Investigation

An investigation is a fact-finding process that involves logically, methodically, and lawfully gathering and documenting information.

The goal is to develop an objective and reasonable conclusion based on the facts discovered during the process.

Investigations are conducted to uncover information that supports conclusions about an allegation, claim, assertion, or incident. They are essential for understanding events, assigning responsibility, and determining appropriate actions.

The primary purpose of an investigation is to:

  • Establish what happened
  • Identify who is responsible
  • Identify, collect, preserve, and analyze evidence

Types of Investigations

There are several types of investigations that cybersecurity professionals may be involved in. The main categories include:

  • Administrative investigations
  • Criminal investigations
  • Civil investigations
  • Regulatory investigations
  • Industry standard investigations

Administrative Investigations

Administrative investigations are internal investigations conducted by an organization. They are typically related to non-criminal issues such as policy violations, misconduct, or technical incidents.

These investigations follow internal policies and procedures, as long as they comply with applicable laws.

Common Triggers

Administrative investigations may be initiated due to:

  • Security incidents
  • Employee complaints
  • Operational mishaps
  • Misconduct or policy violations

Key Characteristics

  • Conducted internally within the organization
  • Focus on policy compliance rather than criminal law
  • Flexible procedures based on internal rules

Outcomes

Disciplinary actions may include:

  • Warnings or reprimands
  • Suspension
  • Termination of employment

If evidence of criminal activity is discovered during the investigation, it may escalate into criminal or civil investigations.

Example

An organization may notice that a user is downloading unusually large amounts of data.

  • The IT team investigates internally
  • They check if there is a legitimate business reason
  • If misuse is confirmed, disciplinary action is taken

If the activity involves illegal content such as copyrighted material, the case may be escalated to external authorities.

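The steps above (notice unusually large downloads, check for a legitimate business reason, act only once misuse is confirmed) can be expressed as a small triage script. The example below is added here and is not part of the original notes: the log format, the user names, the 100 MiB per-user baseline and the "10x baseline" threshold are all constructed assumptions, and the output of the script is a list of leads for the internal review, not a finding of misuse.

```python
import re
from collections import defaultdict

# Constructed sample of file-share transfer log lines in a hypothetical
# "key=value" format; none of these users, hosts or values are real.
SAMPLE_LOG = """\
2024-03-04T08:15:02Z user=alice action=download bytes=52428800 src=fileshare01
2024-03-04T08:40:17Z user=bob action=download bytes=1048576 src=fileshare01
2024-03-04T09:05:44Z user=alice action=download bytes=7516192768 src=fileshare02
2024-03-04T09:30:09Z user=carol action=download bytes=2097152 src=fileshare01
2024-03-04T10:12:51Z user=alice action=download bytes=3221225472 src=fileshare02
2024-03-04T11:00:00Z user=bob action=upload bytes=524288 src=wiki
this line is deliberately malformed and must be skipped by the parser
"""

# Assumed per-user daily download baseline (100 MiB) and the multiple above it
# that is treated as "unusually large"; both are illustrative, not a standard.
BASELINE_BYTES = 100 * 1024 * 1024
ANOMALY_FACTOR = 10

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"bytes=(?P<bytes>\d+) src=(?P<src>\S+)$"
)

def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match is None:
            continue
        rec = match.groupdict()
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records

def download_totals(records):
    """Sum downloaded bytes per user; uploads and other actions are ignored."""
    totals = defaultdict(int)
    for rec in records:
        if rec["action"] == "download":
            totals[rec["user"]] += rec["bytes"]
    return dict(totals)

def flag_unusual_downloads(totals, baseline_bytes=BASELINE_BYTES, factor=ANOMALY_FACTOR):
    """Return users whose download total exceeds factor x baseline, sorted by name."""
    threshold = baseline_bytes * factor
    return sorted(user for user, total in totals.items() if total > threshold)

def open_leads(flagged_users, totals, justified_users):
    """Turn flags into investigation leads.

    justified_users maps user -> reference to a documented business reason
    (for example a change-ticket id). A flag with a documented reason is
    closed as 'explained'; an unexplained flag stays 'open' for the internal
    review. A flag is a lead, not a finding: the disciplinary step in the
    notes only follows once misuse is actually confirmed.
    """
    leads = {}
    for user in flagged_users:
        reason = justified_users.get(user)
        leads[user] = {
            "bytes": totals[user],
            "status": "explained" if reason else "open",
            "justification": reason,
        }
    return leads

def triage(text, justified_users):
    """Run the whole pipeline on raw log text and return the leads."""
    records = parse_log(text)
    totals = download_totals(records)
    flagged = flag_unusual_downloads(totals)
    return open_leads(flagged, totals, justified_users)

if __name__ == "__main__":
    # Constructed justification list: nobody has documented a reason here.
    for user, lead in triage(SAMPLE_LOG, {}).items():
        print(user, lead)
```

With the sample data only `alice` crosses the threshold; passing a justification such as `{"alice": "CHG-0001 (constructed ticket id)"}` to `triage` closes that lead as explained, which mirrors the "check for a legitimate business reason" step before any disciplinary action.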
Criminal Investigations

Criminal investigations are conducted to determine violations of criminal law.

If an organization suspects a crime has been committed, it must involve law enforcement authorities, who take control of the investigation.

Objectives

Criminal investigators aim to determine:

  • The method used to commit the crime
  • The motive behind the crime
  • The identity of the offender

Key Characteristics

  • Initiated and conducted by government authorities
  • Concerned with offenses against society
  • Require strict legal procedures

Standard of Proof

Criminal cases require proof beyond a reasonable doubt.

  • This is a very high standard of proof
  • The evidence must strongly support guilt

Evidence Handling

  • Evidence must be carefully collected and preserved
  • Chain of custody must be maintained
  • Procedures must comply with legal standards
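A chain of custody is only useful if it can show two things later: that the evidence item is unchanged since acquisition, and that every hand-over is accounted for. The example below is added here and is not from the original notes or any specific tool: it records a SHA-256 hash of the item at acquisition, links each custody entry to the previous one by hash so that edits or deletions are detectable, and checks that each person handing the item over is the person who last received it. The item id, names, timestamps and ledger layout are constructed assumptions.

```python
import hashlib
import json

# Constructed evidence content standing in for an acquired file or image.
SAMPLE_EVIDENCE = b"constructed sample: exported mail spool, not real data\n"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def _entry_hash(entry):
    # Canonical JSON (sorted keys, fixed separators) so the hash of an entry
    # does not depend on dict insertion order or formatting.
    return sha256_hex(json.dumps(entry, sort_keys=True, separators=(",", ":")).encode())

def start_chain(item_id, description, collector, evidence_bytes, when):
    """Open a custody chain: entry 0 records who acquired the item, when, and its hash."""
    return [{
        "seq": 0,
        "item_id": item_id,
        "action": "acquired",
        "from": collector,
        "to": collector,
        "when": when,
        "evidence_sha256": sha256_hex(evidence_bytes),
        "note": description,
        "prev_entry_hash": None,
    }]

def record_transfer(chain, from_person, to_person, when, note):
    """Append a hand-over. Each entry carries the hash of the entry before it."""
    prev = chain[-1]
    entry = {
        "seq": prev["seq"] + 1,
        "item_id": prev["item_id"],
        "action": "transferred",
        "from": from_person,
        "to": to_person,
        "when": when,
        "evidence_sha256": prev["evidence_sha256"],
        "note": note,
        "prev_entry_hash": _entry_hash(prev),
    }
    chain.append(entry)
    return entry

def verify_chain(chain):
    """Return (ok, problems): ledger links intact, sequence contiguous, no custody gaps."""
    problems = []
    if not chain:
        return False, ["empty chain"]
    acquisition_hash = chain[0]["evidence_sha256"]
    for i, entry in enumerate(chain):
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence number {entry['seq']} out of order")
        expected_prev = None if i == 0 else _entry_hash(chain[i - 1])
        if entry["prev_entry_hash"] != expected_prev:
            problems.append(f"entry {i}: link to previous entry broken (entry edited or removed)")
        if i > 0 and entry["from"] != chain[i - 1]["to"]:
            problems.append(f"entry {i}: custody gap, {entry['from']} never received the item")
        if entry["evidence_sha256"] != acquisition_hash:
            problems.append(f"entry {i}: evidence hash differs from acquisition record")
    return (not problems), problems

def verify_evidence(chain, evidence_bytes):
    """Recompute the item's hash and compare it with the hash taken at acquisition."""
    return sha256_hex(evidence_bytes) == chain[0]["evidence_sha256"]

def current_custodian(chain):
    return chain[-1]["to"]

def build_sample_chain():
    """Constructed custody history: acquisition, hand-over to an analyst, return to storage."""
    chain = start_chain("ITEM-0001", "constructed mail spool export", "collector_a",
                        SAMPLE_EVIDENCE, "2024-03-04T10:00:00Z")
    record_transfer(chain, "collector_a", "analyst_b", "2024-03-04T12:30:00Z",
                    "handed over for analysis")
    record_transfer(chain, "analyst_b", "evidence_locker", "2024-03-05T17:00:00Z",
                    "returned to secure storage")
    return chain

if __name__ == "__main__":
    chain = build_sample_chain()
    print(json.dumps(chain, indent=2))
    print("ledger ok:", verify_chain(chain))
    print("evidence ok:", verify_evidence(chain, SAMPLE_EVIDENCE))
```

The hash linking makes the ledger tamper-evident, not tamper-proof: an in-memory list can be rewritten wholesale, so in practice the entries would be written to append-only storage and signed or countersigned by the people involved. The checks shown here are the ones an investigator would want to be able to demonstrate when the evidence is questioned: an unchanged item hash and an unbroken sequence of hand-overs.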

Penalties

Penalties are designed to punish and deter criminal behavior:

  • Imprisonment
  • Monetary fines

Civil Investigations

Civil investigations deal with disputes between individuals or organizations that result in loss or damage.

These cases are typically initiated by the affected party rather than the government.

Key Differences from Criminal Investigations

  • Initiated by individuals or organizations
  • Focus on compensation rather than punishment
  • Outcomes are liability-based rather than guilt-based

Standard of Proof

Civil cases use a lower standard of proof called preponderance of the evidence.

  • Requires at least a 51% probability that the claim is true
  • Less strict than criminal standards

Evidence Handling

  • Evidence requirements are less strict compared to criminal cases
  • Still must be credible and properly documented

Outcomes

The goal is to compensate the victim rather than punish the offender.

Typical outcomes include:

  • Financial compensation
  • Damages awarded to the affected party

Regulatory Investigations

Regulatory investigations are conducted to determine whether an organization is complying with laws and regulations established by government authorities.

These investigations can vary widely in scope and complexity. Depending on the severity of the violation, they may resemble administrative, civil, or even criminal investigations.

Characteristics of Regulatory Investigations

  • Initiated by regulatory bodies or government agencies
  • May be conducted independently or alongside law enforcement
  • Can involve third-party investigators or auditors
  • Scope can range from simple inquiries to extensive formal investigations

Investigation Process

Regulatory investigations may begin with:

  • Informal requests for information, such as phone calls or emails
  • Requests for documentation or clarification

In more serious cases, they may escalate to:

  • Formal investigations
  • Legal actions such as subpoenas
  • Comprehensive audits and evidence collection

Penalties and Consequences

Violations of regulatory requirements can result in significant consequences:

  • Financial penalties and fines
  • Sanctions or restrictions on business operations
  • Mandatory corrective actions

For example:

  • Under GDPR, fines can reach up to €20 million or 4% of global annual turnover, whichever is higher

In severe cases:

  • Regulatory investigations may lead to criminal investigations
  • Individuals or organizations may face imprisonment or substantial fines

Risk Management

Organizations must actively work to reduce exposure to regulatory risks by:

  • Ensuring compliance with applicable laws and regulations
  • Implementing strong governance and internal controls
  • Conducting regular audits and assessments

Industry Standard Investigations

Investigations related to industry standards focus on compliance with standards that are not laws but are enforced through contractual obligations.

Examples include standards such as PCI DSS, which organizations must follow when handling payment card data.

Characteristics of Industry Investigations

  • Based on agreements between organizations rather than legal statutes
  • Often required as part of doing business in certain industries
  • Enforced through contracts and compliance requirements

Investigation Process

Organizations may be required to:

  • Undergo audits and compliance assessments
  • Provide evidence of adherence to standards
  • Cooperate with independent third-party investigators

These investigations are often conducted by:

  • Certified auditors
  • Independent assessment organizations

Consequences of Non-Compliance

Even though these standards are not laws, violations can still result in serious consequences:

  • Financial penalties and fines
  • Loss of certification or compliance status
  • Termination of business relationships
  • Restrictions on conducting certain types of business

Because of these risks, industry standard investigations should be treated with the same level of seriousness as regulatory investigations.

Summary of Investigation Types

Cybersecurity professionals may encounter multiple types of investigations, each with different purposes and requirements.

  • Administrative investigations focus on internal policy violations
  • Criminal investigations address violations of law
  • Civil investigations resolve disputes and compensation
  • Regulatory investigations ensure compliance with laws and regulations
  • Industry investigations enforce contractual standards and compliance

Understanding these differences is essential for handling incidents correctly and ensuring proper evidence handling, reporting, and response.