ISO/IEC 27001 Control 5.28: Collection of evidence

The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

MidPoint is one of important sources of evidence for incident investigation. Additionally, midPoint access control capabilities can be used to preserve evidence.

MidPoint is essential system for identity administration and governance, which makes it one of the most important sources of evidence. Reporting capabilities can be used to provide current information, while audit trail and meta-data can provide insights into past state of information before the incident, and changes occurred during the incident. Synchronization capability can be used to discover discrepancies between the policy and reality, discovering illegal accounts and privileges that were either created by attacker, or that are leftovers from incident response. Access control mechanisms, especially the segregation of duties (SoD) mechanism, can be used to assist in evidence preservation. E.g. the SoD mechanism can be used to limit possibilities of "history rewriting" by modification of midPoint audit trail, by excluding database administration and midPoint administration roles, ensuring that no single person has full control over content of audit trail.