iSACA Cybersecurity Fundamentals Certification Practice Exam

Which of the following best describes 'chain of custody'?

• A. Securing digital assets from unauthorized access
• B. Tracking evidence handling and ownership
• C. Analyzing user behavior anomalies
• D. Improving system recovery speed

The correct answer is: Tracking evidence handling and ownership

The concept of 'chain of custody' fundamentally refers to the process of maintaining and documenting the handling of evidence. This is crucial in both legal and cybersecurity contexts, as it ensures that any evidence collected remains intact, unaltered, and can be verified with confidence regarding its origin and handling history. When evidence is collected during an investigation—be it digital evidence from a cyber incident or physical evidence from a crime scene—documenting who collected the evidence, where it was stored, and who had access to it at all times establishes a clear chain of custody. This documentation is essential for maintaining the integrity of the evidence, as it validates that the evidence has not been tampered with or altered from the point of collection to its presentation in court or during analysis. The other options describe relevant concepts within cybersecurity but do not align with the precise definition of 'chain of custody.' Securing digital assets from unauthorized access focuses on preventative measures, while analyzing user behavior anomalies relates to proactive monitoring for security breaches. Improving system recovery speed pertains to disaster recovery and business continuity but does not connect to the integrity and documentation of evidence in the context of an investigation. Thus, tracking evidence handling and ownership is the correct description of 'chain of custody.'