Improper case management can lead to adverse outcomes and significantly increase the time it takes a security team to detect or respond to active threats in an enterprise environment. If and when security cases result in litigation, it is vital that the case management processes and workflows followed be unimpeachable, and that as much relevant, reliable information is captured before, during, and after executing a case.
Security of the evidence and related data are equally important. Leaving these vulnerable negatively impacts their integrity. This course will teach you concepts such as chain of custody, secure evidence and data storage, why data retention, destruction, and backup are necessary considerations, as well the best methods for capturing contemporaneous notes.
Prerequisites
- Knowledge of incident response and handling methodologies (i.e. NIST)
- Knowledge of the CIA triad
- Knowledge of security principles such as least privilege and ‘need to know’
- Experience identifying and remediating security events and incidents
- Knowledge of SIEM and SOAR tools also beneficial
Course Goals
By the end of this course, students should be able to:
- Create and complete chain of custody and examination forms
- Determine how and where to securely store case evidence and related data
- Determine the best data retention, destruction, and backup procedures for their organization
- Write comprehensive contemporaneous notes and capture information relevant to security cases
