Wednesday, November 25, 2020

Metrics & CISO Series

How well are digital forensic laboratories coping and performing, whether accredited to ISO17025 or not, in a Covid-19 world? Are Metrics relevant to digital forensics?

In the first instance it largely depends on whether there is a need for a Qualitative and Quantitative (Q&Q) process in place that requires measurement to understand Capex, RoI, the performance of people and systems (for test and measurement), security (detection and prevention), information security management and so on. Where labs are taxpayer funded then of course they should be scrutinised, irrespective of whether they are law enforcement or not. This isn't a criticism of publicly funded labs, but a distinction does need to be made where private labs use capital expenditure to drive their operation in order to gain a return on investment. For large organisations, public and private alike, Metrics shine a spotlight on their operational performance (successes and failures).

In the second instance the simple answer is Yes, but subject of course to whether (?) the requirement exists. The question mark arises as to whether any implementation has actually taken place. Talking about it is one thing. Acting upon it is another. If the second question is considered first, it may reveal what impact there has been since Covid-19 and where to target resources.

Back in 2013, when the rumblings about ISO17025 were gathering pace, a book came out by David Watson & Andrew Jones titled 'Digital Forensics Processing and Procedures: Meeting the Requirements of ISO17020, ISO17025, ISO27001 and Best Practice Requirements' (Copyright 2013 Elsevier, Inc.; ISBN: 978-1-59749-742-8). This book shed light on the processes and procedures needed to run an accredited laboratory under ISO17025 plus the associated dependency standards ISO17020 and ISO27001.

There are other books, but as a starting point 'Digital Forensics Processing and Procedures: Meeting the Requirements of ISO17020, ISO17025, ISO27001 and Best Practice Requirements' has multiple landing points dealing with the need for Metrics. Furthermore, ISO27001 concerning information security is a very important standard, as is ISO9001 regarding quality assurance. The book goes further still, covering to the broadest extent possible the various ISO standards that have application to accredited laboratories.

In addition to the above international standards there are national standards to be considered, and guidance from authorised bodies that oversee compliance. In the UK the Forensic Science Regulator (FSR) oversees the requirement for accredited laboratories. The latest FSR publication, titled 'Codes of Practice and Conduct for forensic science providers and practitioners in the Criminal Justice System FSR-C-100 Issue 5', can be downloaded using the weblink below:

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/880708/Codes_of_Practice_and_Conduct_-_Issue_5.pdf 

The Codes of Practice and Conduct identify the standards etc. that the FSR considers fundamental for assessing compliance. Moreover, the Codes come with dependency obligations, and a notable one is 'Information Legal Obligations FSR-I-400 Issue 7'. This document contains the express requirement for the production of 'Metric' results as a legal obligation; FSR-I-400 takes its direction here from European Union Directive 80/181/EEC, which sets out obligations on Member States to implement legal requirements with regard to the use of units of measurement. The FSR makes express use of these legal obligations, which create implied terms that Metrics equally form part of the Codes' assessment for compliance. The latest FSR-I-400 can be downloaded using the weblink below:

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/795995/FSR_Legal_Obligations_-_Issue_7.pdf

It is the above matters, arising from earlier released documents from the FSR and various digital forensic books, that set my project path for the last 15 months: to see how the professionals in the information security management, cybersecurity, risk assessment etc. sectors identify the indicators to be sampled and measured for Metrics, and how quality and accuracy are defined in these sectors. I have slowly been publishing my findings in a series of discussion papers, and these can be downloaded using the weblinks below:

Metrics papers for cyber security & CISO - Colourful, glossy, high-quality imaged research publications can look really good, but ultimately it is the depth of knowledge gained from the research that pays off. Why? How do you know your Metrics criteria are relevant to your organisation if you weren't sure what questions to address at the get-go?!

https://www.dropbox.com/s/kqsdo3dpsu2k03k/Metrics%20papers%20for%20cyber%20security%20%26%20CISO.pdf  

Importance of Metrics - The opening 'Foreword' in George Campbell's book "Measuring and Communicating Security's Value: A Compendium of Metrics for Enterprise Protection" (2015) [Elsevier - ISBN: 978-0-12-802841-4] is by Dave Komendat, Chief Security Officer, The Boeing Company. Dave sets out compellingly why Metrics are so important to a CSO.

https://www.dropbox.com/s/94ek2jxtrwwt3um/Importance%20of%20Metrics.pdf

Metrics, CPS & CISO - This is my third byte-size posting on Metrics. The pdf is only a scoping document, discussing in an understated, conversational and readable way a subject-matter that is far more convoluted, complex and complicated.

https://www.dropbox.com/s/4u3c8lyn2k1gxx1/Metrics%2C%20CPS%20%26%20CISO.pdf

Metrics - Quality, Accuracy & more and CISO Part1

https://www.dropbox.com/s/t9sk46grg2p7xi9/Metrics%20-%20Quality%2C%20Accuracy%20%26%20more%20and%20CISO%20Part1.pdf

This discussion will be updated with further discussion papers to download.