SmartAdvice: Top-Down Strategy

Business commitment, good project management, and an incremental approach can improve your chances for a successful supply-chain-management implementation, <B>The Advisory Council</B> says. Also, control the costs of computer hardware maintenance and avoid the pitfalls of corporate IT-abuse investigations.

InformationWeek Staff, Contributor

February 18, 2004

5 Min Read

Question C: We're considering setting up our own IT-abuse investigations group. What issues should we consider in making this decision?

Our advice: Electronic discovery and forensic analysis of Internet traffic dominates the landscape in both the public and private sectors. While public-sector law enforcement has benefited immensely from federally subsidized training during the last decade, the same isn't true for the private sector. As a result, corporate staffs tasked with investigating policy violations within their organizations seldom have formal investigative training in forensic techniques, especially identifying and analyzing computer-based evidence. As you can imagine, the likelihood that their efforts will fail is in direct relation to the number of things done wrong. In some cases, these missteps only result in a blown investigation; in other cases, they can result in significant lawsuits initiated by employees who allege their careers have been harmed in some manner by irresponsible actions. The top 25 reasons corporate IT-abuse investigations fail are:

  • Telling your executive VP such investigations can be done quickly and inexpensively.

  • Not having corporate counsel sign-off on the equivalent of an in-house search warrant before searching network accounts and cubes or offices for evidence (both electronic and nonelectronic).

  • Conducting searches without a solid understanding of where employees do, and do not, have an expectation of privacy.

  • Misidentifying your policy violator and interviewing the wrong employee (during which you may imply they are a pervert or at the very least dishonest).

  • Allowing IT staff to "assist" with the technical aspects of the investigation. (Remember what happens when the fox gets to guard the hen house?)

  • Allowing investigations and analysis of E-mail and Internet activity to be used for witch hunts.

  • Not realizing that forensic standards for law enforcement and forensic standards for corporate investigators are significantly different.

  • Treating every investigation like it will be going to federal prosecution.

  • Not using an eyewitness or pinhole camera to tie your policy violator to the keyboard in question at the time of the original incident or when the incident reoccurs.

  • Failure to personally interview the policy violator, victim, complainant, witnesses, and peers in the incident under investigation.

  • Allowing human resources to participate in the technical investigation before the employee interview. (Can you say leak?)

  • Failure to follow a reasonable "chain of custody" procedure when handling evidence.

  • Not being able to describe/define the process used to discover and acquire evidence to senior management in terms they can understand.

  • Improper storage of evidence (not under monitored lock and key).

  • Allowing unauthorized employees to examine the computer or evidence discovered such that allegations of evidence tampering can be made.

  • Not understanding the types and locations of potential logs containing evidence that are produced by security controls within your infrastructure.

  • Not understanding how easy it is to spoof MAC and IP addresses.

  • Analyzing the original evidence. (Use duplicate copies for this whenever possible.)

  • Not verifying who had access to computers where evidence has been discovered.

  • Failing to perform a complete virus/Trojan check on the evidence prior to analysis (avoiding the "someone else caused it" argument).

  • Not verifying that the timestamps of computers involved are accurate, making event correlation difficult to impossible.

  • Being unable to pay attention to boring, minute details (the ones that often end up cracking the case).

  • Deviating from accepted procedures while handling or examining evidence.

  • Not documenting ongoing discovery and analysis activities in a detailed log.

  • Being unable to get a signed, handwritten confession from your policy violator.

-- Bill Spernow

Humayun Beg, TAC Thought Leader, has more than 18 years of extensive experience in business IT management, technology deployment, and risk management. He has significant experience in all aspects of systems management, software development, and project management and has held key positions in directing major IT initiatives and projects. Stephen Rood, TAC Expert, has more than 24 years of experience in the IT field, specializing in developing and implementing strategic technology plans for organizations, as well as in senior project-management and help-desk operations review. His consulting experience has included being the chief technology planner in designing and then implementing a state-of-the-art emergency 911 call center for the city of Newark, N.J., and managing technology refreshes for a major nonprofit entertainment organization and for a large regional food broker. He's the author of the book "Computer Hardware Maintenance: An IS/IT Manager's Guide," which presents a model for hardware maintenance cost containment. He's a senior consultant with Strategic Technology in Scarsdale, N.Y. Bill Spernow, TAC Expert, has more than 20 years of experience successfully mitigating internal and external events that threaten IT infrastructures. A Certified Information Systems Security Professional, he specializes in developing and implementing policies, procedures, security controls, and security-awareness training programs that not only work, but make sense to all involved. He also is a guest instructor for the Federal Law Enforcement Training Center and the University of New Haven.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights