Home » Physical Security » Investigations/Forensics

10 Rules for Responsible Investigations

Readers' best practices for making sure the sleuth work matches the allegation

How do you run a responsible investigation, one that’s done not only in a legal and ethical way (of course that’s a prerequisite) but that’s also effective? To find out, and as a follow-up to our analysis of Hewlett-Packard’s recent troubles over its inquiry into boardroom leaks, we asked readers of CSOonline.com. We posted a preliminary list of best practices at Disclosures, the blog from CSO’s editors, and invited readers to add their own. Below, the results.

1) Don’t break the law. Don’t hire anyone (or hire anyone who will hire anyone) who will break the law.

2) Before you start, agree on some general objectives. What do you want to accomplish? Set milestones to measure your progress. The overarching goal, of course, is to protect the corporation—both from whatever allegation you’re investigating and from the possible repercussions of how you investigate it.

3) Seek the truth. Don’t start with a preconceived outcome and try to make the facts fit—even if it is more convenient for the company.

4) Match the investigation to the crime. Don’t launch a $10,000 investigation into a $1,000 crime. Beware of a tendency to hit the ground running to catch the bad guys quickly, which could result in an investigation that veers off course and creates a larger issue than the reason the investigation was started in the first place.

5) Match the investigatory methods to your corporate culture. There’s a huge gray area of ethics in investigations. Make sure that what you’re doing makes sense for your company and follows practices that your CEO would be willing to defend on camera.

6) Be consistent. Don’t treat a high-performing employee different from the slacker for the same offense. Apply even standards in how you manage contractors and subcontractors. Ensure that whatever practice you use is well documented, can be replicated and can be presented to opposing counsel.

7) Practice strict “need to know” rules during the investigation. Don’t allow allegations to ruin someone’s reputation. Expand the base of people involved only when absolutely necessary, even at the expense of ruffling some senior corporate egos. There will be plenty of time to brief people once the allegations are confirmed.

8) Make sure employees know their rights. Your personnel policy should state clearly that phone conversations on company phones and data that traverses the company network or company equipment is the property of the company and as such may be monitored, tracked and audited.

9) Decide when to tell the subject of an investigation. Have a formal policy for when those under investigation will (or will not) be notified.