TAC The Advisory Council

Question: We're considering setting up our own IT-abuse investigations group. What issues should we consider in making this decision?

Our advice: Electronic discovery and forensic analysis of Internet traffic dominates the landscape in both the public and private sectors. While public-sector law enforcement has benefited immensely from federally subsidized training during the last decade, the same isn't true for the private sector. As a result, corporate staffs tasked with investigating policy violations within their organizations seldom have formal investigative training in forensic techniques, especially identifying and analyzing computer-based evidence. As you can imagine, the likelihood that their efforts will fail is in direct relation to the number of things done wrong. In some cases, these missteps only result in a blown investigation; in other cases, they can result in significant lawsuits initiated by employees who allege their careers have been harmed in some manner by irresponsible actions. The top 25 reasons corporate IT-abuse investigations fail are:

  • Telling your executive VP such investigations can be done quickly and inexpensively.

  • Not having corporate counsel sign-off on the equivalent of an in-house search warrant before searching network accounts and cubes or offices for evidence (both electronic and nonelectronic).

  • Conducting searches without a solid understanding of where employees do, and do not, have an expectation of privacy.

  • Misidentifying your policy violator and interviewing the wrong employee (during which you may imply they are a pervert or at the very least dishonest).

  • Allowing IT staff to "assist" with the technical aspects of the investigation. (Remember what happens when the fox gets to guard the hen house?)

  • Allowing investigations and analysis of E-mail and Internet activity to be used for witch hunts.

  • Not realizing that forensic standards for law enforcement and forensic standards for corporate investigators are significantly different.

  • Treating every investigation like it will be going to federal prosecution.

  • Not using an eyewitness or pinhole camera to tie your policy violator to the keyboard in question at the time of the original incident or when the incident reoccurs.

  • Failure to personally interview the policy violator, victim, complainant, witnesses, and peers in the incident under investigation.

  • Allowing human resources to participate in the technical investigation before the employee interview. (Can you say leak?)

  • Failure to follow a reasonable "chain of custody" procedure when handling evidence.

  • Not being able to describe/define the process used to discover and acquire evidence to senior management in terms they can understand.

  • Improper storage of evidence (not under monitored lock and key).

  • Allowing unauthorized employees to examine the computer or evidence discovered such that allegations of evidence tampering can be made.

  • Not understanding the types and locations of potential logs containing evidence that are produced by security controls within your infrastructure.

  • Not understanding how easy it is to spoof MAC and IP addresses.

  • Analyzing the original evidence. (Use duplicate copies for this whenever possible.)

  • Not verifying who had access to computers where evidence has been discovered.

  • Failing to perform a complete virus/Trojan check on the evidence prior to analysis (avoiding the "someone else caused it" argument).

  • Not verifying that the timestamps of computers involved are accurate, making event correlation difficult to impossible.

  • Being unable to pay attention to boring, minute details (the ones that often end up cracking the case).

  • Deviating from accepted procedures while handling or examining evidence.

  • Not documenting ongoing discovery and analysis activities in a detailed log.

  • Being unable to get a signed, handwritten confession from your policy violator.

-- Bill Spernow
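Three of the failures in the list above can be made mechanical rather than left to habit: working only from a verified duplicate of the evidence, keeping a chain-of-custody record that shows whether it has been altered, and measuring a seized machine's clock error before correlating its timestamps with other sources. The Python below is an added example written for this page, not code from the column or from The Advisory Council. The evidence bytes, examiner name, timestamps and the hash-chained log layout are all constructed assumptions; the hash chain is my own convention, not a standard format.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for an acquired disk image. A real case would stream the
# image file through the hash in chunks rather than holding it in memory.
ORIGINAL_IMAGE = b"constructed sample evidence: profile dir, mail spool, browser cache"


def sha256_hex(data: bytes) -> str:
    """Fingerprint of an evidence item, recorded at acquisition and re-checked later."""
    return hashlib.sha256(data).hexdigest()


def verify_copy(original_hash: str, copy: bytes) -> bool:
    """Analysts examine a duplicate; this proves the duplicate matches the sealed original."""
    return sha256_hex(copy) == original_hash


class CustodyLog:
    """Append-only chain-of-custody record. Each entry's hash covers the previous
    entry's hash, so an edited, inserted or dropped entry makes verify() fail."""

    def __init__(self):
        self.entries = []

    def record(self, handler: str, action: str, item_hash: str, when: datetime) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "time_utc": when.astimezone(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "item_sha256": item_hash,
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def clock_skew_seconds(reference_utc: datetime, host_reported_utc: datetime) -> float:
    """Seconds to add to the host's timestamps to place them on the reference clock.
    Obtained by reading the host clock against a trusted time source at seizure."""
    return (reference_utc - host_reported_utc).total_seconds()


def align(host_event_time: datetime, skew_seconds: float) -> datetime:
    """Move an event timestamp recorded on a drifted host onto the reference clock."""
    return host_event_time + timedelta(seconds=skew_seconds)


def run_case() -> dict:
    """Walk the constructed case through the three checks and return the results."""
    utc = timezone.utc
    original_hash = sha256_hex(ORIGINAL_IMAGE)
    working_copy = bytes(ORIGINAL_IMAGE)  # constructed duplicate of the image

    log = CustodyLog()
    log.record("examiner-1", "acquired image", original_hash,
               datetime(2004, 3, 1, 9, 0, tzinfo=utc))
    log.record("examiner-1", "sealed in evidence locker", original_hash,
               datetime(2004, 3, 1, 9, 30, tzinfo=utc))
    log_intact = log.verify()

    # Simulate a later edit of the first entry; the hash chain must expose it.
    log.entries[0]["handler"] = "unknown"
    tamper_detected = not log.verify()

    # Host clock read 08:55:00 while the trusted reference read 09:00:00: host is 300 s slow.
    skew = clock_skew_seconds(datetime(2004, 3, 1, 9, 0, tzinfo=utc),
                              datetime(2004, 3, 1, 8, 55, tzinfo=utc))
    host_event = datetime(2004, 2, 28, 17, 12, tzinfo=utc)  # constructed host log line time

    return {
        "copy_verified": verify_copy(original_hash, working_copy),
        "log_intact": log_intact,
        "tamper_detected": tamper_detected,
        "skew_seconds": skew,
        "event_time_utc": align(host_event, skew).isoformat(),
    }


if __name__ == "__main__":
    print(json.dumps(run_case(), indent=2))
```

Running the file prints the result of the constructed case: the duplicate verifies, the untouched log verifies, the edited log does not, and an event the drifted host stamped 17:12 is placed at 17:17 on the reference clock. For a real case the hashes should be taken over the image file in chunks and the custody log written to storage the analysts themselves cannot modify; the hash chain only detects alteration, it does not prevent it.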

©2002-2010 The Advisory Council Inc. All rights reserved.