Digital Forensics
www.isaca.org/cyber
Overview of Digital Forensics
1 Mohay, George M.; Alison Anderson; Byron Collie; Rodney D. McKemmish; Olivier de Vel; Computer and Intrusion Forensics, Artech House, USA, 2003
2 Ibid.
3 The International Society of Forensic Computer Examiners®, “Certified Computer Examiner,” www.isfce.com/history.htm
Early forensic tools, like MACE and Norton, provided basic recovery abilities, such as undelete and unformat. Most investigations were on a single workstation that was used by one individual. The open-source, community-driven model that is used today for digital forensic tool development makes tool evolution modular, extensible, robust and sustainable, across various platforms. Software and standards baselines provide a foundation that focuses on extensions, plug-ins and digital evidence bag (DEB) metaformat for development.

Government involvement in standardizations began in 1984, when the FBI established the Computer Analysis and Response Team (CART) to meet the growing demands of law enforcement for a more structured approach to examine evidence. By the early 1990s, the FBI was assisting the US Postal Service in creating its own computer forensics unit. A group of federal crime laboratory directors, which became the Scientific Working Group on Digital Evidence (SWGDE), began meeting twice a year to discuss areas of mutual interest. After Mark Pollitt, Unit Chief of CART, spoke to the directors about digital evidence and Scott Charney, CCIPS, discussed legal aspects of computer evidence and search warrant requirements for seizing digital evidence, another technical working group (TWG) was formed to address the forensic issues that are related to digital evidence.4 In the United Kingdom, the needs of law enforcement led to the creation of the National Hi-Tech Crime Unit in 2001, with resources that are centralized in London. The unit became the Serious Organised Crime Agency (SOCA) in 2006.

Following are further developments in digital forensics:
• 1993—The first International Conference on Computer Evidence was held in the United States.
• 1995—The International Organization on Computer Evidence (IOCE) was formed.
• 1998—G8 appointed IOCE to create international principles, guidelines and procedures for digital evidence and the INTERPOL Forensic Science Symposium, to respond to issues in computer forensics. With the advent of cases admitting digital evidence in court, there was a need for standardization.
• 2002—The SWGDE published “Best practices for Computer Forensics.”5
• 2004—The Budapest Convention on Cybercrime, which was signed in 2001, became effective. The convention worked to reconcile national computer crime laws, investigative techniques and international cooperation. The Convention was the first international treaty on crimes committed via the Internet and other computer networks, focusing on infringements of copyright, computer-related fraud, child pornography, hate crimes and violations of network security.6 The United States was the sixteenth country to ratify the Convention in 2006.7
• 2005—The International Organization for Standardization (ISO) published ISO 17025, General requirements for the competence of testing and calibration laboratories.
4 Morgan Whitcomb, Carrie; “An Historical Perspective of Digital Evidence: A Forensic Scientist’s View,” International Journal of Digital Evidence, Spring 2002, Volume 1, Issue 1, www.utica.edu/academic/institutes/ecii/publications/articles/9C4E695B-0B78-1059-3432402909E27BB4.pdf
5 Scientific Working Group on Digital Evidence, “Best Practices for Computer Forensics v1.0,” 15 November 2004, https://www.swgde.org/documents/Archived%20Documents/2004-11-15%20SWGDE%20Best%20Practices%20for%20Computer%20Forensics%20v1.0
6 Council of Europe, “Convention on Cybercrime,” Budapest, 23 November 2001, www.conventions.coe.int/Treaty/en/Treaties/html/185.htm
7 Anderson, Nate; “World’s Worst Internet Law ratified by Senate,” arstechnica.com, 4 August 2006, www.arstechnica.com/uncategorized/2006/08/7421/
In 2013, US President Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, which calls for a voluntary risk-based cybersecurity framework (the Cybersecurity Framework, or CSF) that is “prioritized, flexible, repeatable, performance-based, and cost-effective.” The National Institute of Standards and Technology (NIST) led the development of the CSF through an international partnership of organizations, including owners and operators of the nation’s critical infrastructure and ISACA. Key principles from the ISACA COBIT 5 business framework, which helps enterprises to govern and manage their information and technology, are embedded into the CSF.

Implementing the NIST Cybersecurity Framework guide implements the CSF using ISACA’s COBIT 5 processes. In the CSF, digital forensics is a subcategory in the Respond function and Analysis category of the Framework Core.8 The study guide for the ISACA Cybersecurity Fundamentals Certificate discusses digital forensics in the incident responses topic.9

TYPES OF INVESTIGATIONS
Although cybercrime activity and security breaches continue to rise, business requirements often take precedence over security requirements. This precedence leaves applications, systems and networks vulnerable to intrusion. When a breach occurs, the forensic analyst must locate the point of compromise. The mission criticality of the compromised application, system or network determines the level of investigation. A full forensic examination is less likely on a highly critical system because the system cannot be shut down or slowed down to do a full backup.

The two types of computer crime investigations are computer-based crime and computer-facilitated crime. In a computer-based crime, a computer or computers are used as the vehicle to commit a crime. In computer-facilitated crime, a computer is the target of a crime (e.g., a hacking incident or theft of information).10

Computer-based crimes are activities such as child pornography, cyberbullying, cyberstalking, spamming or cyberterrorism. Typically, computers and/or hard drives are seized as evidence and provided to a forensic expert to analyze. When a computer has been the target of a crime, usually the information system is compromised, and information on the system or network is stolen, or fraudulent documents are created. Digital forensics is used to capture volatile information from random access memory (RAM) and other running processes, including networks.11 It is important for the forensics expert to consider the following four areas of analyses:
• Storage media
• Hardware and operating systems
• Networks
• Applications
8 ISACA, Implementing the NIST Cybersecurity Framework, USA, 2014, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Implementing-the-NIST-Cybersecurity-Framework.aspx
9 ISACA, Cybersecurity Fundamentals Study Guide, USA, 2014, http://www.isaca.org/cyber/Pages/Cybersecurity-Fundamentals-Certificate.aspx
10 Hailey, Steve; “What is Computer Forensics?,” Cybersecurity Institute™, 19 September 2003, www.csisite.net/forensics.htm
11 Ibid.
12 Office of Legal Education Executive Office for US Attorneys, Prosecuting Computer Crimes, www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf
For a more comprehensive reading of applicable US federal laws, Prosecuting Computer Crimes is available for download from the Department of Justice.13 State statutes should also be considered, and consulting with a legal counsel is advised. Additional US laws14 include the following:
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Sarbanes-Oxley Act (SOX)
• Consumer Credit Protection Act
• Telephone Records and Privacy Protection Act

Internationally, the European Union (EU) developed a working document that pertains to the identification and handling of electronic evidence. The EU/Council of Europe (COE) Joint Project on Regional Cooperation against Cybercrime: Electronic Evidence Guide is a basic guide for law enforcement and judges.15

US law enforcement personnel who search and seize computers during an investigation should be aware of the requirements in the Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations manual, from the Department of Justice Computer Crime and Intellectual Property Section.16

DIGITAL FORENSICS POLICIES AND SET OF CONTROLS
The enterprise cybersecurity program should have policies that address all forensics considerations, such as contacting law enforcement, monitoring, and conducting regular reviews of forensics policies, guidelines and procedures. Good practice requires that policies are part of an overall governance and management framework, such as COBIT 5, from ISACA, which provides a hierarchical structure into which all policies should fit and link clearly to the underlying principles.17 Policies should be aligned with the enterprise risk appetite, which is determined in the risk governance activities, and are a key component of the enterprise system of internal control.18 Policies should allow authorized personnel to monitor systems and networks and perform investigations for legitimate reasons in appropriate circumstances. The policies should clearly define the roles and responsibilities of all people who perform or assist with the enterprise forensic activities.19 Policies, guidelines and procedures should clearly identify the tools that may be used in a forensic review and provide reasonable guidance on the use of those tools under various circumstances.

Note: Information security and cybersecurity require a comprehensive set of controls. The set of controls, audit category and reviews for cybersecurity investigations and forensics are explained in detail in the ISACA publication Transforming Cybersecurity.20 This publication applies the COBIT 5 framework and its component publications to transforming cybersecurity into a business process in a systemic way.
13 Ibid.
14 Bosworth, Seymour; M.E. Kabay; Computer Security Handbook Fourth Edition, John Wiley & Sons, Inc., October 2002
15 Council of Europe, Electronic Evidence Guide, 2013, http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/Documents/Electronic%20Evidence%20Guide/default_en.asp
16 Cybercrime.gov, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Office of Legal Education Executive Office for United States Attorneys, 2009, www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf
17 ISACA, COBIT® 5 for Assurance, USA, 2013, www.isaca.org/COBIT/Pages/Product-Family.aspx
18 Ibid.
19 Kent, Karen; Suzanne Chevalier; Tim Grance; Hung Dang; NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, Recommendations of the National Institute of Standards and Technology, National Institute of Standards and Technology (NIST), August 2006, www.csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
20 ISACA, Transforming Cybersecurity, USA, 2013, http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Transforming-Cybersecurity-Using-COBIT-5.aspx
Many cyberincidents can be handled more efficiently and effectively if forensics considerations are incorporated into the information system life cycle. Examples of such considerations follow:
• Perform regular backups of systems and maintain previous backups for a specific period of time.
• Enable auditing on workstations, servers and network devices.
• Forward audit records to secure centralized log servers.
• Configure mission-critical applications to perform auditing and include the recording of all authentication attempts.
• Maintain a database of file hashes for the files of common operating system and application deployments, and use file integrity checking software on particularly important assets.
• Maintain records (e.g., baselines) of network and system configurations.
• Establish data retention policies that support the performance of historical reviews of system and network activity, comply with requests or requirements to preserve data that are related to ongoing litigation and investigations, and destroy data that are no longer needed.21

DIGITAL FORENSICS SCIENTIFIC PROCESS
Ken Zatyko, the former director of the Defense Computer Forensics Laboratory, defined the following eight-step digital forensics scientific process:22
1. Obtain search authority—In a legal investigation, legal authority is required to conduct a search or seizure of data.
2. Document chain of custody—In legal contexts, chronological documentation of evidence handling is required to avoid allegations of evidence tampering or misconduct.
3. Image and hash—When digital evidence is found, it should be carefully duplicated and then hashed to validate the integrity of the copy.
4. Validate tools—When possible, tools that are used for forensics should be validated to ensure reliability and correctness.
5. Analyze—Forensic analysis is the execution of investigative and analytical techniques to examine the evidence.
6. Repeat and reproduce (quality assurance)—The procedures and conclusions of forensic analysis should be repeatable and reproducible by the same or other forensic analysts.
7. Report—The forensic analyst must document his/her analytical procedure and conclusions for use by others.
8. Possibly present expert testimony—In some cases, the forensic analyst will present his/her findings and conclusions to a court or another audience.

The process involves more than intrusion-related security incidents. Zatyko defines scientific digital forensics as: “The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.”23

As the process steps indicate, the digital forensic analyst meticulously handles, analyzes and reports on the evidence obtained, to present an objective opinion on the facts of a case without prejudice.
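
One way to make the chain-of-custody record in step 2 tamper-evident, as an added example that is not part of the original paper: each entry carries the SHA-256 of the entry before it, so a later edit, deletion or reordering shows up on verification. The field names, handlers, timestamps and evidence ID are constructed for illustration, and hash chaining is an assumption here, not something Zatyko's process prescribes.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first entry


def entry_hash(body):
    """SHA-256 over canonical JSON (sorted keys, fixed separators)."""
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def append_entry(log, when_utc, handler, action, evidence_id, evidence_sha256):
    """Append one custody event, bound to the entry before it by that entry's hash."""
    body = {
        "seq": len(log) + 1,
        "when_utc": when_utc,  # ISO 8601 UTC, so string order is time order
        "handler": handler,
        "action": action,
        "evidence_id": evidence_id,
        "evidence_sha256": evidence_sha256,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    log.append({**body, "hash": entry_hash(body)})
    return log[-1]


def verify_log(log):
    """Return (position, problem) for every inconsistency found in the log."""
    problems, prev, last_time, first_hash = [], GENESIS, "", {}
    for pos, entry in enumerate(log, start=1):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != pos:
            problems.append((pos, "sequence gap"))
        if entry["prev"] != prev:
            problems.append((pos, "previous-hash mismatch"))
        if entry_hash(body) != entry["hash"]:
            problems.append((pos, "entry altered"))
        if entry["when_utc"] < last_time:
            problems.append((pos, "timestamp out of order"))
        # The evidence itself must keep the hash it had when first logged.
        known = first_hash.setdefault(entry["evidence_id"], entry["evidence_sha256"])
        if known != entry["evidence_sha256"]:
            problems.append((pos, "evidence hash changed"))
        prev, last_time = entry["hash"], entry["when_utc"]
    return problems


def build_sample_log():
    """Constructed custody history for one drive image (names and times invented)."""
    image_hash = hashlib.sha256(b"constructed forensic image").hexdigest()
    events = [
        ("2015-03-02T10:15:00Z", "Examiner B", "imaged behind write blocker"),
        ("2015-03-02T11:00:00Z", "Evidence Clerk C", "sealed and placed in locker"),
        ("2015-03-09T13:30:00Z", "Examiner B", "checked out for analysis"),
        ("2015-03-09T17:10:00Z", "Evidence Clerk C", "returned to locker"),
    ]
    log = []
    for when_utc, handler, action in events:
        append_entry(log, when_utc, handler, action, "HDD-001", image_hash)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log:", verify_log(log))
    log[1]["handler"] = "Someone Else"  # an edit made after the fact
    print("after edit:", verify_log(log))
```

The hash of the newest entry should also be recorded somewhere outside the log, such as the case report, because a party who can rewrite every entry can rebuild the whole chain.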
21 Ibid.
22 Zatyko, Ken; “Commentary: Defining Digital Forensics,” Forensic Magazine, 2 January 2007, www.forensicmag.com/articles/2007/01/commentary-defining-digital-forensics
23 Ibid.
APPLYING VARIATIONS OF THE SCIENTIFIC METHOD
Scientists often use variations of the scientific method to solve problems. Deductive reasoning applies broad principles to predict specific answers (see figure 2). Conversely, inductive reasoning uses a series of specific pieces of information to extrapolate a broad conclusion. For example, forensic analysts might use inductive reasoning to determine where a cyberincident started.

Because physical evidence may never depict all the events that happened, inductive reasoning has a greater level of uncertainty. The conclusions are based on limited information rather than on a more solid scientific principle, but inductive reasoning can be useful when no broad principle can be applied. The forensic analyst identifies the best tools and approach for each case.24

[Figure 2: Inductive Reasoning and Deductive Reasoning. Labels: Observation, Experiment, Generalizations, Predictions, Paradigm/Theory]

Digital forensics follows a rigorous scientific process to present findings of fact to prove or disprove a hypothesis in a court
of law, civil proceeding or another action. Zatyko’s eight-step process can be grouped into three basic steps: acquisition,
analysis and reporting, which are discussed in the following paragraphs and shown in figure 3.
24 Forensics: Examining the Evidence, “Understanding the Scientific Method,” www.forensicbasics.org/science-law/what-constitutes-science/understanding-the-scientific-method/
[Figure 3. Data from: Zatyko, Ken, “Commentary: Defining Digital Forensics,” Forensic Magazine, 2 January 2007, www.forensicmag.com/articles/2007/01/commentary-defining-digital-forensics]
DATA COLLECTION
The acquisition of data begins with seizure, imaging or collection of digital evidence to capture suspect media or network traffic and logs, post breach. Enterprises typically assume that they have the right to monitor their internal networks and investigate their own equipment as long as they observe the privacy right of the employee. Employee privacy rights and the enterprise rights should be in written policies that are communicated to employees. In the United States, the Fourth Amendment covers seizures. Federal warrants are issued under Title 18 of the US Code for probable cause of a crime. However, exceptions allow data collection without a warrant for reasons such as consent, hot pursuit or plain view. In the United Kingdom, a magistrate issues warrants to a constable under Section 18 of the Police and Criminal Evidence Act. In the US, no one should ever go on site until after they read the search warrant to review the seizure authority and the affidavit for the reasoning and the items to be seized. Regardless of the country, enterprises should understand and follow local and country jurisdiction laws before seizing materials.

After digital media are acquired, an exact duplicate image (the forensic image) of the original media evidence is created and validated with hash values that have been calculated for the original digital media and the duplicate image. A hashing function, e.g., MD5, SHA-1 and SHA-256, applies a mathematical algorithm to the digital data and returns a fixed-size bit string hash value. Any change to the data will change the hash value. Data with the same hash value are identical. The hash value validates that the evidence is still in the original state. The original media evidence is write blocked and stored to prevent any further possible alteration. Hashing may not always be possible. Mobile devices and memory, in particular, may have to be treated differently to maintain evidence.
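
The acquisition check described above, as an added example that is not part of the original paper: the source is hashed while it is copied, the finished image is hashed from a fresh read, and the stored record lets the image be re-verified later. The in-memory sample media and all function names are constructed for illustration. Because MD5 and SHA-1 have known collision attacks, the record keeps SHA-256 alongside them.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory use flat on multi-terabyte media
ALGORITHMS = ("md5", "sha1", "sha256")  # the hash functions the text names


def digest_stream(stream, sink=None):
    """Hash a binary stream in one pass; optionally copy each block to sink."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    for block in iter(lambda: stream.read(CHUNK), b""):
        size += len(block)
        for hasher in hashers.values():
            hasher.update(block)
        if sink is not None:
            sink.write(block)
    return {"size": size, **{n: h.hexdigest() for n, h in hashers.items()}}


def acquire(source, image):
    """Image the source, hashing it as it is read, then hash the copy from a
    fresh read so that a bad write cannot go unnoticed."""
    original = digest_stream(source, sink=image)
    image.seek(0)
    copy = digest_stream(image)
    return {
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "original": original,
        "image": copy,
        "verified": original == copy,
    }


def reverify(image, record):
    """Re-hash the image later; return the recorded fields that no longer match."""
    image.seek(0)
    current = digest_stream(image)
    return [key for key, value in record["original"].items() if current[key] != value]


def make_sample_media():
    """Constructed stand-in for a write-blocked device (3 MiB + 17 bytes, so
    the final read is a short block)."""
    return io.BytesIO(bytes(range(256)) * (3 * 4096) + b"trailing-sectors!")


if __name__ == "__main__":
    media, image = make_sample_media(), io.BytesIO()
    record = acquire(media, image)
    print("verified at acquisition:", record["verified"])
    print("sha256:", record["image"]["sha256"])

    # Simulate a single flipped bit in the stored image.
    image.seek(1000)
    byte = image.read(1)[0]
    image.seek(1000)
    image.write(bytes([byte ^ 0x01]))
    print("fields that changed:", reverify(image, record))
```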
EXAMINATION AND ANALYSIS
After the duplicate image of the evidence is created, analysis can begin on the image. The digital forensic analyst may use specialized tools to uncover deleted or hidden material. Depending on the forensic request, the analyst can report findings about numerous types of information, e.g., email, chat logs, images, hacking software, documents and Internet history. After evidence is collected and analyzed, it is assembled to reconstruct events or actions and provide facts to the requesting party. These facts may identify people, places, items and events and determine how they are related so that a conclusion can be reached. This effort can include correlating data among multiple sources.25 In some environments, early case assessment (ECA) provides immediate review for the requesting parties, at which time they can ask for more advanced analysis. ECA typically involves imaging, indexing, archiving and an internal reporting mechanism for the requesting party to quickly access needed reconnaissance. ECA typically saves time and is often preferred over analysis.

REPORTING
After the analysis is complete, a report of the findings is developed, which outlines findings and methodologies. The provided exhibits may include attribution of file ownership, chat logs, images and emails; detailed login/logoff times; entry into facility logs and anything that places the suspect at the device at the same time and location of an event. The findings can be used to confirm or disprove alibis and provided statements. Digital evidence can also be used to prove intent. The completed report is given to the investigator, who is usually from law enforcement in a criminal matter or a designated senior manager in a civil action. Further actions are determined after the report is reviewed.

Digital forensic analysts provide facts and impart knowledge to give expert opinion only when they are required to do so in court. They never seek to aid or blame. Instead, analysts provide a scientific basis so that the court, company or other requesting party may use the unbiased evidence and gain a better understanding of events.

BRANCHES OF DIGITAL FORENSICS
Computer forensics is the oldest and most stable discipline of digital forensics. It concentrates on developing evidence from a computer and associated digital storage devices in a forensically sound manner to preserve, develop, recover when necessary, analyze and present facts in a clear and concise manner. In computer forensics, after the storage device is acquired, it is standard practice for an analyst to create a disk image from which to work. If the original device is confiscated, it is safely stored as evidence. Sometimes a device is not confiscated so that additional evidence can be gathered and future activities can be monitored. The forensic analyst creates a disk image of the device to preserve the original evidence. Today, virtual drives may also be used as a way to emulate an entire machine.

A number of techniques are used in computer forensics investigations. Cross-drive analysis correlates information that is found on multiple hard drives, which are being used to identify social networks. Live analysis extracts dates using existing system administration or developed forensic tools. Recovering deleted files is often in the news, and it remains a mainstay of forensics for recovering evidence. Because files are not erased, but are overwritten eventually, over a period of time, an analyst has time to reconstruct deleted files.
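
Why deleted files remain recoverable until their sectors are reused, shown as an added example that is not part of the original paper: a signature-based carver (one common recovery technique, assumed here since the paper names none) scans a raw image for JPEG start and end markers without consulting the file system. The 4 KiB image is constructed, and the carver assumes unfragmented files that begin on a sector boundary.

```python
SECTOR = 512
JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker plus lead byte of the next marker
JPEG_EOI = b"\xff\xd9"      # end-of-image marker
MAX_CARVE = 64 * 1024       # how far past a header to look for the footer


def carve_jpegs(image, max_size=MAX_CARVE):
    """Scan sector boundaries for JPEG headers, ignoring the file system.
    Each hit is complete (footer found) or truncated (the tail was reused
    by newer data before the footer could be found)."""
    hits = []
    for offset in range(0, len(image), SECTOR):
        if image[offset:offset + 3] != JPEG_SOI:
            continue
        window = image[offset:offset + max_size]
        footer = window.find(JPEG_EOI, 3)
        # A second header on a later sector boundary before the footer means
        # this file's tail is gone and the footer belongs to another file.
        next_header = next(
            (rel for rel in range(SECTOR, len(window), SECTOR)
             if window[rel:rel + 3] == JPEG_SOI),
            None,
        )
        complete = footer != -1 and (next_header is None or footer < next_header)
        hits.append({
            "offset": offset,
            "length": footer + len(JPEG_EOI) if complete else None,
            "complete": complete,
        })
    return hits


def extract(image, hit):
    """Return the carved bytes for a complete hit."""
    return image[hit["offset"]:hit["offset"] + hit["length"]]


def make_sample_image():
    """Constructed 4 KiB raw image: two allocated sectors, a deleted JPEG whose
    sectors were never reused, and a deleted JPEG whose tail was overwritten."""
    def pad(data):
        return data + b"\x00" * (-len(data) % SECTOR)

    live_file = b"A" * (2 * SECTOR)
    intact = JPEG_SOI + b"\xe0" + b"\x11" * 1294 + JPEG_EOI   # 1300 bytes
    overwritten = JPEG_SOI + b"\xe0" + b"\x22" * (SECTOR - 4)  # header sector only
    newer_file = b"B" * (2 * SECTOR)                           # reused the tail
    return pad(live_file) + pad(intact) + overwritten + newer_file


if __name__ == "__main__":
    image = make_sample_image()
    for hit in carve_jpegs(image):
        state = "recoverable" if hit["complete"] else "tail overwritten"
        print(f"header at byte {hit['offset']}: {state}, length={hit['length']}")
```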
25 Op cit. Kent
Network forensics is a relatively new field within digital forensics. Generally, network forensics focuses on monitoring and analyzing computer network traffic to gather evidence of exceeding authorization or detect an intrusion from a party with no authorization to be on that system or network. Because network traffic is volatile and dynamic, analysts must be proactive in their approach to capturing information. Network forensics takes two approaches to gathering information:
• The more traditional approach catches and stores all data for analysis at a later time (e.g., logging the Internet usage of all users and only reviewing the data after an alert).
• The second approach scans the data that pass through the network and is selective about the data that are captured (e.g., only logging blocked sites and specific file formats from user activity).

The benefit of the first approach is that the analyst has all the information, but the negative aspect is that a large amount of archival storage space is needed and analysis is done later. In the second approach, the analyst does not need to waste time filtering, but the approach requires faster processing speed to manage incoming network traffic. Because data gathering is minimized, the likelihood of private or sensitive information being captured is substantially reduced. Digital forensic analysts can review network communications from obscure sources such as BitTorrent clients, PlayStation® and Xbox® game consoles, and Raspberry Pi. Network forensics continues to grow, due to the popularity of wireless communication, obfuscated communication (e.g., Tor anonymity software), and mobile devices.

Mobile device forensics has its roots in about 2000, when mobile devices started to become popular. Forensics of mobile devices includes cell phones, but can also include Universal Serial Bus (USB) drives, personal digital assistants (PDAs), global positioning systems (GPSs), cameras and tablet devices. From a law enforcement perspective, these data sources may provide a wealth of personal information, such as contacts, emails, web browsing information, photos, videos, calendars, geolocation, and social network messages and contacts. Mobile devices present greater challenges in handling due to memory volatility, so proper handling procedures must be followed to protect digital data.

Most mobile devices have a basic set of comparable features and capabilities. They house a microprocessor, read-only memory (ROM), random access memory (RAM), a radio module, a digital signal processor, a microphone and speaker, a variety of hardware keys and interfaces, and a liquid crystal display (LCD). The operating system of a mobile device may be stored in either NAND or NOR memory, while code execution typically occurs in RAM.26 Generally, the information collected comes from internal memory (flash memory) or external memory (subscriber identity module [SIM], Secure Digital [SD], MultiMediaCard [MMC], CompactFlash [CF] cards or memory sticks). Call records and mobile backups can also be obtained through carriers, which provide other information that is useful in developing evidence, especially in cases of encryption. For a more complete understanding of techniques for handling mobile devices, NIST SP 800-101, Guidelines on Mobile Device Forensics27 and the SWGDE “Best Practices for Mobile Phone Forensics”28 should be reviewed.

Encryption has become the standard on Windows® 8.1, Mac® OSX 10.9, and will continue to be a challenge in the field. Circumventing encryption can involve a few steps, including memory capture for passwords in RAM, password cracking of a system image, interrogating the suspect or obtaining a search warrant for a mobile backup of a phone from a service provider. There are endless ways to defeat encryption, but forensic analysts must be willing to evolve with technology. This may include the biggest taboo in the field: modifying the user’s data in order to obtain said encryption keys. Memory forensics is too large a topic to be discussed here, but previewing applications and obtaining data from RAM leaves a footprint. Having a standardized process and taking copious notes are just two ways to justify actions in the field, but this does not erase the blurred lines.
26 Ayers, Rick; Sam Brothers; Wayne Jansen; NIST SP 800-101 Rev 1, Guidelines on Mobile Device Forensics, National Institute of Standards and Technology (NIST), May 2014, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf
27 Ibid.
28 Scientific Working Group on Digital Evidence, “SWGDE Best Practices for Mobile Phone Forensics, Version: 2.0,” 11 February 2013, www.swgde.org/documents/Current%20Documents/2013-02-11%20SWGDE%20Best%20Practices%20for%20Mobile%20Phone%20Forensics%20V2-0
CONCLUSION
Digital forensics is a growing field with much diversity in the technologies in which a professional can specialize. From the early stages of digital forensics, when evidence was collected from a stand-alone machine, to the highly networked cloud and mobile environment of today, digital forensic analysts have always taken great care while handling and preserving electronic information. Developing a step-by-step approach to preserve information for each new type of technology has evolved along with the field. The National Academy of Science recently identified digital forensics as a subfield within cybersecurity. As Scott Charney, head of the Department of Justice, Computer Crimes and Intellectual Property Section (CCIPS), stated, “The Internet crime problem is going to get worse. How do I know? Simple. There is always a percentage of the population who are up to no good. As the entire population moves to the Internet, so will the criminals.”

Note: Because not all aspects of the digital forensics field could be covered in this paper, such as eDiscovery and anti-forensics techniques, the reader can explore the field further to gain a wider knowledge of digital forensics.

ACKNOWLEDGMENTS
Expert Reviewers
Jaime Buzzeo, USA
Joel Valverde, USA
Alexander Applegate, USA

ISACA Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Clyde Consulting LLC, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, SABIC, Saudi Arabia, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, Capital One, UK
Charlie Blanchard, CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, ISO 27001 LA, CISSP, DHL Global Forwarding & Freight, Germany

Cybersecurity Task Force
Eddie Schwartz, CISA, CISM, CISSP, MCSE, PMP, USA, Chairman
Manuel Aceves, CISA, CISM, CGEIT, CRISC, CISSP, FCITSM, Cerberian Consulting, SA de CV, Mexico
Sanjay Bahl, CISM, CIPP, India
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, Capital One, UK
Brent Conran, CISA, CISM, CISSP, USA
Derek Grocke, HAMBS, Australia
Samuel Linares, CISA, CISM, CGEIT, CRISC, CISSP, GICSP, Industrial Cybersecurity Center (CCI), Spain
Marc Sachs, Verizon, USA