ISO/IEC 27001 Control 5.28: Collection of evidence

Control

The organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

Necessity of MidPoint

MidPoint's contribution to implementation of this control is marginal.

Implementation of this control lies mostly outside the scope of identity governance and administration (IGA), therefore midPoint cannot provide a significant advantage. However, midPoint can still provide minor supporting information and functionality.

Implementation Overview

MidPoint is one of the important sources of evidence for incident investigation. Additionally, midPoint access control capabilities can be used to help preserve evidence.

Implementation Details

MidPoint is an essential system for identity administration and governance, which makes it one of the most important sources of evidence. Reporting capabilities can be used to provide current information, while the audit trail and object metadata can provide insight into the state of information before the incident and the changes that occurred during the incident. Synchronization capability can be used to discover discrepancies between policy and reality, uncovering illegal accounts and privileges that were either created by the attacker or left over from incident response. Access control mechanisms, especially the segregation of duties (SoD) mechanism, can be used to assist in evidence preservation. For example, the SoD mechanism can limit the possibility of "rewriting history" by modifying the midPoint audit trail: declaring the database administration role and the midPoint administration role mutually exclusive ensures that no single person has full control over the content of the audit trail.
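As an added illustration of the SoD exclusion described above (this is an example written for this page, not configuration taken from the midPoint documentation or project), the following midPoint role definition gives the database administration role an exclusion policy rule against the midPoint administration role. The role names and both OIDs are assumptions; the target OID must be replaced with the OID of the actual midPoint administration role in the deployment.

```xml
<!-- Added example, not taken from the midPoint documentation.
     Role names and OIDs below are assumptions for illustration. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="00000000-0000-0000-0000-00000000db01">
    <name>Database Administrator</name>
    <description>
        Administers the database that holds the midPoint repository and audit trail.
    </description>
    <assignment>
        <policyRule>
            <name>dba-excludes-midpoint-admin</name>
            <policyConstraints>
                <exclusion>
                    <!-- OID of the midPoint administration role (assumed value) -->
                    <targetRef oid="00000000-0000-0000-0000-00000000ad01" type="RoleType"/>
                </exclusion>
            </policyConstraints>
            <!-- Enforcement: a request that would leave one user holding both
                 roles is rejected, so no single person can both administer
                 midPoint and edit the audit tables underneath it. -->
            <policyActions>
                <enforcement/>
            </policyActions>
        </policyRule>
    </assignment>
</role>
```

The rule only constrains assignments managed in midPoint. It protects the audit trail in practice only if the privileged database accounts are themselves provisioned or at least reconciled through midPoint, so that a database administrator account that exists outside midPoint's view would show up as a discrepancy rather than go unnoticed.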

Rationale

Even though midPoint is an important source of evidence related to information security events, it is just one of many sources. Most of the evidence that midPoint records is indirect evidence, created as a copy of data from other systems.
