بررسی وضعیت آمادگی مدیریت فناوری اطلاعات در نیوزیلند برای رویدادی که ممکن است تجزیه و تحلیل قانونی نیاز داشته باشد

Computer security is of concern to those in IT (Information Technology) and forensic readiness (being prepared to deal effectively with events that may require forensic investigation) is a growing issue. Data held only on magnetic or other transient media require expert knowledge and special procedures to preserve and present it as valid in a criminal or employment court. Staff required to handle possible forensic evidence should be forensically knowledgeable. Having policies and procedures in place is one inexpensive way to protect the forensic data and can mean the difference between a valid case and no case. This paper presents the results of a survey of IT managers in New Zealand (NZ) examining the state of awareness of IT management in NZ regarding the field of digital forensics in general and their state of preparation for protection of forensic data in the case of an event requiring forensic analysis.

Computer security is of concern to those in IT (Information Technology) and forensic readiness (cost effectively maximising the potential to use digital evidence when required) is a growing issue (Rowlingson, 2003). Electronic evidence is easily overwritten and lost. Data held only on magnetic or other transient media require expert knowledge and special procedures to preserve and present it as valid in a criminal or employment court. Anyone expected to handle digital data that may be required as evidence should be experienced and qualified (Rowlingson, 2003). One inexpensive way to protect forensic data that may be required as evidence is to have policies and procedures in place. This can mean the difference between a valid case and no case (Wolfe, 2004). The survey detailed in this paper examined the state of awareness of IT management in NZ regarding the field of digital forensics in general and their state of preparation for protection of forensic data in the case of an event requiring forensic analysis. The study was limited to NZ organisations employing an IT manager, functional equivalent, or other informed decision maker in an IT management role. Managing a security budget is a constant juggle between known and developing security issues. IT management has to balance known issues such as virus protection with developing issues such as training IT staff in computer forensics. Security is a holistic process and the chain is only as strong as the weakest link. IT managers may have the best virus and firewall protection available but unless they have planned for forensic readiness their organisation could well find itself threatened if forensic evidence fails the admissibility test in court. In attempting to examine the level of preparedness of IT management for forensic investigation, three hypotheses were developed. The first of these was that with regard to events requiring forensic investigation, internal policy and procedures for dealing with evidence recovery are most often insufficient to ensure admissibility of forensic evidence in court. Second, where IT management are expected to plan for events that may require forensic investigation, they most often will not sufficiently comprehend the admissibility of forensic evidence issue. Third, where management expect operational IT staff to deal with events that may require forensic investigation, most often management of forensic training would not ensure admissibility of forensic evidence in court. In order to test these hypotheses, a survey was developed and mailed to a selection of NZ IT managers.

The results of this survey of NZ IT managers supported all three hypotheses. First, survey results showed that 25% of organisations had no formal information security policy and only 21% of those required staff to keep up-to-date with its content. In addition, 85% of respondents had no forensic policy, suggesting that policy and procedures are inadequate to ensure admissibility of forensic evidence. Second, less than a third of respondents' organisations were found to have any forensic capability at all, with only 8% having internal capability. These figures strongly suggest that IT management does not sufficiently comprehend the issue of admissibility of forensic evidence. Third, 15 respondents' organisations had prepared forensic evidence for use in court. Almost half was prepared by untrained staff. IT management expect operational IT staff to protect forensic data for possible use in court but the majority do not supply forensic training, so the evidence cannot be guaranteed admissible in court. A large number of companies are not appropriately prepared in the area of forensic readiness. This survey focused on large New Zealand organisations with an IT manager or functional equivalent, yet a far greater number of organisations are too small to have an IT manager and may therefore be at even greater risk from being unaware of forensic readiness.