17.3.13 Data Forensics

Data forensics is the practice of identifying, extracting and examining data in response to incidents. This may include data held in on IT assets, e-mail, SharePoint, or any other digital repositories.

Data forensics are normally performed after consultation with and consent from the data owner. In cases where the data owner does not consent or where legal or other requirements prevent seeking the consent of the data owner, the approval procedure described below will be used.

As an overarching principle, data forensics should folow PRP 1.3.2 Respectrul Workplace Policy.

The incidents triggering data forensics, along with the data and IT assets involved, are often sensitive or confidential in nature. The Data Forensics Procedure ensures that all data forensics activities throughout this process are performed in a way that satisfies objectivity, integrity and authenticity of the information examined. The procedure requires that appropriate approvals are given, that the privileges of the parties involved are segregated, and that access to data is limited to only that relevant to the incident.

Request
The data forensics investigation request form (hereinafter referred to as "Request Form" in this section) is completed by the individual (the Investigator) tasked with performing the examination of the data, or responsible for the transfer of custody of the data in cases involving the police, a court or an equivalent authority. The Request Form should include:

• The reasoning behind the request
• The data to be targeted as part of the request
• The duration for which access to the data will be required​
• Whether the data owner will be informed and requested to approve the request (normal approval procedure)
• If not, the reasoning why the data owner cannot be informed or consent cannot be obtained

Approval Procedure

1. Approval by data owner:
   The data owner should always be asked first to approve the access to the data. If the data owner does not agree or cannot be asked, one of the two following approval procedures apply.
2. Simplified approval for the following cases:
   1. Internal request by a Compliance Investigatory Committee, Public Research Fund Investigatory Committee or Substantial Investigation Committee (PRP Chapter 23), or other Committees (PRP Chapter 39).
   2. External request or order by the police, a court or an equivalent authority.

The Request Form must be approved by:

• a Vice President, a Dean, the Secretary General or the Provost;
• the General Counsel; and
• the data owner or the President

Notwithstanding the above, the Investigator cannot serve as one of the approvers mentioned above.

3. Approval for all other cases:
   In all other cases, the Request Form must be approved by both the Approval Committee specified below, the General Councel and the President.
   The Approval Committee consists of;
   1. Chair of the Faculty Assembly or their delegate
   2. Secretary General or their delegate
   3. A third committee member will be one of the VPs in the University's administration, to be selected in agreement by the two standing committee members, considering the relevant matter and potential conflict of interest.
      The selection must be made within 24 hours of convening.

In the case that one of the above is the Investigator, that committee member will be replaced by the Provost or by another executive approved by the Chair of the Faculty or their delegate.

The Approval Committee has the authority to deny the request, to approve the request or to approve the request with changes.

Verification
The CIO or delegated representative will receive the request and verify that the appropriate approvals have been provided. They will then appoint a member of the IT Division or the Information Security Section to extract the relevant data. The IT Division or the Information Security Section will have the ability to engage a forensics consultant when deemed necessary.

Extraction
The member of the IT Division, the Information Security Section, or forensics consultant performing the investigation (the Investigator) will extract the requested data to an encrypted, dedicated temporary PC, and give custody to the CIO or a delegated representative.

Access
The CIO or delegated representative will then give custody of the temporary PC and associated access credentials to the Investigator. The Investigator will restrict the data search to material relevant to the request, based, for example, on the subject or the recipient of a message. Privacy of personal communications and the rights of third parties should be respected as much as possible.

Deletion
Once the access duration period has expired, the CIO will ensure the temporary PC is returned and all extracted data is securely erased.

Reporting
The CIO will prepare and send a final report to the President that describes the result of the data forensics activity, and confirms the date of deletion of the data extracted.

The CIO will report annually to the Board of Governors, the Executive Committee and the Faculty Assembly the number of requests and approvals in each of the three approval procedures.

Filing
The Request Form will be filed within the Information Security Section, along with the final report.

Responses to IT security incidents are not covered here, and are instead covered under the 17.3.12, Information Security Incident Response [Link: 17.3.12] in this Chapter.