Internal Investigations: The Basics
Internal investigations must uncover the truth about misconduct or fraud without damaging innocent employees. Here are the basics of how to plan and conduct a successful internal investigation.
By Derek Slater
January 25, 2010 — CSO —
Internal investigations are a vital part of a security program. It's a serious matter when an employee is alleged to be violating company rules. So-called 'insider threats' can cause as much damage as thieves outside. These threats come in many different forms, including:
- Accounting fraud
- Outright theft of physical assets
- Unauthorized access, to manipulate data or to sell it
- Threats, sexual harrassment or other inappropriate forms of behavior or communication
- and more.
Internal investigations aim to uncover the truth about alleged misconduct within the organization. But a good internal investigation must do so without compromising the relationship with innocent employees or unnecessarily damaging anyone's reputation. That calls for good planning, consistent execution, analytical skill, sensitivity, and a solid grasp of the legalities involved.
Typical elements of an investigation include collection and examination of written or recorded evidence, interviews with suspects and witnesses, and computer and network forensics. It may also require consultation with managers, human resources and legal personnel, and potentially also law enforcement. The exact players and actions will be ONLY those dictated as necessary by the particular case at hand.
Here is a primer covering the basics of internal investigations, compiled from expert advice in CSOonline articles. You will find links throughout pointing to more detailed information.
- What planning steps should be undertaken at the outset of an internal investigation?
- Who should be kept informed about an investigation at each stage?
- What departments or skills sets are likely to be required in an internal investigation?
- Is it typically worthwhile to set up an employee hotline, allowing anonymous accusations or tips?
- What about detecting and investigating financial fraud specifically?
- What tools can help with the computer aspect of evidence-gathering?
- If I need to confiscate the subject's computer, won't that tip them off that they are under investigation?
- Can employees or outsiders successfully evade computer forensic tools?
- How do I interview a suspect?
- Is it reasonable to include hidden cameras in my surveillance effort?
- What investigation tactics clearly should be avoided?
Q: What planning steps should be undertaken at the outset of an internal investigation?
A: Attorney John Thompson notes that investigations are often lead by personnel other than security. (In fact, Thompson has written a series of books to provide specific direction to various constituencies: audit
Have clear policies. A policy is helpful in several regards. It should dictate the appropriate personnel and procedures for internal investigations at your organization. A clearly written policy will help your arrive at a successful and correct outcome, avoid common blunders, ensure that proper documentation is kept (see next point), and keep your company out of legal hot water.
Document your work. This includes documenting your compliance with your own policies. In the event that, for example, the subject of the investigation files a lawsuit against your company, you will need to demonstrate to a judge's satisfaction that you behaved responsibly and legally throughout.
Another key document is a confirmatory memorandum. You may determine this is necessary, frequently the case when a verbal complaint or accusation is made. A confirmatory memorandum clarifies the scope of the investigation for all parties involved, including the complainant.ESSENTIAL READING
How to plan investigations into internal fraud, retail theft, workplace incidents, digital forensics, and more. You'll find the technical, procedural, practical and legal advice you need for effective investigations.
Internal investigations basics
How to conduct an effective investigation that protects your organization while respecting the rights of everyone involved
The investigator's toolkit
Corporate investigations manager Brandon Gregg's series of practical tips on finding and managing pertinent information
Digital and physical investigations merge
Every investigation requires elements from each discipline. Here's how to make it all work together.
How to plan an investigation
Timelines, questions, confidentiality, evidence collection and more—care taken up front pays off in solid case resolutions
How to spot a liar
There's no single telltale clue, but body language and logic together can help identify dishonesty
How to use legal hold software
How to choose and use digital forensics tools
The rise of anti-forensics
- Introduction to VMware vCenter Site Recovery Manager 5
- Reliable Disaster Protection with VMware vCenter Site Recovery Manager
- Introduction to Virtualization
- Preventing Unplanned Downtime with Server Virtualization
- Secure Cloud Infrastructure and Next-Generation Data Centers - An Interactive Panel for Decision Makers
- Gartner Next Generation Network IPS Webcast
- Planning For Failure: Incident Management Is A Top Priority
- Identity Governance: The Business Imperatives
- CA Technology Brief: CA Point of View: Content Aware Identity & Access Management
- Data Loss Prevention Solution for Managing E-Discovery
- Enterprise Strategy Group: The Case for a New Data-centric DLP White Paper
- Business Centric DLP
- Patch Tuesday preview, February 2012
Microsoft published its Patch Tuesday Preview for February of 2012 a few minutes ago. IT admins can expect nine bulletins to address 21 security vulnerabilities.
It looks like four bulletins will be rated critical while the rest are designated as important.
Affected Microsoft products are:
- M86 report proves water is wet
- Actor, banker, soldier, spy: Suits and Spooks Anti-Conference aims to redefine security
More Salted Hash with Bill Brenner
