• Requirements for maintaining an accurate record, made at the time, or as soon after the incident as possible.
• Retaining snapshots of the system.
• Requirements for the recording of all findings and considering how reliable the evidence is.
• Requirements for the recording of any alterations that have been intentionally and unintentionally imposed by the investigator.
• Requirements for the creation of visual evidence of findings.
• Ensuring the evidence is relevant and not a false positive.
• Evaluation of the findings to determine whether or not they:
  o provide evidence of a crime and/or an incident
  o show that the system has been externally and/or internally compromised
  o strongly support one possible cause more than other possible causes.
• Make recommendations to prevent security incidents from reoccurring in the future, including improvement(s) to the:
  o content of cyber security documentation (policies and/or agreements)
  o adherence to cyber security documentation (policies and/or agreements)
  o security protection measures (physical, software and/or hardware).
Links to Learning Outcomes | Links to Assessment criteria | |
---|---|---|
Anonymous Assessment - Learners assess an anonymous piece of work containing deliberate mistakes against given success criteria.