Sunday, May 12, 2013

Enterprise IT Forensic Process - Approval


In March 2012, I wrote a piece about the key processes for IT forensics in an enterprise environment. Let's do a bit of a recap. There are 5 key processes - Approval, Acquisition, Analysis, Reporting and Disposal.

Today, I'm going to dive into more details on the first process - Approval.

Approval is the most important process. We don't want to do something that is illegal, right? This process therefore ensures that the investigation and forensic activities are legal in every aspect, e.g. under company policy as well as under the law.

Normally, the process starts when a Request for Investigation (RFI) is raised by someone within the company (referred to as the Requestor hereafter). Naturally, the obvious next step is for the Investigator to discuss the RFI in detail with the Requestor. The following questions shall be discussed and agreed:

Who shall approve this investigation?
As each request is normally unique, it cannot be predetermined who the approver shall be. However, the following persons/roles should typically be part of the approval list:
a) A person who can confirm that the investigation is allowed from the employment contract's perspective, e.g. Head of Human Resources
b) A person who can confirm that the investigation is allowed from the perspective of national law and legal requirements, e.g. Head of Legal
c) A person who can confirm that data belonging to the subject (or suspect) is allowed to be transferred to and examined by the Investigator, e.g. Head of Data Protection
d) A person who has direct disciplinary authority over the subject, e.g. the subject's direct manager
e) In some countries, e.g. Germany, where the Works Council is strong, its approval may be needed as well
f) Your boss. He has to approve from a resource allocation perspective :)

Who shall be the driver to gather all these approvals?
It is in the best interest of the Requestor for the investigation to be approved. Therefore, the Requestor shall be primarily responsible for gathering all the needed approvals. The Investigator could provide support as well, to a certain extent (subject to resource limitations etc.).

Another reason to have the Requestor take the lead role is to avoid "misuse" of the RFI. As an investigator, I'm sure you don't want to be running around chasing approvals whenever an RFI is raised to you :) .

We know we will get the approval; to save time, could we start collecting evidence in parallel?
NO. You shall not do that. Never collect or acquire evidence before you have all the green lights, no matter how strong the pressure is. Just as the police shall never search a place without a warrant, an investigator shall never acquire evidence without approval.

Is email approval accepted?
I would say yes, provided that the email is digitally signed with a valid user certificate from your organisation's PKI. A digitally signed email ensures non-repudiation: the approver cannot later deny having sent it, and any tampering with the message body invalidates the signature.
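Checking an emailed approval before acting on it means verifying the S/MIME signature against the organisation's own CA and confirming that the signing certificate actually belongs to the expected approver. The script below is an added example and not part of the original post: it builds a throwaway "organisation CA" and an approver certificate, signs a constructed approval message the way an S/MIME mail client would, and then defines a `verify_approval` check. The CA name, the approver identity (legal@example.com) and the RFI text are all constructed for the example.

```shell
#!/bin/sh
# Added example: verify an S/MIME-signed approval email against the organisation CA.
# Everything here is constructed (throwaway CA, approver certificate, sample message)
# and created in a temporary directory so the script runs offline.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Constructed organisation CA, standing in for the corporate PKI root.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Example Corp Forensics CA" -days 30 >/dev/null 2>&1

# 2. Constructed approver certificate issued by that CA, marked for email protection.
openssl req -newkey rsa:2048 -nodes -keyout approver.key -out approver.csr \
  -subj "/CN=Head of Legal/emailAddress=legal@example.com" >/dev/null 2>&1
printf 'extendedKeyUsage=emailProtection\nsubjectAltName=email:legal@example.com\n' > ext.cnf
openssl x509 -req -in approver.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out approver.crt -days 30 -extfile ext.cnf >/dev/null 2>&1

# 3. Constructed approval text, signed as a clear-signed (detached) S/MIME message.
printf 'RFI-0001: investigation of subject X approved by Legal.\n' > approval.txt
openssl smime -sign -in approval.txt -signer approver.crt -inkey approver.key \
  -out approval.eml

# verify_approval MESSAGE CAFILE APPROVER_EMAIL
# Succeeds only when (a) the signature is valid over the message as received,
# (b) the signing certificate chains to the organisation CA, and
# (c) the signing certificate carries the expected approver's email address.
verify_approval() {
  rm -f signer.pem
  # -signer writes the certificate that produced the signature to signer.pem
  openssl smime -verify -in "$1" -CAfile "$2" -signer signer.pem \
    -out /dev/null 2>/dev/null || return 1
  # bind the signature to the person who was supposed to approve, not just to "some cert"
  openssl x509 -in signer.pem -noout -email 2>/dev/null | grep -qx "$3"
}

# Stand-alone demonstration: the untouched message passes, a tampered copy does not.
if verify_approval approval.eml ca.crt legal@example.com; then
  echo "approval.eml: signature valid, issued by org CA, signer is legal@example.com"
fi
sed 's/approved/rejected/' approval.eml > tampered.eml
if ! verify_approval tampered.eml ca.crt legal@example.com; then
  echo "tampered.eml: signature check failed as expected"
fi
```

The third check matters in practice: a valid signature from any certificate in the corporate PKI is not the same as a valid signature from the Head of Legal, so the identity in the signing certificate is compared with the approver the RFI names. Keeping the signed `.eml` file, the CA certificate used and the output of this check alongside the RFI gives the Investigator a verifiable record of who approved what.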