Evidentiary Reporting


All incidents should be reported to management as soon as possible. Prompt internal reporting is imperative to collect and preserve potential evidence. Information about the investigation should be limited to as few people as possible and shared only on a need-to-know basis, which reduces the chance of the investigation being leaked. In addition, all communications related to the incident should be made through an out-of-band method so that the intruder cannot intercept any incident-related information; in other words, e-mail on a compromised system should not be used to discuss the investigation. Depending on the type of crime and the type of organization, it may be necessary to notify:

  • Executive management.
  • The information security department.
  • The physical security department.
  • The internal audit department.
  • The legal department.

The Preliminary Investigation

A preliminary internal investigation is necessary for all intrusions or attempted intrusions. At a minimum, the investigator must ascertain whether a crime has occurred and, if so, identify the nature and extent of the abuse. It is important for the investigator to remember that the alleged attack or intrusion may not be a crime. Even if it appears to be some form of criminal conduct, it could merely be an honest mistake. There is no quicker way to initiate a lawsuit than to mistakenly accuse an innocent person of criminal activity.

The preliminary investigation usually involves a review of the initial complaint, inspection of the alleged damage or abuse, witness interviews, and, finally, examination of the system logs. If, during the preliminary investigation, it is determined that some alleged criminal activity has occurred, the investigator must address the basic elements of the crime to determine the chances of successfully prosecuting a suspect, either civilly or criminally. Further, the investigator must identify the requirements of the investigation (i.e., the dollars and resources). If it is believed that a crime has been committed, neither the investigator nor any other company employee should confront or talk with the suspect. Doing so would only give the suspect the opportunity to hide or destroy evidence.
