Incident Response

3 key considerations and 3 best practices for data collection from the experts

Just before the holidays, Exterro hosted a webinar, Critical Data Collection Methodologies and Use Cases, featuring data collection experts from the United Kingdom and EU, including Sarah Hargreaves, VP of Global Training at Exterro; Carlo Vreugde, Data Protection Manager for the government of the Netherlands; and Dr. Cedric Krummes, Information Governance Officer at HS2 Limited.

Without further ado, let’s dig into three key considerations that inform the best practices mentioned later in this article.

Key consideration #1: Understand the purpose of your data collection.

Criminal forensic data collection is potentially very different from more targeted e-discovery-based, legal-based or even privacy-based collections. This distinction will inform how much data you collect, what types of data you collect, the technical challenges you might face, and the technology you’ll use to collect it.

In a government setting, you might be collecting data from government officials or citizens, and they lend themselves to being treated differently. For citizens, there will be privacy concerns, as you will have a variety of interlinked data types around each citizen, from administrative, to medical, to financial records.

On the other hand, a data subject access request (DSAR) will have very defined, finite boundaries. Ideally you should know what data you have on each subject, where it is stored, how it is used, and how to readily retrieve it. You won’t be conducting a forensic deep dive; rather, you need to fulfill the operational requests efficiently in the time allotted by a regulatory body.

Key consideration #2: Be aware of the limitations of search.

You can only search for what you know you need to search for. Beyond that, you’ll need to understand the methods and software capabilities that reveal data relationships, such as emails and their attachments, contextual data that is similar or linked to other pieces of data, content clustering, and relationships between the individuals who are custodians, owners or subjects of the data.

Key consideration #3: Understand the landscape of data sources.

Even a couple of years ago, before COVID sent large swathes of the workforce into remote-first, work from home environments, many data collections would be able to focus on in-office devices. This change has resulted in a much-increased potential for data leakage or “rogue devices.” These devices might be personal phones, tablets, or laptops—and you, as a data collector, may not be fully aware of all of these devices.

You need to have processes in place to account for these additional data sources. For security purposes, you may mandate multi-factor authentication to reduce the risk of loss of sensitive data. To make collection more efficient, you may need to update and make explicit policies restricting or defining appropriate use of personal devices for work purposes, as well as when or if it is acceptable to use work devices for personal purposes.

With those key considerations in mind, here are five best practices you should take to heart and implement in your data collections.

Best practice #1: Know your data. Understand your data environment. What types of data do you possess? Where are they? Do you have the appropriate tools you need to collect from the various types of data that are in your organization, or are likely to crop up in your investigation?

Best practice #2: Document your processes and procedures. Make sure everyone in your organization understands why the data they’re responsible for is important, what it is used for, and their responsibilities to ensure its security. With documented procedures, if there is a data breach or incident, you can go back and see what went wrong.

Best practice #3: Have a security information and event management (SIEM) system or security operations center (SOC). Collect and analyze security event logs routinely. That way, when everything goes smoothly, you know there's nothing wrong: everything is registered and everything is stored. And when something happens, you can go back and look into the data logs, review the analysis, identify where mistakes happened, and then learn lessons and rectify potential missteps before they happen again.

If you want to learn more about this topic, attend the on-demand webinar, Critical Data Collection Methodologies and Use Cases.

Tim Rollins, E-Discovery Market Analyst at Exterro
