Your investigation will vary based on the type of incident you are investigating. For example, if you work for a financial company and there was a compromise of a financial system, you might have a regulatory investigation. If a hacker defaces your company website, you might have a criminal investigation. Each type of investigation has special considerations:
- Administrative. The primary purpose of an administrative investigation is to provide the appropriate authorities with all relevant information so they can determine what, if any, action to take. Administrative investigations are often tied to HR scenarios, such as when a manager has been accused of improprieties.
- Criminal. A criminal investigation occurs when a crime has been committed and you are working with a law enforcement agency to convict the alleged perpetrator. In such a case, it is common to gather evidence for a court of law and to have to share that evidence with the defense. Therefore, you need to gather and handle the information using methods that ensure the evidence can be used in court. We covered some key points earlier, such as chain of custody. Be sure to remember that in a criminal case, a suspect must be proven guilty beyond a reasonable doubt. This is more difficult than showing a preponderance of evidence, which is often the standard in a civil case.
- Civil. In a civil case, one person or entity sues another person or entity; for example, one company might sue another for a trademark violation. A civil case typically seeks monetary damages, not incarceration or a criminal record. As we just saw, the burden of proof is less in a civil case.
- Regulatory. A regulatory investigation is conducted by a regulating body, such as the Securities and Exchange Commission (SEC) or Financial Industry Regulatory Authority (FINRA), against an organization suspected of an infraction. In such cases, the organization is required to comply with the investigation, for example, by not hiding or destroying evidence.
- Industry standards. An industry standards investigation is intended to determine whether an organization is adhering to a specific industry standard or set of standards, such as logging and auditing failed logon attempts. Because industry standards represent well-understood and widely implemented best practices, many organizations try to adhere to them even when they are not required to do so, in order to reduce security, operational, and other risks.