Security

Three security investigation pitfalls to avoid

Investigations are powerful tools for improving compliance. They should strengthen security controls and help nurture employee perception that the security team is a partner instead of the company's secret police. So investigators must avoid three common mistakes.

-------------------------------------------------------------------------------------------------------------------

Policies are an integral part of a security program. They provide the framework upon which processes are built, processes that ensure consistent compliance and delivery of services. But simply writing policies and posting them on the company intranet isn’t enough. They must be backed up with policy enforcement activities. One of the most effective enforcement activities is policy violation investigation.

Why investigate?

There are two reasons to conduct investigations when one or more employees allegedly violate a policy. First, investigation reports raise management’s awareness of potential issues. Many policy violations are unintentional. They are caused by faulty processes. The investigation report helps appropriate managers identify weaknesses in how servers are built, permissions granted, systems are designed, etc., so they can take steps to improve security outcomes.

Second, intentional policy violations must be dealt with quickly and fairly. Sanctions applied in this way help reinforce the offending employee’s awareness of management’s commitment to the policy’s intended outcomes. Managers can also move repeat offenders to positions where they create less business risk.

To achieve these goals, investigators must carefully avoid common mistakes that undermine either the investigator's credibility or management's support for the investigation process.

Common investigation pitfalls

Improperly conducted investigations can create new management challenges. When an investigation is used as a club instead of as a tool for process improvement and risk mitigation, employees react negatively, and that reaction often moves the company's security posture to an unwanted position. Here are some common investigation pitfalls and how to avoid them:

  1. Inaccurate reporting. The investigator should aggressively and objectively pursue ALL the facts. Sometimes investigation reports are thrown together without interviewing all parties involved or reviewing all artifacts. This approach frequently results in getting only one side of a story. Since descriptions of what happened often differ due to perception or agenda, it’s important not to fall into the trap of seeing the situation through the eyes of only a small, biased subset of the participants.
  2. Not involving management early. When a security analyst investigates a violation, he or she simply reports the facts to the relevant members of the management team. It's up to these managers (often including HR as well as the offender's direct supervisor) to decide on appropriate action. I've found that involving them early in the process helps avoid the contentious interaction, caused by the appearance of being "internal affairs investigators" instead of partners in the effort to secure information assets, that can otherwise arise when the report is finally delivered. In our investigation process, the appropriate managers are notified as soon as an incident is identified and before interviews or evidence collection begins.
  3. Treating the investigation report like a police report. Unless a law was broken or an action was taken that requires immediate termination of employment, the final report should be the basis for an after-action review (AAR). Instead of treating the results of an investigation as something to fear, position them as a tool to improve outcomes. Sit down with all involved parties and work toward conditions that improve employee awareness of management's expectations. This will help strengthen security controls and nurture the employee perception that the security team is a partner instead of the company's secret police.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

1 comment
tuomo

Sounds good but (IMHO) it really starts a little wrong - dealing with security over 35 years I have found all the points in the article to be good, but the main cause has almost always been bad / lazy / inexperienced management, not the individuals making mistakes or even trying some mischief. This often makes the investigation like asking the fox "who stole the chicken?" Also, these questions assume that the security is well documented, that you know who to involve and who to avoid in certain cases - not often the reality. It is the current trend that any manager is a god, maybe if you think that they can fire you, but even gods make mistakes, unintentionally or sometimes not. Security should always be a separate function from anything else. Otherwise other issues cloud the security issues very fast, nobody likes to admit mistakes, etc. Decisions are not always made with security in mind because it's seen as a side issue, a problem to get something else done, takes time, not knowing all the benefits and / or problems it may cause when seen from one point, not out of my budget, etc. It's the same as for example in capacity planning: increase the capacity in one place of the infrastructure not knowing / caring about the effects on other parts and the whole comes to a screeching halt very fast, causes huge problems and big costs, very common today. It is much more cost effective and less risky to be prepared instead of investigating. And as the article says, it is like a police investigation and should be done the same way: find the "big bad boss" and you will get rid of all the smaller fish for free, much more cost effective.