Certified Information Security Manager (CISM) — Question 664
An employee who denies accusations of downloading inappropriate material to an organizational device has been discharged. In support of the disciplinary action, the collection of legal evidence is required. Which of the following is the information security manager's BEST recommendation?
Answer options
- A. Delete all inappropriate material after taking a local copy
- B. Create a forensic image of the original file system
- C. Log in to the employee's device and create a local copy to USB drive
- D. Rely on server backup allowing strict access control
Correct answer: B
Explanation
Creating a forensic image of the original file system is crucial because it preserves the evidence in its original state, ensuring its integrity for potential legal proceedings. Deleting material or merely creating a local copy may compromise the evidence, while relying on server backups does not provide direct access to the original device's data.