Investigations are powerful tools for improving compliance. They should strengthen security controls and help nurture employee perception that the security team is a partner instead of the company's secret police. So investigators must avoid three common mistakes.
Policies are an integral part of a security program. They provide the framework upon which processes are built, processes that ensure consistent compliance and delivery of services. But simply writing policies and posting them on the company intranet isn't enough. They must be backed up with policy enforcement activities. One of the most effective enforcement activities is policy violation investigation.
There are two reasons to conduct investigations when one or more employees allegedly violate a policy. First, investigation reports raise management's awareness of potential issues. Many policy violations are unintentional. They are caused by faulty processes. The investigation report helps appropriate managers identify weaknesses in how servers are built, permissions granted, systems are designed, etc., so they can take steps to improve security outcomes.
Second, intentional policy violations must be dealt with quickly and fairly. Sanctions applied in this way help reinforce the offending employee's awareness of management's commitment to the policy's intended outcomes. Managers can also move repeat offenders to positions where they create less business risk.
To achieve these goals, investigators must carefully avoid making common mistakes, which often lead to investigator credibility or management support issues.
Common investigation pitfalls
Improperly conducted investigations can create new management challenges. When used as a club instead of a tool to achieve both process improvements and risk mitigation, employees react negatively—often moving a company's business security posture to an unwanted position. Here are some common investigation pitfalls and how to avoid them:
- Inaccurate reporting. The investigator should aggressively and objectively pursue ALL the facts. Sometimes investigation reports are thrown together without interviewing all parties involved or reviewing all artifacts. This approach frequently results in getting only one side of a story. Since descriptions of what happened often differ due to perception or agenda, it's important not to fall into the trap of seeing the situation through the eyes of only a small, biased subset of the participants.
- Not involving management early. When a security analyst investigates a violation, he or she simply reports the facts to relevant members of the management team. It's up to these managers—often including HR as well as the offender's direct supervisor—to decide on appropriate action. I've found that involving them early in the process helps avoid contentious interaction—caused by the appearance of being "internal affairs investigators" instead of partners in the effort to secure information assets—when the report is finally delivered. In our investigation process, the appropriate managers are notified as soon as an incident is identified and before interviews or evidence collection begins.
- Treating the investigation report like a police report. Unless a law was broken or an action taken requiring immediate termination of employment, the final report should be the basis for an after action review (AAR). Instead of treating the results of an investigation as something to fear, position it as a tool to improve outcomes. Sit down with all involved parties and work toward conditions which help improve employee awareness of management's expectations. This will help strengthen security controls and help nurture employee perception that the security team is a partner instead of the company's secret police.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.