Physical Evidence Collection and Coordination in Employee Suspicions | SSCP Exam Guide

Coordinating Physical Evidence Collection in Employee Suspicions


Question

In addition to the Legal Department, with what company function must the collection of physical evidence be coordinated if an employee is suspected?

Answers

Explanations


A. B. C. D.

A.

If an employee is suspected of causing an incident, the human resources department may be involved, for example, in assisting with disciplinary proceedings.

Legal Department. The legal experts should review incident response plans, policies, and procedures to ensure their compliance with law and Federal guidance, including the right to privacy.

In addition, the guidance of the general counsel or legal department should be sought if there is reason to believe that an incident may have legal ramifications, including evidence collection, prosecution of a suspect, or a lawsuit, or if there may be a need for a memorandum of understanding (MOU) or other binding agreements involving liability limitations for information sharing.

Public Affairs, Public Relations, and Media Relations.

Depending on the nature and impact of an incident, a need may exist to inform the media and, by extension, the public.

The incident response team members could include: Management, Information Security, Legal / Human Resources, Public Relations, Communications, Physical Security, Network Security, Network and System Administrators, Network and System Security Administrators, and Internal Audit.

Events versus Incidents

An event is any observable occurrence in a system or network.

Events include a user connecting to a file share, a server receiving a request for a web page, a user sending email, and a firewall blocking a connection attempt.

Adverse events are events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data.

This guide addresses only adverse events that are computer security-related, not those caused by natural disasters, power failures, etc.

A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Examples of incidents are: An attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash.

Users are tricked into opening a "quarterly report" sent via email that is actually malware; running the tool has infected their computers and established connections with an external host.

An attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money.

A user provides or exposes sensitive information to others through peer-to-peer file sharing services.

The following answers are incorrect:

Industrial Security is incorrect because it is not the best answer; the human resources department must be involved with the collection of physical evidence if an employee is suspected.

Public Relations is incorrect because it is not the best answer. It would be an important element to minimize public image damage but not the best choice for this question.

External Audit Group is incorrect because it is not the best answer; the human resources department must be involved with the collection of physical evidence if an employee is suspected.

Reference(s) used for this question: NIST Special Publication 800-61

In the event that an employee is suspected of wrongdoing, it is critical to collect physical evidence to support the investigation. While the Legal Department is a critical partner in this process, there are other company functions that must be involved to ensure that the investigation is conducted effectively.

One of the most important functions to coordinate with is Human Resources (HR). HR plays a critical role in ensuring that the company's policies and procedures are followed and that employees are treated fairly. In the case of an investigation, HR may be responsible for interviewing employees, documenting the investigation, and managing any disciplinary actions that may result from the investigation. HR may also be responsible for ensuring that the company's internal investigation procedures are followed and that the company's legal obligations are met.

Another function that may need to be involved in the collection of physical evidence is Industrial Security. Industrial Security is responsible for ensuring the safety and security of the company's assets, including physical property, intellectual property, and personnel. Industrial Security may be responsible for securing physical evidence, including electronic records, hard drives, and other materials, and ensuring that the chain of custody is maintained.

While Public Relations and External Audit Group are important functions within a company, they may not play a direct role in the collection of physical evidence in the event of an investigation. Public Relations may be involved in managing the company's reputation during an investigation, but they would not typically be responsible for collecting physical evidence. Similarly, the External Audit Group may be involved in reviewing the company's internal controls and procedures, but they would not typically be responsible for collecting physical evidence during an investigation.