CYFOR Blog

Forensic Readiness Plans: Is your business forensically ready?

Forensic Readiness Plans are a crucial element in assessing your organisation’s readiness to respond to a compliance requirement, a digital forensic investigation, or as part of an internal investigation.

In 2014-15, the UK Government breached personal data security 9,000 times in a year. The National Audit Office revealed the 17 largest departments recorded 8,995 data breaches but that only 14 were reported to the Information Commissioner.

The knock-on effects on citizens can be enormously serious, such as identity theft, fraud, and confidentiality infringement. It is a shameful record and a frightening indictment of data handling practices in the public sector. The first duty of the public sector should be to serve the public, but the careless practices and inefficient procedures exposed by these security breaches indicate that the safeguarding of confidential personal information is not being treated with the priority the law – and the public – demand.

The sheer scale of these types of data losses is a serious warning to all organisations that it is time to put their houses in order – or face the consequences. Clear rules and guidelines are already in place regarding the gathering and stewardship of data in both the public and private sectors; some are long-established and some are a response to recent high-profile security breaches. There are also clear and increasingly tougher penalties for breaching regulations and increasing awareness regarding the consequences of poor practice in this area.

The Cross Government Actions Minimum Mandatory Measures from the Cabinet Office go one step further in placing stringent requirements on government departments and agencies to have Forensic Readiness Plans in place. The new measures are designed to better manage information risk, protect the personal information of citizens and minimise risk surrounding authorised access to protectively marked information.

How exactly does a business achieve forensic readiness?

The term ‘forensically ready’ relates to the ability to forensically examine your data so that you know:

  • Where it actually resides.
  • Who has accessed, copied or moved individual files.
  • That you are capable of conducting a forensic data audit in the event of a breach.

This level of security can’t be handled with simple intrusion detection tools. What’s needed is a comprehensive cybersecurity platform to deliver the Privacy Impact Assessments as required by the Cabinet Office’s new measures.

A simple litmus test can help you understand whether you’ve made your business forensically ready and compliant with these new measures. Ask yourself these three simple questions:

  • Do you know where all your data resides?
  • In the event of a breach, can you prove that all the correct processes and procedures are in place?
  • Does your agency/department fully understand and follow the elements of good data handling practices?

The ability to audit your data will enable you to track the flow of sensitive data within your organisation and ensure that only authorised movement occurs. For example, employees are going to move around an organisation internally:

  • Are you able to assess whether they have taken data with them when they move?
  • Are they authorised to do so?
  • Is data where it is supposed to be or allowed to be?

When unauthorised movement takes place, this can be flagged and corrective action can be taken. Have you costed out the financial price of non-compliance with data reporting requirements, e.g. increased legal fees related to the disclosure of an increased number of custodians? Investment in an effective data audit solution can reduce long-term spending by eliminating the need for expensive third-party consultants.
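The three questions above can be expressed as checks over file-audit records. The following is an added example, not part of the original post or any CYFOR tooling; the policy tables, user names, paths and event format are all constructed assumptions for illustration.

```python
from datetime import date

# Constructed policy: storage areas allowed to hold each data classification.
ALLOWED_LOCATIONS = {
    "personal": {"/shares/hr", "/shares/casework"},
    "public": {"/shares/hr", "/shares/casework", "/shares/comms", "/removable"},
}
# Constructed mapping: storage areas each department's staff are authorised to use.
DEPARTMENT_AREAS = {"hr": {"/shares/hr"}, "comms": {"/shares/comms"}}
# Constructed HR records, oldest first: (user, effective date, department).
TRANSFERS = [("asmith", date(2015, 1, 1), "hr"), ("asmith", date(2015, 6, 1), "comms")]
# Constructed audit events: (date, user, action, classification, source, destination).
EVENTS = [
    (date(2015, 5, 20), "asmith", "copy", "personal", "/shares/hr/staff.csv", "/shares/hr/archive/staff.csv"),
    (date(2015, 6, 3), "asmith", "copy", "personal", "/shares/hr/staff.csv", "/shares/comms/staff.csv"),
    (date(2015, 6, 4), "asmith", "read", "personal", "/shares/hr/staff.csv", None),
    (date(2015, 6, 5), "bjones", "move", "public", "/shares/comms/press.docx", "/removable/press.docx"),
]

def department_on(user, day):
    """Department the user belonged to on a given day, or None if unknown."""
    current = None
    for who, effective, dept in TRANSFERS:
        if who == user and effective <= day:
            current = dept
    return current

def under(path, areas):
    """True if path sits inside one of the listed storage areas."""
    return any(path == a or path.startswith(a + "/") for a in areas)

def audit(events):
    """Return (date, user, reason) for each event that breaks the policy."""
    findings = []
    for day, user, action, label, src, dst in events:
        dept = department_on(user, day)
        own_areas = DEPARTMENT_AREAS.get(dept, set())
        # Did a user who has moved department still touch non-public data?
        if label != "public" and not under(src, own_areas):
            findings.append((day, user, f"{action} of {label} data outside {dept} remit: {src}"))
        # Is the data ending up somewhere its classification allows?
        if dst is not None and not under(dst, ALLOWED_LOCATIONS[label]):
            findings.append((day, user, f"{label} data placed in disallowed location: {dst}"))
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(finding)
```

Joining the audit trail to the HR transfer dates is what separates the authorised copy made in May from the same user's access after the June move.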

Are you able to manage the risk to your reputation if a data breach occurs on your watch? Public sector organisations handling data relating to the most vulnerable in society carry a burden of trust. Private-sector organisations that suffer a data loss are likely to pay the price in loss of customers and a falling share price; public-sector organisations may not suffer such tangible consequences directly, but the risk to their reputation and governance is just as real.

Forensic Readiness Plans – Five Key Guidelines

To have a robust Forensic Readiness Plan in place, organisations and departments need to be able to gather evidence on potential criminal activity or disputes legally and without causing disruption to day-to-day business.

This must also be done cost-effectively and in proportion to the incident – don’t go spending millions of pounds of taxpayers’ money on a simple data access request. On the other hand, don’t scrimp on spending if it’s a major criminal investigation.

Key elements of forensic readiness:

  1. Define the business scenarios that require digital evidence. When is it appropriate to gather evidence and when is it not?
  2. Identify sources of evidence and what sort of evidence it is. Make sure you have the resources to hand to look for it.
  3. Know what you’re looking for before you go and look for it. Don’t gather too much or too little. Have a clear idea of what circumstances need to be in place to trigger a fuller investigation.
  4. Establish security and storage rules for the handling of evidence. Keep an eye on the evidence once you have it – and make sure staff understand the consequences of not following these procedures.
  5. Provide a documented real-world example that everyone can run through in advance. Ensure that all parties, including legal, are confident that the processes in place are correct.