [Online]. Available: http://www.nist.gov. [32] NIST SP 800-137. (2011). Information Security Continuous Monitoring (ISCM). USA: [Online]. Available: http://www.nist.gov [33] NIST SP 800-70. (2011). National Checklist Program. USA: [Online]. Available: http://www.nist.gov [34] NIST SP 800-64. (2008). Security Consideration in System Development Life Cycle. USA: [Online]. Available: http://www.nist.gov [35] NIST SP 800-37. (2010). Guide for Applying the Risk Management Framework to Federal Information Systems. 
USA: [Online]. Available: http://www.nist.gov [36] NIST SP 800-30. (2010). Risk Management Guide for Information Technology Systems. USA: [Online]. Available: http://www.nist.gov [37] ISACA. (2009). The Risk IT Practitioner Guide. USA: [Online]. Available: http://www.isaca.org [38] ISACA. (2009). The Risk IT Framework. USA: [Online]. Available: http://www.isaca.org 14

[39] ITGI, The Val IT Framework 2.0, 2008. [Online]. Available: http://www.isaca.org
[40] ISACA, Implementing and Continually Improving IT Governance, 2009. [Online]. Available: http://www.isaca.org
[41] ISACA, The Business Model for Information Security (BMIS), 2010. [Online]. Available: http://www.isaca.org

APPENDIX

Maturity Model

The maturity model helps organizations rank their corporate forensic program, or individual CF processes from the framework, to see which maturity level each falls under. Continuous improvement is then performed to ensure that the CF processes or program reach maturity level 5, which shows that they follow good practices and are optimized. Following the COBIT 4.1 maturity model [10], the levels and their explanations are as follows.

Level 0 (Non-existent):
- Corporate forensic practices are not applied at all.

Level 1 (Initial/Ad hoc):
- Processes are ad hoc and disorganized.
- There is a lack of management commitment to CF process ownership and governance.
- Critical decisions on CF processes are made without considering the business.
- Roles and responsibilities for governance and management of CF processes are not defined.
- CF process metrics for evaluation are not defined.
- CF program investments are not tracked for value delivery to the business.

Level 2 (Repeatable but Intuitive):
- Processes follow a regular pattern.
- Senior management is not fully in support of the CF program.
- The CF program has informally defined business and technical goals.
- There is limited stakeholder involvement in CF process governance and management.
- Initial guidelines have been developed for CF processes.
- Application of CF process guidelines is left to the decision of individual forensic examiners.
- There is no governance monitoring.

Level 3 (Defined Process):
- Processes are documented and communicated.
- Best-practice CF process guidelines have been developed and communicated.
- The CF program has defined appropriate business and technical goals.
- Senior management is beginning to be committed to and involved in CF governance.
- Appropriate roles and responsibilities are defined.
- CF processes are monitored with defined and updated metrics.
- CF process training is available.
- The CF program is managed as a portfolio that adds great value to the business.

Level 4 (Managed and Measurable):
- Processes are monitored and measured.
- Management requires formal and standardized CF process metrics and lessons learned for CF process monitoring.
- Enhancements to CF processes are formalized and communicated, with forensic team members trained on the enhancements.
- CF governance has implemented a CF program organization structure with documented roles, responsibilities and staff performance criteria.
- Criteria for evaluating the success of each CF process have been established.
- Value and risk are measured and managed prior to, and during, the use of CF processes for corporate investigations.
- The CF program increasingly addresses business goals.
- Senior management and stakeholders strongly sponsor the CF program.
- Relevant forensic investigation training is planned for CF staff.

Level 5 (Optimized):
- Good practices are followed and automated.
- A proven and accepted CF program is implemented, enforced and integrated into the culture of the enterprise.
- Enterprise-wide planning of the CF program ensures that users and CF resources are best utilized to support strategic business initiatives.