Sunday, February 13, 2011

Managing the InfoSec Investigative Function

Managing the InfoSec Investigative Function: Applying the Lessons of Traditional Investigators

In a corporate setting large enough to have a dedicated Information Security function – whether as a sub-department of the IT division or as a separate division unto itself – Information Security Officers and Analysts are often called upon to conduct investigations into user actions.

If, for example, a line manager hears an allegation that an employee has been accessing adult material on the internet or has been emailing proprietary information to the competition, the line manager will often request that InfoSec help determine whether the allegation is true.

This makes sense because InfoSec professionals will have access to email servers, log files, and other resources that line managers cannot access. In addition, InfoSec specialists will often have the technical expertise to gather and interpret at least some of the data necessary to determine the facts of the case. So, it is understandable and appropriate that line managers expect InfoSec to play a role in investigations of this kind.

However, conducting effective and fair investigations requires specialized knowledge, skills, and abilities. It is not necessarily the case that the InfoSec analyst who can manage a tight network perimeter can also conduct a good investigation. Furthermore, investigations are risky and politically sensitive affairs, and they must be governed by sound policies and by oversight at the appropriate level of the organization.

The InfoSec investigative function must be carefully managed by the organization and must be carried out by information security practitioners with specialized qualifications. Ineffective, inconsistent, or unfair investigative practices put an organization at serious risk. Such practices fail to provide adequate protection for the organization’s information assets, and they invite legal action from employees who are treated unfairly. An organization must give careful thought to how its InfoSec investigative function will be managed and conducted.

When considering their investigative role, InfoSec professionals can borrow many of the concepts long embraced by traditional investigators. “Traditional investigators” here means those professionals who investigate crimes and policy violations taking place in the physical, as opposed to electronic, world. A sufficiently large organization will have a Security or Public Safety function that provides physical security and investigates issues such as asset theft, workplace violence, trespassing, etc. This article will refer to that function as “Public Safety” to avoid confusion with Information Security. Public Safety departments have been part of the corporate landscape for years and have developed mature processes for handling investigations. Although Public Safety and InfoSec investigations often involve different kinds of alleged infractions and different technologies, many of the foundations of traditional investigative practice are equally applicable to InfoSec investigations.

This article describes six key concepts of traditional investigations that can also be applied to InfoSec investigations. InfoSec practitioners can learn a great deal from the mature processes developed over years of traditional investigative practice. The purpose of this article is to help InfoSec managers and other organizational leaders effectively establish, conduct, and oversee the InfoSec investigative function. The six key concepts discussed in this article are:

  1. Establishing Defined Policies and Procedures
  2. Obtaining Approval from the Appropriate Organizational Level
  3. Agreeing on the Scope and Objectives of the Investigation
  4. Engaging Investigators with the Appropriate Expertise
  5. Maintaining Effective Documentation
  6. Separating Fact-Finding and Decision-Making
Establishing Defined Policies and Procedures

InfoSec investigations must be governed by executive-level policies. If an investigation can lead to disciplinary action against an employee, legal action, etc., then the policies and processes governing the investigative function must rise to the executive level, not merely the departmental level. At the highest level, the organization must decide what its approach to investigations will be and what behavior and risks it will accept.

Policies must be written and be signed by an executive at an organizational level sufficient to ensure that the policies will apply with equal force to all employees of the organization. The finalized policies must be made public within the organization. If an Information Security Analyst is going to be reviewing the internet activity of a Vice President, it is absolutely essential that the organization has made permanent and public its commitment to the InfoSec investigative function. The InfoSec manager should insist on adequate policy backing to protect his or her staff from the political fallout of investigations. Investigators have to know that they can carry out their function without risk of reprisals.

In addition, defined policies and procedures help to ensure fairness. If an organization has an ad-hoc process for investigations, it is inevitable that inconsistent standards will be applied. Absent strong policies and procedures, investigations may be pursued more readily or more aggressively against certain departments, groups, or individuals. Even well-intentioned managers and InfoSec staff may demonstrate latent biases or be subconsciously motivated by office politics when deciding whether or not to investigate certain users.

Such inconsistency in investigations is unfair and unethical, erodes morale, and can expose the organization to claims of discrimination or other legal liabilities. One expert on traditional investigations warns, “Plaintiffs and the attorneys who represent them love employers (and investigators) who lack process, fly by the seat of their pants, and make mistakes at every turn” (Ferraro, 25). Strong policies and procedures, enforced by executive mandate, militate against these risks..

Obtaining Approval from the Appropriate Organizational Level

A corollary to the above is that each individual investigation must be approved at the appropriate level of the organization. “Because workplace investigations can be extremely complex and often involve potential litigation, a commitment by management is an essential component if success is to be achieved” (Ferraro, 2). Just as a traditional investigator would surely not begin undercover surveillance of an employee without the appropriate approval, an InfoSec investigator should not poke into an employee’s internet activity without similar approval. The policies and procedures described above should include a clear and well-defined process for InfoSec investigators to request and obtain approval for each and every investigation they conduct.

In practice, the organization may establish a blanket approval for certain types of day-to-day monitoring. For example, an organization may have a policy that InfoSec analysts routinely monitor the internet filter for certain types of content. In this example, the policy may state that suspicious activity is to be referred to appropriate individuals for further investigation.

Any investigation that goes beyond day-to-day system monitoring, however, should be formally presented to the person or persons with organizational authority to approve it, before the investigation begins. Approval for investigations should come from outside IT and InfoSec. Human Resources, General Counsel, Risk Management, or similar functions are more appropriate sources for this approval. Just as an organization requires two signatures on checks over a certain amount, it is a good idea to require two or more signatures, such as both the VP of HR and the VP of Risk Management, on any investigation request. IT and InfoSec have neither the expertise nor the organizational position to commit the organization to the legal requirements, personnel issues, and other challenges that may come as a consequence of the investigation.

Agreeing on the Scope and Objectives of the Investigation

At the time of approval, InfoSec and the organizational officers authorizing the investigation should agree on the scope of the investigation, the questions to be answered, and the standard of proof to be met. Traditional investigators recognize that “no investigation of any complexity can be successful without meaningful objectives” (Ferraro, 8). They discuss the investigation with the approval authority, “decide what it is [they] are pursuing, what information [they] are seeking, and the desired outcome” (Ferraro, 8).

Setting the scope and objectives can often be accomplished in a quick conversation. The question to be answered may be quite simple, such as true sender of an inappropriate email. In other cases, the scope and objectives may be very complex and may need to be laid out in detailed documentation. In either case, it is important for the organization to decide what they want to know and to communicate that to the InfoSec investigator in such as way that the investigator can provide actionable results and can be clear about the extent of organizational support for his or her activities.

If the person being investigated objects to the actions of the investigator, the investigator will be relieved to have documentation from the organization authorizing the investigation and explicitly laying out the scope. Conversely, if an investigator exceeds the scope of the investigation, the organization will have the documentation necessary to take appropriate action against the investigator.

This is not to say that the scope of the investigation cannot be revised. There should be a process by which investigators can request a change of scope as new information becomes available (Ferraro, 10). This can be accomplished with a simple process by which the investigator documents the requested change of scope, and the approval authorities sign off on it.

Engaging Investigators with the Appropriate Expertise

Traditional investigators are individuals with the specialized training and experience necessary to carry out the investigative function. In larger organizations, the Public Safety function will have a distinct sub-function dedicated to complex investigations. Although general security officers and investigators may both be under the umbrella of a Public Safety division, it is well recognized that those roles require different skill sets and that it would be unfair and ineffective to ask anyone but a trained investigator to carry out the traditional investigative function.

Similarly, InfoSec investigators require specialized training and skills. Conducting investigations is a sub-specialization within InfoSec. The InfoSec professional who is highly trained and experienced in managing firewalls, VPN access, and anti-malware systems is not necessarily qualified to conduct forensically-sound evidence gathering, uncover latent evidence from a hard drive, maintain chain of custody, and find traces of hacking tools, for example. When investigators without the necessary training conduct investigations, the results may be unreliable, and the risk of evidence spoliation is significant.

An organization that wants to conduct InfoSec investigations in-house must hire qualified investigators. When it is impractical to keep one or more investigators on-staff, an organization should engage the services of qualified third-party investigators. In some cases, it may be most cost-effective for an organization to simply outsource all InfoSec investigations to an outside vendor.

Maintaining Effective Documentation

The value of good documentation in traditional investigations cannot be overstated. “Everything else being equal, the difference between a good or competent investigator and one who is considered excellent is reflected in the superior investigator’s report writing-skills. Furthermore, there is a direct relationship between the efficiency of a security department or an investigative office and the quality of its records and reports” (Sennenwald, 181). Good documentation demonstrates that the investigation has been conducted by serious professionals, aids in memory, and provides a permanent and easily-referenced record for decision-makers.

The same is true of InfoSec investigations. Taking good notes, maintaining adequate documentation, and delivering written reports are the hallmarks of an effective, professional investigation. The organization should expect the investigator to deliver the results of the investigation in writing, and the investigator should maintain notes sufficient to recall all necessary details of the investigation.

Separating Fact-Finding and Decision-Making

In a traditional investigation, the person or team conducting the investigation is the “fact finder”. The role of the fact finder is just that – to determine the facts of the case. The fact finder is given the important and complex job of determining whether an allegation is true or a suspicion is warranted. The fact finder makes a report to the “decision maker,” who decides what action the organization will take based on these facts. The roles of fact finder and decision maker are separate. “The fact finder should never play the role of decision maker or vice versa. In fairness to the subject and the process ... the duties of the fact-finder and decision maker [should be separate]” (Ferraro, 25).

This principle should be strictly followed in InfoSec investigations as well. InfoSec investigators should determine the facts of the case, report the findings to the appropriate organizational officers (usually the individuals who approved the investigation), and answer technical questions about the findings. However, InfoSec should not be involved in the disciplinary process or other decisions made based on those facts. If an investigation finds that a user has violated an organizational policy, the user should be referred to the appropriate organizational function for discipline.

There are three main reasons to maintain this strict separation of duties. First, fairness requires that fact finders and decision makers are separate. Just as the police are separate from the court system, so should corporate fact-finding be separate from adjudication. Second, InfoSec are not the appropriate people to comment on matters of discipline. Organizations have HR departments, Risk Managers, and attorneys who are qualified and responsible for making those kinds of judgments. InfoSec practitioners are highly skilled in information security, not in HR management. And third, only by referring disciplinary matters to the appropriate organizational function can they be handled effectively. For example, an InfoSec investigator might believe that a minor internet policy violation is a first offense that can be handled with an informal warning, while HR might have already reprimanded the individual for other non-computer-related violations and might regard the new violation as a final straw. InfoSec should not interfere with the organization’s ability to enforce discipline.

Conclusion

Information Security investigations are complex and potentially risky undertakings requiring the efforts of specially-trained professionals. Organizations must think carefully about how InfoSec investigations will be handled. Whether InfoSec investigations are handled in-house or outsourced to dedicated third-party investigators, the activities of investigators must ultimately be governed from the executive level.

InfoSec professionals can borrow many concepts from the field of traditional investigations. Although there are clear differences between traditional investigations and InfoSec investigations, many core principles underlay both disciplines. InfoSec investigations should be governed by policies and procedures enforced at the executive level; individual investigations should be approved by one or more organizational officers outside of the InfoSec function; the scope, methods, and outcome of an investigation should be set down in writing at the outset; qualified professionals should be kept on staff or engaged as required; documentation should be thorough and permanent; and fact-finders should be separated from decision makers.

By learning from the years of experience already amassed by our colleagues in traditional investigative roles, InfoSec practitioners can conduct fair and effective investigations that meet the needs of organizational leaders.

References/Suggested Further Reading

Dempsey, John (2003). Introduction to Investigations. Clifton Park, NY: Delmar.

Ferraro, Eugene and Norman Spain (2006). Investigations in the Workplace. Boca Raton, FL: Auerbach Publications.

McMahon, Rory (2007). Practical Handbook for Professional Investigators. Boca Raton, FL: CRC Press.

Sennenwald, Charles and John Tsukayama (2006). The Process of Investigations: Concepts and Strategies for Investigators in the Private Sector. Burlington, MA: Butterworth-Heinemann.