The Information Systems Security Officers Guide: Establishing and Managing an Information Protection Program

There is a great lack of communication between ISSO professionals and law enforcement agencies. Neither profession seems to know what the other does, or how they can assist each other. The ISSO works primarily in the internal world of the corporation. Therefore, ISSOs usually are ignorant of what investigations are being conducted by law enforcement agencies, even in the cities where the corporation has facilities.

This lack of communication means that the ISSO, and more often than not the Director of Security, is not aware of local high-technology crime investigations that law enforcement are conducting. Thus, the ISSO is unaware of some high-technology crime techniques which would be useful to know about when developing internal defenses and controls to protect the corporation against such attacks.

When to Call for Help—and Whom

If you or one of your staff is conducting an NCI or supporting a security staff member conducting an investigation, there is more than one person who can be of assistance. These include:

• Victims,

• Witnesses,

• Consultants,

• Vendors,

• Suspects, and

• Law enforcement officers.

What if a high-technology crime is perpetrated at IWC and the law requires a law enforcement agency to be contacted? What if management decides that they want the perpetrator caught and prosecuted? They will file a complaint with the appropriate law enforcement agency and support criminal prosecution of the offender. Even though this is primarily a Secretary Department matter, often the ISSO has an important role to play. Therefore, the ISSO should be aware of the processes involved. Some of the things to consider are:

• Does IWC have a company policy as to when or when not to call an outside law enforcement agency?

• Are Legal staff involved?

• Are Human Resources personnel involved?

• Are Public Relations personnel involved?

• Is budget available to support the investigation and prosecution?

• Is the question "Can IWC stand the bad publicity?" considered in making the decision?

• Is executive management prepared for the required commitment?

• Is reporting required by law?

• If yes, should it be reported?

• If not, should it be reported?

When deciding whether or not to call law enforcement, one should also consider:

• Costs versus benefits;

• Extent of loss;

• Probability of identifying and successfully prosecuting the suspect;

• Potential lawsuits that will follow if someone is identified (whether or not he or she is successfully prosecuted); and

• Time in supporting the criminal justice process: investigation through prosecution.

There are some advantages to calling law enforcement, who can:

• Perform acts that are illegal if done by citizens;

• Obtain search warrants to recover property;

• Gain access to related information; and

• Protect victims under some instances.

Some of the disadvantages of calling law enforcement for help include:

• Control over the incident is lost;

• It is probably costly and time-consuming; and

• The company must be willing to cooperate in prosecution where the case may receive high visibility from news media, stockholders, and others.

If you decide to call in a law enforcement agency, IWC management must also decide which one to call and why—national, state, or local. No matter which one is called, IWC management must also be prepared to help them for an extended period of time. Initially, the ISSO in concert with the Director of Security should^[4]:

• Prepare a briefing for investigators;

• Ensure that executive management and legal staff director attend;

• Be sure of their facts;

• Brief in clear, concise, and nontechnical terms;

• Identify the loss, the basis for the amount, and the process used to determine that amount;

• Gather all related evidence;

• Know the related laws;

• Describe action taken to date;

• Explain the real-world impact of the alleged crime;

• Identify and determine if any victims will cooperate;

• Explain what assistance they can provide.

If the incident is to be handled internally:

• What is the objective?

• What is the plan to accomplish that objective?

• What expertise is available to help?

• What is the cost?

• What are the consequences?

• What can be done to be sure it doesn't happen again?

^[4]See http://www.shockwavewriters.com; Articles; ShockwaveWriter for a detailed case scenario related to calling law enforcement for help, entitled, "There's Been a Computer Crime! Call the Sheriff?"