Chain of custody

A documented, unbroken record of who had possession of evidence, when, and what was done with it. Starts at the moment of collection and continues through analysis, storage, and disposition. Any gap or undocumented handoff breaks the chain — potentially rendering evidence inadmissible in court.

Order of volatility

Evidence must be collected from most to least volatile. CPU registers and cache → RAM → swap/pagefile → running processes → network connections → disk storage → removable media → backups. Volatile data is lost when a system is powered off — collection sequence is critical. Never power off a running system before collecting RAM.

Integrity verification

Every piece of digital evidence must be hashed (SHA-256 or better) at the point of collection and again before analysis. If the hashes match, the evidence is demonstrably unmodified. Forensic disk images are verified with both MD5 and SHA-1/SHA-256. Write blockers prevent accidental modification during imaging.

Forensic imaging

Analysis is conducted on a forensic copy — never on the original evidence. Bit-for-bit disk images (dd, FTK Imager, Guymager) preserve every sector, including deleted files and unallocated space. The original disk is sealed, logged, and stored as evidence. Modifications to the image do not affect the original.

Computer artifacts

Registry hives (Windows), prefetch files, browser history, event logs, $MFT (Master File Table), LNK files, shellbags, NTFS timestamps (created/modified/accessed/MFT changed — all four can indicate tampering). Each artifact type has specific forensic tools and interpretation methods.

Network artifacts

PCAP (packet capture) files, NetFlow records, firewall logs, DNS query logs, proxy logs, DHCP logs. Network artifacts provide evidence of communication — who connected to what, when, for how long, and how much data was transferred. Essential for exfiltration investigation.

Mobile device artifacts

Call records, SMS/message data, location history, app data, cloud sync records. Mobile forensics requires specialized tools (Cellebrite UFED, Oxygen Forensic) and may require legal process (warrant) to compel unlocking. Encryption and iCloud/Google account backups may contain more data than the device itself.

Cloud artifacts

Audit logs (CloudTrail, Azure Monitor), access logs, API call history, identity provider logs. Cloud artifacts are ephemeral — log retention periods are finite and must be configured before an incident, not after. Many cloud artifacts are only available at higher logging tiers (the Microsoft Storm-0558 case).

Need-to-know / least privilege

Access to information is granted only when there is a documented operational need, to the minimum extent necessary. Operational implementation: access requests require business justification, approvals expire, and access is revoked when the need ends. A database administrator does not need access to all customer records — only the schemas they administer.

Separation of duties

No single person or process can carry out a sensitive operation end-to-end without oversight. The person who initiates a wire transfer cannot also approve it. The developer who writes code cannot also deploy it to production. The person who requests access cannot also approve it. SoD is enforced in system controls, not just policy.

Privileged account management

Privileged accounts (domain admin, root, cloud admin) are managed in a PAM system, require MFA, have no persistent standing access (JIT), and all sessions are recorded. Privileged account credentials are never shared and are rotated after each use or on a defined schedule.

Job rotation

Regularly rotating staff through different roles serves two security functions: it detects fraud and errors that a permanent occupant might conceal (the temporary replacement notices anomalies), and it prevents over-dependence on a single individual with irreplaceable knowledge of a critical system.

Service Level Agreements (SLA)

SLAs define contractual performance commitments between service providers and customers — including security-relevant commitments: incident notification timelines, uptime guarantees, patch application timelines, and audit rights. SLAs are the operational mechanism for enforcing third-party security obligations.

Media management

All removable media (USB drives, backup tapes, optical disks) must be inventoried, labeled with the highest classification of data they contain, and handled according to that classification level. Uncontrolled removable media is both a data exfiltration vector and a malware delivery mechanism — USB drives remain among the most effective physical attack vectors.

Media protection

Media containing sensitive data must be encrypted at rest. Backup tapes leaving the facility must be encrypted and tracked with chain of custody. Media awaiting disposal must be secured from the moment of decommissioning until verified destruction — not left in a pile in the server room for months awaiting a vendor visit.

Data at rest

AES-256 encryption for stored data. Key management separate from data (encrypted data and its encryption key should not be stored together — if they are, the encryption provides no protection). Full-disk encryption for all endpoint devices. Database-level and file-level encryption for sensitive data in applications.

Data in transit

TLS 1.2+ for all application traffic. IPSec or TLS for internal network traffic where data sensitivity warrants it. Encrypted VPN or ZTNA for remote access. No unencrypted transmission of sensitive data — not over the internet, not on internal networks, not via email without encryption.

Change Advisory Board (CAB)

The governance body that reviews and approves changes to production systems. Security must have representation on the CAB — or at minimum, a defined escalation path for changes that introduce security risk. Security review of changes is not optional for changes touching authentication, encryption, network configuration, or access control.

Change types

Standard: pre-approved low-risk changes (applying a routine patch, restarting a service). Normal: requires full CAB review and approval. Emergency: expedited process for urgent changes (security incident response, critical vulnerability patch). Emergency changes still require retrospective documentation and review.

Rollback planning

Every change must have a documented rollback plan — specific steps to revert the change if it causes unexpected problems. A change without a rollback plan is a gamble on success. For security changes (firewall rule modifications, authentication system changes), the rollback plan must also account for the security implications of reverting.

3-2-1 backup rule

3 copies of data, on 2 different media types, with 1 offsite. The classic minimum standard. Extended for ransomware: 3-2-1-1-0 — 3 copies, 2 media types, 1 offsite, 1 immutable/air-gapped, 0 errors verified by restore testing.

Immutable backups

Backups that cannot be modified or deleted — not even by the administrator account. WORM (Write Once Read Many) storage, S3 Object Lock, Azure Immutable Blob Storage. Ransomware cannot encrypt what it cannot write. Immutable backups are the most effective ransomware recovery control.

Backup encryption

Backups must be encrypted — both in transit and at rest. A backup that contains the same data as production is a backup breach risk as well as a data protection risk. Encryption keys must be stored separately from the backups they protect.

Restore testing

A backup that has never been successfully restored is an untested hypothesis. Restore tests must be performed on a documented schedule, with results recorded. Recovery time actually achieved in the test is compared to the RTO target. Discrepancies drive architecture improvements before an incident demands them.

Response

Immediate actions after a disaster is declared: activating the DR plan, convening the DR team, initiating communication with stakeholders, and beginning damage assessment. Response must be practiced — teams under pressure revert to training, not to documentation they’ve never read.

Personnel

DR plans must identify who does what during recovery — by role, not by individual name. Individuals may be unavailable during an actual disaster. Backups for every DR role must be identified and trained. Contact information maintained out-of-band — if the internal directory is unavailable, how do team members reach each other?

Communications

Internal communications (team coordination), external communications (customers, regulators, media), and stakeholder communications (board, investors) each require separate plans and pre-approved messaging. If primary communication systems are unavailable (email server down, Slack inaccessible), what is the out-of-band communication channel?

Restoration

Specific, step-by-step procedures for restoring each critical system in priority order. Restoration procedures must be updated whenever the underlying systems change — a procedure for restoring a system that was decommissioned 18 months ago provides no value during an incident.

Perimeter controls

Fencing, bollards (vehicle barriers), security lighting, perimeter cameras, guard posts, and controlled vehicle entry points. CPTED (Crime Prevention Through Environmental Design) principles shape the physical environment to deter, detect, and delay unauthorized access. Natural barriers and clear sightlines reduce attack opportunities.

Access control vestibules (mantraps)

A double-door entry point where the first door must close and lock before the second door can open. Prevents tailgating (one person using another’s badge access). The space between the two doors is under camera surveillance and may have additional authentication requirements (biometric, two-person rule for highest-security areas).

Visitor management

Visitors signed in, issued temporary credentials, escorted at all times in secure areas, and signed out with credential return. Visitor logs are evidence in security incidents — an unauthorized person in a data center during a breach investigation changes the scope and severity of the response. Unescorted visitors in secure areas are a high-risk anomaly.

Security cameras (CCTV)

Both deterrent (visible cameras deter opportunistic crime) and forensic (recorded footage supports incident investigation). Camera placement must cover all entry/exit points, high-security areas, and blind spots. Footage retention must be long enough to cover delayed-discovery incidents — 30–90 days for security areas.

Travel security

Employees traveling to high-risk countries face threats including device seizure at borders (customs inspection authority), hotel room compromise, public Wi-Fi interception, and physical surveillance. Mitigation: travel-specific “clean” devices with minimum data, VPN for all internet access, encrypted communications, pre-travel security briefing, and in-country emergency contacts.

Insider threat

Employees, contractors, and former staff with authorized access who misuse it — either maliciously or negligently. Detection signals: excessive data access or downloading, access outside normal hours or from unusual locations, policy violations, behavioral changes (financial stress, grievance), and access to systems unrelated to current role. UEBA and DLP are primary technical controls.

MFA / 2FA fatigue

Social engineering technique where attackers send repeated MFA push notifications until the fatigued user approves one. Training must address: how to recognize fatigue attacks, to never approve an unexpected MFA push, to immediately report unexpected MFA notifications, and how to use number matching and additional context features that defeat fatigue attacks.

Emergency management

Personnel safety protocols for physical emergencies — fire evacuation, active threat response, medical emergencies. Security operations must integrate with physical safety: an active shooter scenario requires immediate lockdown of physical access systems; a fire evacuation must include secure laptop removal procedures for sensitive data environments.

Duress procedures

A duress code or duress PIN allows a person being coerced (forced at gunpoint to unlock a system or grant physical access) to signal silently that they are under duress — triggering a security response while appearing to comply. Duress codes must be trained, maintained, and tested — an untrained employee under duress cannot improvise.