Cyber Attack Forensic Analysis: Concerns for IS Auditors

Forensic Analysis of Affected Users' Computers

Question

An organization that has suffered a cyber attack is performing a forensic analysis of the affected users' computers.

Which of the following should be of GREATEST concern for the IS auditor reviewing this process?

Answers

Explanations

A.

In this scenario, an organization is performing a forensic analysis of the affected users' computers after a cyber attack. The IS auditor's role is to review this process and identify any concerns or areas that require attention. Out of the given options, the one that should be of the greatest concern for the IS auditor is:

A. The chain of custody has not been documented.

The chain of custody refers to the chronological documentation or paper trail that records the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. The chain of custody is essential to maintain the integrity of evidence, ensure it is not tampered with, and enable it to be admissible in legal proceedings.

Without proper documentation of the chain of custody, it is difficult to prove that the evidence was collected, stored, and analyzed under appropriate conditions, and that it has not been tampered with or altered in any way. Therefore, the IS auditor should ensure that the chain of custody has been properly documented to maintain the integrity and admissibility of the evidence.
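As an added illustration (not part of the original question or its explanation), the following Python sketch shows the kind of chain-of-custody record an IS auditor would look for: every custody event re-hashes the forensic image taken of a computer (the copy produced by the imaging process in option C), records who handled it and when, and is linked to the previous entry, so an altered image or a missing entry is detectable. The evidence ID, handler names and image bytes are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: stands in for the disk image acquired from one affected computer.
SAMPLE_IMAGE = b"constructed disk image bytes for evidence EV-001"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def new_custody_log(evidence_id: str, source: str, image: bytes, handler: str) -> dict:
    """Open a custody record, anchored on the hash taken at acquisition time."""
    log = {"evidence_id": evidence_id, "source": source,
           "acquisition_hash": sha256_hex(image), "events": []}
    record_event(log, image, "acquired", handler, "imaged with write blocker")
    return log

def record_event(log: dict, image: bytes, action: str, handler: str,
                 note: str, when: str = "") -> dict:
    """Append one custody event (seizure, transfer, analysis, ...) and return it."""
    prev = log["events"][-1]["entry_hash"] if log["events"] else log["acquisition_hash"]
    event = {"seq": len(log["events"]) + 1,
             "time": when or datetime.now(timezone.utc).isoformat(),
             "action": action, "handler": handler, "note": note,
             "image_hash": sha256_hex(image),   # re-hashed at every hand-over
             "prev_entry_hash": prev}           # links entries into a chain
    event["entry_hash"] = sha256_hex(json.dumps(event, sort_keys=True).encode())
    log["events"].append(event)
    return event

def verify_log(log: dict, image: bytes) -> list[str]:
    """Return the problems an auditor would flag; an empty list means the record is consistent."""
    problems = []
    expected_prev = log["acquisition_hash"]
    for e in log["events"]:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
            problems.append(f"event {e['seq']}: entry was altered after it was written")
        if e["prev_entry_hash"] != expected_prev:
            problems.append(f"event {e['seq']}: chain broken (missing or reordered entry)")
        if e["image_hash"] != log["acquisition_hash"]:
            problems.append(f"event {e['seq']}: image hash differs from acquisition hash")
        expected_prev = e["entry_hash"]
    if sha256_hex(image) != log["acquisition_hash"]:
        problems.append("current image does not match acquisition hash")
    return problems
```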

B. The legal department has not been engaged.

While engaging the legal department may not be necessary in all cases, it is important to involve them in situations where the evidence obtained may be used in legal proceedings. Engaging the legal department can ensure that the investigation and evidence collection are conducted in a manner that adheres to legal requirements, protects the rights of individuals, and supports the organization's legal position.

C. An imaging process was used to obtain a copy of the data from each computer.

Using an imaging process to obtain a copy of the data from each computer is a standard procedure for preserving the evidence and ensuring that the original data is not modified or destroyed. Therefore, this should not be a major concern for the IS auditor.

D. Audit was only involved during extraction of the information.

While it is ideal for the audit department to be involved in the entire investigation process, including evidence collection, their involvement may not always be necessary or feasible. Therefore, this should not be a major concern for the IS auditor.

In summary, the IS auditor should be most concerned about the lack of documentation of the chain of custody, as this can undermine the integrity and admissibility of the evidence obtained from the affected users' computers.