EN ISO IEC 30121-2016 en Information technology - Governance of digital forensic risk framework (Information technology - Governance of digital forensic risk framework (ISO IEC 30121 2015)).pdf

Uploaded by: ownview251. Document ID: 727105. Upload date: 2019-01-09. Format: PDF. Pages: 16. Size: 2.06 MB.

BS EN ISO/IEC 30121:2016 (ISO/IEC 30121:2015)
BSI Standards Publication

Information technology - Governance of digital forensic risk framework

National foreword

This British Standard is the UK implementation of EN ISO/IEC 30121:2016. It is identical to ISO/IEC 30121:2015. It supersedes BS ISO/IEC 30121:2015, which is withdrawn.

The UK participation in its preparation was entrusted by Technical Committee IST/33, IT - Security techniques, to Subcommittee IST/33/4, Security Controls and Services.

A list of organizations represented on this subcommittee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2016. Published by BSI Standards Limited 2016.

ISBN 978 0 580 92356 2
ICS 35.080

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 March 2015.

Amendments/corrigenda issued since publication

Date: 30 September 2016. Text affected: This corrigendum renumbers BS ISO/IEC 30121:2015 as BS EN ISO/IEC 30121:2016.

EUROPEAN STANDARD / NORME EUROPÉENNE / EUROPÄISCHE NORM
EN ISO/IEC 30121
August 2016
ICS 35.080

English Version

Information technology - Governance of digital forensic risk framework (ISO/IEC 30121:2015)
Technologies de l'information - Gouvernance du cadre de risque forensique numérique (ISO/IEC 30121:2015)
Informationstechnik - Leitfaden für die Betriebsführung digitaler Forensik (ISO/IEC 30121:2015)

This European Standard was approved by CEN on 19 June 2016.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels

© 2016 CEN and CENELEC. All rights of exploitation in any form and by any means reserved worldwide for CEN and CENELEC national Members.

Ref. No. EN ISO/IEC 30121:2016 E

European foreword

The text of ISO/IEC 30121:2015 has been prepared by Technical Committee ISO/IEC JTC 1 "Information technology" of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and has been taken over as EN ISO/IEC 30121:2016.

This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by February 2017, and conflicting national standards shall be withdrawn at the latest by February 2017.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights.

According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

Endorsement notice

The text of ISO/IEC 30121:2015 has been approved by CEN as EN ISO/IEC 30121:2016 without any modification.

ISO/IEC 30121:2015(E)
© ISO/IEC 2015 All rights reserved

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
4.1 Responsibility
4.2 Strategy
4.3 Acquisition
4.4 Performance
4.5 Conformance
4.6 Human behaviour
5 The framework
5.1 Stakeholder mandate
5.2 Establishment
5.3 Evaluate
5.4 Direct
5.5 Monitor
6 Processes
6.1 Archival strategy
6.2 Discovery strategy
6.3 Disclosure strategy
6.4 Digital forensic capability strategy
6.5 Risk compliance strategy
7 Metrics
7.1 General
7.2 Key goal indicators
7.3 Key performance indicators
7.4 Key business indicators
Annex A (informative) International Standard overview
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following URL: Foreword - Supplementary information.

The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 40, IT Service Management and IT Governance.

Introduction

Organizations of any kind face both internal and external factors and influences that can lead to the occurrence of legal actions and placement of demands on the Information Technology (IT) and related Information Systems (IS) to disclose digital evidence. The occurrence of legal action may be the result of an uncertain, unplanned, or unexpected event, or it may occur as a planned course of action against employees, competitors, or service suppliers. Whether a risk is significant or not will depend on the level of risk and the organization's risk attitude. Its risk attitude will be reflected in its risk criteria. Because it is almost certain that digital evidence will be discovered and, therefore, be subject to legal disclosure, organizations should plan and develop capability to deal with such legal actions before they occur.

This International Standard is about the prudent strategic preparation for digital investigation of an organization. Forensic readiness assures that an organization has made the appropriate and relevant strategic preparation for accepting potential events of an evidential nature. Actions may occur as the result of inevitable security breaches, fraud, and reputation assertion. In every situation, IT should be strategically deployed to maximise the effectiveness of evidential availability, accessibility, and cost efficiency.

The responsibility of the Governing body is to provide strategic direction in all matters of relevance to the organization. The Governing body is informed by principles of best practice that provide general guidance on matters of certainty and compliance. These principles may come from legal mandates, standards, or social and cultural imperatives. In this International Standard, the principles come from ISO/IEC 38500 for the guidance of best practice for the governance of IT (Clause 4).

Principles require implementation. The tasks of governance are to evaluate proposals and plans, to monitor performance and conformance, and to direct strategy and policies. The stakeholders of an organization may provide the mandate for governance, and the Governing body has the ultimate ownership of risk. A framework for the governance of digital forensic risk is established by the owners of risk taking appropriate actions to assure the strategic direction of the organization. Hence, the strategic objective is to implement the principles and to assure adequate preparation for digital investigation (Clause 5).

The framework requires strategic processes to deliver direction to executives and top managers. The strategic processes are selected to assure adequate scope and are principally archival, discovery, disclosure, capability, and risk criteria compliance (Clause 6).

The goals derived from the principles are measurable through Key Goal Indicators (KGIs), the strategic objectives derived from the strategies are measurable through the Key Performance Indicators (KPIs), and the variation between the KGI and KPI measures is an indication of the organization's business performance (KBIs) (Clause 7).

This International Standard should be used in conjunction with the vocabulary contained in ISO Guide 73:2009; ISO/IEC 35802, Information technology - Governance of IT framework and model; and ISO/IEC 38500, Information technology - Governance of IT for the organization.

INTERNATIONAL STANDARD ISO/IEC 30121:2015(E)

Information technology - Governance of digital forensic risk framework

1 Scope

This International Standard provides a framework for Governing bodies of organizations (including owners, board members, directors, partners, senior executives, or similar) on the best way to prepare an organization for digital investigations before they occur. This International Standard applies to the development of strategic processes (and decisions) relating to the retention, availability, access, and cost effectiveness of digital evidence disclosure. This International Standard is applicable to all types and sizes of organizations.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 38500, Information technology - Governance of IT for the organization
ISO Guide 73:2009, Risk management - Vocabulary

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 38500, ISO Guide 73:2009, and the following apply.

3.1 digital evidence
information or data stored or transmitted in binary form that may be relied upon as evidence
[SOURCE: ISO/IEC 27037:2012, 3.5]

3.2 Governing body
person or group of people who are accountable to stakeholders for the performance and conformance of the organization
[SOURCE: ISO/IEC TR 38502:2014, 2.9]

3.3 digital forensics
scientific tasks, techniques, and practices used in the investigation of stored or transmitted binary information or data for legal purposes

3.4 strategic risk
effect of uncertainty on goals

4 Principles

4.1 Responsibility

Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for, digital evidence. Those with responsibility for investigations also have the skill, independence and authority to perform those actions.

4.2 Strategy

The organization's strategy development takes into account the current and future retention, availability, access to and cost effectiveness of digital evidence; the strategic plans for evidential capability satisfy the current and ongoing needs of the organization.

4.3 Acquisition

IT asset acquisitions are made to support the organization's strategies, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term.

4.4 Performance

IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future organization digital evidence requirements.

4.5 Conformance

IT assets comply with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced in accordance with the organization's risk criteria.

4.6 Human behaviour

Digital forensic policies, practices and decisions demonstrate respect for human behaviour, including the current and evolving needs of all the people in the organization's processes.

5 The framework

5.1 Stakeholder mandate

The Governing body should be constituted to represent the stakeholders, is to have the authority to set the strategic direction of the organization, and should establish the capabilities to function.

5.2 Establishment

The work cycle of the Governing body should be aligned with the tasks of Evaluate, Direct, Monitor, and should facilitate the adoption of strategic policy, strategic planning and strategic capability.

5.3 Evaluate

The Governing body should examine and make judgement on the current and future requirements for digital evidence,
