Copyright Goodheart-Willcox Co., Inc. 849 Chapter 24 Customer Support, Communication, and Professionalism

Documentation

You should write a complete, detailed description of the incident and the procedures you followed. Most companies and large organizations have established policies and procedures for reporting an incident, as well as forms to be completed by the technician or person reporting the incident. For example, when an incident occurs, such as when a technician discovers the presence of malware on an employee workstation or an employee reports a company laptop missing, the company has established procedures to follow. A security event form, like that shown in Figure 24-11, is used to record information directly related to the security event. The collection of all security events can be reviewed later and serve as the basis for making decisions affecting security, such as a change in established policies and procedures.

Chain of Custody

A chain of custody is a method of preserving, tracking, and ensuring the integrity of evidence. You cannot simply collect evidence and leave it on your desk or in some other unsecured area where anyone can tamper with it. A chain of custody includes documentation of the chronological order of the handling of evidence from the time it is first discovered until it reaches trial or a conclusion. The chain of custody ensures that the evidence is as close as possible to its original condition when it was first discovered and secured. The chain of custody form, Figure 24-12, tracks the evidence, such as listing every person who took possession of it, the time and date it was taken, and the method used to store it securely. The evidence collected can be in different forms. For example, the evidence of a security breach may be simply a copy of the event captured by a software application, such as Microsoft Event Viewer, or by a commercial product. In the case of a software application, a copy can be made to a flash drive or disc. The flash drive or disc is then sealed in a labeled evidence bag and secured in a locked file drawer or cabinet to which only you have access. Another example is the unauthorized use of a company cell phone or tablet. The device can be confiscated and secured until it is needed as evidence of the incident.

Security Training

It is important that all members of an organization, not just the security team and technicians, be trained in how to respond to a security incident. All members of the organization must be made aware of what is considered unacceptable activity when using the organization’s devices and network. The most common response from members of an organization when questioned about an unauthorized activity is, “I did not know that I was not allowed to do that,” or simply “I did not know.”

1002: 4.6

A+ NOTE: The CompTIA A+ Exams require knowledge of how to respond to a security incident. Questions may require knowledge of the chain of custody, how to respond to an incident, and what constitutes an incident.
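The chain of custody form described in the Chain of Custody section above records who held the evidence, when, and how it was stored. The following is an added illustration of that record kept as a small program; it is not the textbook's Figure 24-12 form and not code from any product. It assumes a SHA-256 digest of the evidence copy (for example, the event-log export written to a flash drive) serves as the integrity check: the digest is taken when the copy is first secured and re-checked at every hand-off, so a copy that has been altered is refused and the refusal itself is logged. The evidence ID, custodian names, storage locations and the sample log export are all constructed for the example.

```python
"""Chain-of-custody log for a copy of digital evidence.

Added illustration for this chapter; not the textbook's form and not
code from any product. It assumes a SHA-256 digest of the copy is the
integrity check: taken when the copy is first secured, re-checked at
every hand-off, and recorded alongside custodian, time and storage.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Constructed sample standing in for an event-log export copied to a flash
# drive; the workstation name and event text are made up for this example.
SAMPLE_EVIDENCE = (
    b"Log Name: Security\r\n"
    b"Event ID: 4625\r\n"
    b"Computer: WS-17.example.local\r\n"
    b"Description: An account failed to log on.\r\n"
)


def digest(data: bytes) -> str:
    """SHA-256 hex digest of the evidence copy."""
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    """UTC timestamp in ISO 8601, the form's date/time field."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class CustodyEntry:
    custodian: str   # person who took possession
    timestamp: str   # when they took it
    action: str      # collected, transferred, or transfer refused
    storage: str     # how the copy was secured at this step
    digest: str      # digest of the copy as presented at this step


@dataclass
class EvidenceRecord:
    evidence_id: str
    description: str
    original_digest: str              # digest taken when first secured
    entries: list = field(default_factory=list)

    def to_json(self) -> str:
        """Serialize the record, e.g. to print and file with the evidence bag."""
        return json.dumps(asdict(self), indent=2)


def collect(evidence_id: str, description: str, data: bytes,
            custodian: str, storage: str) -> EvidenceRecord:
    """Open the record: hash the copy and log the first custodian."""
    d = digest(data)
    record = EvidenceRecord(evidence_id, description, d)
    record.entries.append(CustodyEntry(custodian, _now(), "collected", storage, d))
    return record


def verify(record: EvidenceRecord, data: bytes) -> bool:
    """True if the copy still matches the digest taken at collection."""
    return digest(data) == record.original_digest


def transfer(record: EvidenceRecord, data: bytes,
             new_custodian: str, storage: str) -> bool:
    """Log a hand-off. A copy whose digest no longer matches is still
    logged (as a refused transfer) so the break in custody is on record."""
    ok = verify(record, data)
    action = "transferred" if ok else "transfer refused: digest mismatch"
    record.entries.append(
        CustodyEntry(new_custodian, _now(), action, storage, digest(data)))
    return ok


def demo():
    """Walk one copy through collection, a good hand-off, and a bad one.
    Returns (number of log entries, first transfer ok, second transfer ok)."""
    record = collect(
        "INC-0001-E1",                       # constructed evidence ID
        "Security event log export from WS-17, on flash drive",
        SAMPLE_EVIDENCE,
        "J. Ortiz, technician",
        "sealed evidence bag, locked file drawer (technician only)",
    )
    ok_first = transfer(record, SAMPLE_EVIDENCE,
                        "M. Chen, security lead", "evidence safe, shelf 2")
    # An altered copy: one word changed in the export after collection.
    altered = SAMPLE_EVIDENCE.replace(b"failed", b"succeeded")
    ok_second = transfer(record, altered, "outside counsel", "off-site")
    print(record.to_json())
    return len(record.entries), ok_first, ok_second


if __name__ == "__main__":
    demo()
```

Running the script prints the full record as JSON: three entries, the last one marked as a refused transfer with a digest that differs from the one taken at collection. Keeping the refusal in the log, rather than silently dropping the hand-off, is the point: the form is meant to show every time the evidence changed hands and whether it was still in its original condition when it did.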