| This content is a version of the Forensic Readiness Policy, September 2015. This is Legacy IA Policy. It is under review and likely to be withdrawn or substantially revised soon. Please contact us before using this on a new project: itpolicycontent@digital.justice.gov.uk. |
The HMG Security Policy Framework has this mandatory requirement:
Departments and Agencies must put in place an appropriate range of technical controls for all ICT systems, proportionate to the value, importance and sensitivity of the information held and the requirements of any interconnected systems.
The requirement means that the MOJ must:
Have a forensic readiness policy that will maximise the ability to preserve and analyse data generated by an ICT system that may be required for legal and management purposes.
The ICT Security Policy – Forensic Readiness Standard [link to follow] provides help on making an MOJ ICT system comply with the policy.
Note: Forensic readiness might affect handling of an IT security incident. Make sure you apply the IT Security - IT Incident Management Policy.
The policy statements are as follows:
| Each ICT system or ICT domain must have (or be explicitly covered by) a Forensic Readiness Plan which implements this policy. |
| The MOJ must have the capacity to conduct a forensic investigation (as required), whether it involves the use of internal or external capability and resource. |
| All users of an ICT system must be made aware that their access is monitored and that as part of an investigation into a security incident, IT forensic techniques may be used to capture evidence. |
| Each IT security incident management plan must outline the criteria for initiating a forensic investigation. |
| A Forensic Readiness Plan must contain a defined set of procedures and methods for conducting a forensic investigation. |
| The procedures and methods outlined in a Forensic Readiness Plan must consider the business continuity arrangements required to support the restoration of IT services. |
| For all stages of a forensic investigation, there must be a clearly documented chain of custody for all evidential items captured. |
| Each forensic investigation must have a named forensic investigation owner who is responsible for conducting the investigation and the integrity of any evidence captured. |
| Any investigative action taken on an evidential item (e.g. an analysis of a hard drive) must be captured and recorded. This record must include details of the action taken and the person responsible for undertaking that action. |
| Admissibility of evidence in a court of law varies with the method of capture. Advice must be sought from the MOJ legal team and forensic investigation provider prior to capture if required. |
| Each Forensic Readiness Plan must include details of how any ICT assets used or captured as part of a forensic investigation are securely disposed of when they are no longer required. This must be in line with ICT Security – ICT Asset Disposal Guide. |
| Each Forensic Readiness Plan must have an escalation path to raise issues identified as part of an investigation as required. |
| All investigations must be conducted in line with MOJ ICT Security Policies, specifically IT Security - Acceptable Use Policy [link to follow]. |
| The capture of evidence during a forensic investigation must be in accordance with BS 10008. |
| All IT systems must consider, in their design, the need to capture evidence in an evidentially sound manner, following BS 10008. |
| Unless required by UK law or requested by UK law enforcement, a cost-benefit analysis must be undertaken before a forensic investigation is launched. |
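As an added illustration of the chain-of-custody and action-recording requirements above (this is example code written for this page, not MOJ code and not part of any Forensic Readiness Plan), the following Python keeps an append-only custody log for one evidential item: a named owner, every action recorded with the person responsible and a timestamp, and the item's hash before and after each action so that any change to the evidence is visible in the record. The item identifier, the owner and analyst names and the item bytes are constructed placeholders. Linking each log entry to the hash of the previous one is an assumption made here, as one common way to make deletion or reordering of records detectable; the policy itself does not prescribe a mechanism.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed example: a minimal chain-of-custody log for a single evidential
# item. All identifiers and data below are placeholders, not real case data.


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of an evidential item's bytes as hex."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of every action taken on one evidential item."""

    def __init__(self, item_id: str, owner: str, data: bytes):
        self.item_id = item_id
        self.owner = owner  # named forensic investigation owner (policy statement)
        self.acquisition_hash = sha256_hex(data)
        self.entries = []
        # the acquisition itself is the first recorded action
        self.record("acquired", owner, data, data)

    def record(self, action: str, actor: str, before: bytes, after: bytes) -> dict:
        """Record one action on the item and return the entry written.

        `before` and `after` are the item's bytes before and after the action;
        for a read-only action they are the same object.
        """
        entry = {
            "seq": len(self.entries) + 1,
            "item_id": self.item_id,
            "action": action,
            "actor": actor,  # person responsible for undertaking the action
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "hash_before": sha256_hex(before),
            "hash_after": sha256_hex(after),
            # assumption: entries are hash-linked so removal or reordering is detectable
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else None,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self, current_data: bytes) -> list:
        """Return a list of integrity problems; an empty list means the record is intact."""
        problems = []
        prev_entry_hash = None
        prev_after = None
        for e in self.entries:
            fields = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(fields, sort_keys=True).encode()) != e["entry_hash"]:
                problems.append(f"entry {e['seq']} has been altered")
            if e["prev_entry_hash"] != prev_entry_hash:
                problems.append(f"entry {e['seq']} is not linked to the previous entry")
            # every change to the item must be accounted for by a recorded action
            if prev_after is not None and e["hash_before"] != prev_after:
                problems.append(f"unrecorded change to item before entry {e['seq']}")
            prev_entry_hash = e["entry_hash"]
            prev_after = e["hash_after"]
        if self.entries and sha256_hex(current_data) != self.entries[-1]["hash_after"]:
            problems.append("item no longer matches the last recorded hash")
        return problems

    def modifying_actions(self) -> list:
        """Return the entries whose action changed the item (hash_before != hash_after)."""
        return [e for e in self.entries if e["hash_before"] != e["hash_after"]]


if __name__ == "__main__":
    # constructed stand-in for a captured disk image
    image = b"constructed disk image bytes"
    log = CustodyLog("EV-0001 (placeholder)", "A. Owner (placeholder)", image)
    log.record("read-only analysis of image", "B. Analyst (placeholder)", image, image)
    print("problems:", log.verify(image))  # expected: []
    print("actions that changed the item:", len(log.modifying_actions()))
```

The record is only as good as the discipline of writing to it: `verify` can show that an entry was edited after the fact, that a record was dropped from the chain, or that the item was changed without a corresponding entry, but it cannot supply an entry that was never written. In practice the log would be stored separately from the evidential item and under the control of the named investigation owner.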
Each Forensic Readiness Plan must include, in the criteria for conducting an investigation:
| Where a forensic investigation has been requested in response to a leak investigation. This investigation must be requested by the DSO where the DSO is responsible for that investigation. Note – this may fall outside of the IT security incident management process. |
Each forensic investigation must be guided by the following principles:
| Each Forensic Readiness Plan must include a process for the collection and storage of digital evidence (including provision for where this task is conducted by an external organisation). |
| Each Forensic Readiness Plan must include the reporting structure and escalation path, outlining the roles involved and what communications are passed between them. This must be consistent with the reporting structure in the corresponding IT Security Incident Management Plan. |
| Each Forensic Readiness Plan must name a single point of contact who is responsible for co-ordinating any stakeholders involved in a forensic investigation; this may be the Forensic Investigation Owner. |
| Each Forensic Readiness Plan must include details of any external (non-MOJ) entities which form part of the reporting structure and escalation path. |
| This policy is dated October 2017, and is an update to the Forensic Readiness Policy, v0.03, May 2013. |