Law Enforcement Involvement

When an incident violates civil or criminal law, it is the organization’s responsibility to notify the proper
authorities. Selecting the appropriate law enforcement agency depends on the type of crime
committed.
Each state and country has its own law enforcement agencies. These agencies enforce all local and state
laws, handle suspects, and secure crime scenes.
Local law enforcement agencies rarely have computer crime task forces, but the investigative
(detective) units are quite capable of processing crime scenes and handling most common criminal
violations, such as physical theft, trespassing, damage to property, and the apprehension and
processing of suspects.
They can then bring in additional expertise as needed to handle cybercrime.
Involving law enforcement agencies has both advantages and disadvantages. For example, such
agencies are usually much better equipped at processing evidence than a business organization.
Unless the security forces in the organization have been trained in processing evidence and digital
forensics, they may do more harm than good when attempting to extract information that can lead to
the legal conviction of a suspected criminal.
Law enforcement agencies are also prepared to handle the warrants and subpoenas necessary when
documenting a case. They are adept at obtaining statements from witnesses, search warrants, and
other required documents. For all these reasons, law enforcement personnel can be a security
administrator’s greatest allies in prosecuting a computer crime.
• The disadvantages of law enforcement involvement include possible loss of control of the chain of events following an incident, including control over the collection of information and evidence and the prosecution of suspects.
• An organization that wants to simply reprimand or dismiss an employee should not involve a law enforcement agency in the resolution of an incident.
• Additionally, the organization may not hear any new information about the case for weeks, or even months, because of the agency’s heavy caseloads or resource shortages.
• A very real issue for commercial organizations when involving law enforcement agencies is the evidence tagging of equipment that is vital to the organization’s business.
• Valuable assets can be removed, stored, and preserved to prepare the criminal case. Despite these difficulties, if the organization detects a criminal act, it has the legal obligation to notify appropriate law enforcement officials.
• Failure to do so can subject the organization and its officers to prosecution as accessories to the crime or for impeding the course of an investigation.
• It is up to the security administrator to ask questions of law enforcement agencies to determine when each agency needs to be involved and which crimes are addressed by each agency.
Internal and External stakeholders
• Every organisation is different. However, your CSIRT must find a way to engage with the equivalents of the following groups:
• IT Services. Your incident response team needs to establish solid relationships with all the key parts of your IT Services organisation. Internally, this includes networking, database teams and developers. Externally, you need to include hosting providers and service providers. This is the most crucial relationship they can have.
• Security Management. You need more than a CSIRT. The incident responders cannot be expected to own every aspect of security. You need to ensure they have a route to engage other parts of security, and especially the security management / leadership teams.
• Legal. Incidents open the door for lots of legal considerations. You need to make decisions about what to report and how significant an event may be. Your incident responders should be technical experts, not legal experts. This means your handlers must have a way of seeking guidance from real lawyers. Ignore legal at your peril.
• Human Resources. Users are a frequent cause of security incidents. Your incident response team needs to be able to handle these in the correct way. To enable this, the CSIRT needs to engage with HR. Ideally, there will be regular links to ensure compliance and an ad-hoc link when an incident happens. As with legal, ignore HR at your peril.
• Public Relations. Incidents can go public with very little warning. No one wants to make the Talk Talk mistake, with a CEO talking faster than your incident response team can work. It is vital that your incident response team engages with PR before and during incidents. Your PR team are experts in making sure the incident response message is the right one. If you need to go public and there is no link between incident response and PR, you will feel pain. Lots of pain.
Incident Response Communications
• So, you know it makes sense to engage, but how can you do it?
• Step 1: Identify the right people. Find or nominate key individuals within the stakeholder groups. These do not need to be security experts, but they need to be aware of the incident response team’s existence. Make them aware of their duties – normally to act as a support point for any incident activity.
• Step 2: Set up regular security cadence meetings. People forget things. You can minimise this with a regular meeting between all the stakeholders. You can use this to drive improvements, review previous incidents or just remind everyone.
• Step 3: Incident Response Escalations. While your team is in flight with an incident, have them set up proactive alerting. Don’t call everyone, every time, but your handlers need to be planning ahead. Your incident response team needs to be warming up key contacts so that when they have to press the button, it doesn’t shock anyone.
Incident Response team
• An incident response team is a group of IT professionals in charge of preparing for and reacting to any type of organizational emergency.
• Responsibilities of an incident response team include developing a proactive incident response plan, testing for and resolving system vulnerabilities, maintaining strong security best practices and providing support for all incident handling measures.
• Incident response team members typically cover various technical skills, backgrounds and roles to be prepared for a wide range of unforeseen security incidents.
Examples of incident response teams
• Computer Security Incident Response Team (CSIRT). This is a team of professionals responsible for preventing and responding to security incidents. A CSIRT may also handle aspects of incident response in other departments, such as dealing with legal issues or communicating with the press.
• Computer Emergency Response Team (CERT). This is a team of professionals in charge of handling cyberthreats and vulnerabilities within an organization. In addition, CERTs tend to release their findings to the public to help others strengthen their security infrastructure.
• Security Operations Center (SOC). This is a type of command center facility that is dedicated to monitoring, analyzing and protecting an organization from cyber attacks. A SOC typically includes threat hunters and analysts that focus only on system security incident response.
Incident response team functions and responsibilities
• As companies will have different individual risk profiles and business processes to be mindful of, specific skillsets within the incident response team may vary. Generally speaking, the core functions of an incident response team include leadership, investigation, communications, documentation and legal representation.
• Leadership. Coordinates the overall direction and strategy of response activities and ensures the team stays focused on minimizing damage, recovering quickly and operating efficiently.
• Investigation. Coordinates efforts to determine an incident's root cause. It's important to gather as much relevant information as possible, specifically information that can help correct the acute issue as well as prevent future issues.
• Communications. Manages relevant internal and external communications necessary for the incident response. Communications may be required across an organization's teams and departments, or with external stakeholders.
• Documentation. Keeps records of incident response measures and activities.
• Legal representation. Ensures that the incident response activities taken line up with laws and regulations to protect the organization.
Incident Response Team
• Incident response team members will include a mix of technical staff, cross-functional team members and, potentially, external contractors. When choosing specific team members, organizations should look to include:
• Technical team. IT, security team members and other employees with technical expertise across company systems. The technical team will be the core of the overall incident response team, and should include security analysts and threat intelligence
• Executive sponsor. A senior executive should be present to provide oversight for information security and business risk management.
• Incident responders. Responsible for keeping track of incident response timelines and following up with ongoing management of incidents. May be charged with assessing the scope and urgency of incidents, reporting on trends, educating employees and internal stakeholders, and potentially liaising with law enforcement.
• Communications coordinators. Responsible for managing internal communications relating to incident response efforts, as well as public relations representatives to manage relationships with media outlets, affiliated business entities and external stakeholders.
• Forensic analyst. An expert in forensics. May be an in-house employee or an outside advising contractor.
• External consultant. A third-party expert in incident response, information security or technical systems that can advise on cases.
• Legal representatives. May be an in-house corporate attorney or an outside law firm hired to represent the company if legal action is necessary.