UnixTime

Research Note

RISK-0006 Evidence Integrity Loss Due to Weak Chain of Custody

Because incident evidence is collected or stored without integrity controls, investigation, legal, regulatory, disciplinary, or audit conclusions may not be defensible.

On this page

RISK-0006

Risk summary

Likelihood
3
Impact
5
Score
15
Level
High
  1. 01

    Asset

    Incident evidence, logs, forensic images, screenshots, statements, access records, and chain-of-custody records.

    Business object or system that needs protection.
  2. 02

    Threat

    Evidence contamination, overwriting, unauthorized access, missing metadata, legal challenge, or audit rejection.

    Event, actor, or condition that can create harm.
  3. 03

    Vulnerability

    No evidence collection trigger, no chain-of-custody record, broad evidence storage access, missing integrity checks, and responders modifying systems before evidence is preserved.

    Weakness that makes the threat relevant.
  4. 04

    Risk

    Because incident evidence is collected or stored without integrity controls, investigation, legal, regulatory, disciplinary, or audit conclusions may not be defensible.

    Scenario evaluated with likelihood, impact, and ownership.
  5. 05

    Treatment

    Mitigate through evidence collection procedures, chain-of-custody logging, restricted evidence storage, integrity checks, retention rules, and early evidence decisions during response.

    Decision path for reducing, accepting, transferring, or avoiding risk.

Assessment Rationale

Likelihood

The likelihood is medium because incident responders are under pressure to restore service. Without a disciplined collection process, evidence preservation is often treated as secondary.

Impact

The impact is high because weak evidence can block root-cause analysis, weaken legal or disciplinary action, reduce insurance or regulatory defensibility, and create audit findings.

Residual Risk

After treatment, residual risk is estimated as medium if evidence records show integrity checks, custody transfers, access restrictions, and retention decisions.

Review Notes

Review after investigations, legal holds, audit findings, and changes to logging, storage, or incident response tooling.

Software Object Mapping

  • risk
  • evidence
  • chain_of_custody
  • control
  • Iso27005
  • Risk
  • Iso27001
  • Incident management
  • Evidence

Note Metadata

Aliases: RISK-0006

Source: 05-Risk-Knowledge-Base/RISK-0006-Evidence-Integrity-Loss.md