Information security professionals often find themselves performing investigations of security incidents and participating in other investigations. In this video, learn about different types of investigations, interviewing techniques, and the use of root cause analysis during investigations.
- [Instructor] During the course of their work, information security professionals often find themselves involved in various types of investigations. In some cases, these investigations are lead by security teams in response to suspected or actual security incidents. In other cases, the investigation is lead by another group and security professionals are asked to contribute evidence and expertise. There are four main types of investigations that often involve cybersecurity professionals. These are administrative investigations, criminal investigations, civil investigations, and regulatory investigations.
Administrative investigations are internal investigations that an organization undertakes. They may be done for many different reasons. One of the most common reasons for an administrative investigation is to investigate operational issues related to the organization's technology infrastructure. For example, a service might be returning errors, a server might be responding too slowly, or a network might be congested. Operational investigations seek to get to the underlying cause of these symptoms and resolve them, restoring normal operations as quickly as possible.
During administrative investigations of operational issues, investigators should also conduct a root cause analysis. The goal of this root cause analysis is to go beyond simply solving the problem and determine what caused it in the first place. For example, an operational investigation may determine that a server failed, reboot it, and restore service. The root cause analysis may reveal that a hard drive in the server is failing and that it should be replaced to prevent a future failure.
Administrative investigations may also be undertaken to look into matters relating to human resources issues, such as employee performance, workplace harassment, or other issues directed by management. Administrative investigations do not have high standards of evidence because there is no legal action involved. The organization simply wishes to correct a problem and get back to work. Criminal investigations are at the other end of the spectrum. Criminal investigations are conducted by government law enforcement agencies with the objective of investigating violations of criminal law.
The stakes are very high in this case because, at the end of a criminal investigation, an individual may be charged with the violation of a criminal law. And the penalties for criminal violations include fines and possible jail time. Because of these high potential penalties, criminal cases use the highest possible standard for evidence. It's called the beyond a reasonable doubt standard. The prosecution in a criminal case must present evidence where there is no other reasonable conclusion than that the defendant committed the crime.
Civil investigations also investigate the violation of a law, but they are non-criminal offenses involving a dispute between two parties. Civil cases may be initiated by the government, businesses, or private citizens. Examples of civil cases include contract disputes, employment law violations, and intellectual property infringement. Since civil investigations do not involve criminal law, they do not put anyone in jeopardy of going to jail and, therefore, have a lower standard of evidence.
Civil investigations use the preponderance of the evidence standard, where the conclusion drawn by the jury simply needs to be that the evidence demonstrates that it is more likely than not that one party is correct. Finally, regulatory investigations are conducted by government agencies looking into potential violations of administrative law. Regulatory investigations may be either civil or criminal in nature and use the standard of evidence appropriate to the type of case that the agency plans to bring.
Regulatory investigations may also be undertaken by non-governmental authorities to enforce compliance with industry standard. These are always civil cases. For example, credit card regulators may direct an investigation into PCI DSS compliance matters at a firm. Interviews are one of the most important tools available to investigators conducting any type of investigation. During an interview, investigators ask a cooperating individual a series of questions that are designed to elicit information that's valuable to the investigation.
It's important to remember that an interview is always voluntary. When investigators question a hostile subject without consent, this is known as an interrogation. Cybersecurity analysts should never find themselves in the position of conducting an interrogation and should leave this responsibility to trained law enforcement officials. Understanding the differences between types of investigations is an important way for information security professionals to know their own role when participating in an investigation.
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- Conducting investigations
- Reporting and documenting incidents
- Continuous security monitoring
- Preventing data loss and theft
- Asset management
- Change management
- Virtualization security
- Security principles: need to know, separation of duties, and more
- Building an incident response program
- Personnel safety and emergency management