Here are some tips to make the annual budget process pay off year-round, The Advisory Council says. Also, a practical approach to quantifying software quality and tips on how to deal with a letter requesting you preserve information for a criminal investigation.

InformationWeek Staff, Contributor

January 14, 2004

Topic C: I just received a "Preservation Request" letter signed by an Assistant United States Attorney requesting internal logs and records associated with a hacker investigation. What should I do?

Our advice: A preservation request letter is more common than you might think. It signals that your organization is indirectly involved in a criminal investigation. Most likely, evidence collected by investigators from other sources has revealed that some component of your technological infrastructure, or one of your employees, was indirectly involved in the hack under investigation. The good news is that your organization is not currently a suspect in this investigation. If it were, you would have a court-authorized search warrant in your hands instead of a preservation request. Search warrants will usually disrupt your schedule for weeks. Preservation letters can often be handled in a day or two. So, what should you do? Before doing anything else, contact your corporate counsel. Their advice is critical in avoiding later problems--follow their advice to the letter.

Preservation letters are a form of court subpoena, and in some cases your corporate counsel might want to challenge it. Your next step is to immediately collect copies of all the logs and records requested. These requests typically apply only retrospectively. They do not normally require you to capture and preserve new information after the date of the request. Providing copies of selected back-up tapes is usually a quick way of satisfying a majority of these requests, especially if the request is for substantial amounts of data.

But this may have a significant drawback, as these tapes could become part of a public record accessible under the Freedom of Information Act. So, if you do provide copies of back-up tapes, make sure you know what is on them. Also, you must be able to identify by name the files containing the logs or records requested in a format the assistant U.S. attorney can read. Providing 320-Gbyte DAT tapes that the assistant U.S. attorney is incapable of reading (because they don't have the proper hardware or software) doesn't satisfy the request. Failure to comply with an unchallenged preservation request can result in fines, imprisonment, or both. If there is some valid reason that prevents you from complying with the request, make sure you document these facts with details that would satisfy the most demanding and unreasonable auditor.

Personally supervise the collection of the logs and records requested. It's your name on the letter, not your network administrator's or help-desk supervisor's name. Keep all this activity confidential. When it's over, you should be able to count on one hand the people who were involved in gathering the information.

--Bill Spernow

David Roger, TAC Expert, has more than 20 years as a developer and implementer of IT applications. His industry experience ranges from retail to environmental health and safety to hospitality and food services. His specific areas of expertise include enterprise analytics and reporting, project justification and management, and decision-support and financial systems.

Vladimir Tsivkin, TAC Expert, has more than 20 years of experience in advanced software development, with the last five-plus years in senior project-management roles at major financial-services institutions. His primary specialty is software quality engineering, including Six Sigma and Capability Maturity Model. He has published a number of papers in operations research, management-science applications, and quality management.

Bill Spernow, TAC Expert, has more than 20 years of experience successfully mitigating internal and external events that threaten IT infrastructures. A Certified Information Systems Security Professional (CISSP), he specializes in developing and implementing policies, procedures, security controls, and security-awareness training programs that not only work, but make sense to all involved. He also is a guest instructor for the Federal Law Enforcement Training Center and the University of New Haven.
