In the course of responding 10 an information security incident, the BEST way to treat evidence for possible legal action is defined by:
A . international standards.
B . local regulations.
C . generally accepted best practices.
D . organizational security policies.
Answer: B
Explanation:
Legal follow-up will most likely be performed locally where the incident took place; therefore, it is critical that the procedure of treating evidence is in compliance with local regulations. In certain countries, there are strict regulations on what information can be collected. When evidence collected is not in compliance with local regulations, it may not be admissible in court. There are no common regulations to treat computer evidence that are accepted internationally. Generally accepted best practices such as a common chain-of-custody concept may have different implementation in different countries, and thus may not be a good assurance that evidence will be admissible. Local regulations always take precedence over organizational security policies.