Domain 1 – Chapter 19 – Investigation and Ethics

Domain 1.0 – Security and Risk Management

ISC2 code of professional ethics – https://www.isc2.org/ethics

Code of Ethics Preamble
  • The safety and welfare of society and the common good, duty to our principals, and to each other, require that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  • Therefore, strict adherence to this code is a condition for certification.
Code Of Ethics Canons
  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  2. Act honorably, honestly, justly, responsibly, and legally.
  3. Provide diligent and competent service to principals.
  4. Advance and protect the profession.
Code of Ethics Complaints
  • Any member of the general public may file a complaint involving canon 1 or 2.
  • Only an employer or someone with a contracting relationship with the individual may file a complaint under canon 3.
  • Other professionals may file a complaint under canon 4. It is important to note that this is not limited to cybersecurity professionals. Anyone who is certified or licensed as a professional and subscribes to a code of ethics as part of that licensure or certification is eligible to file a canon 4 complaint.
RFC 1087

RFC 1087 states that any activity with the following purposes is unacceptable and unethical:

  • Seeks to gain unauthorized access to Internet resources.
  • Disrupts the intended use of the Internet.
  • Wastes resources (people, capacity, computers) through such actions.
  • Destroys the integrity of computer-based information.
  • Compromises the privacy of users.

Investigations

Failure to follow the proper procedures may violate the civil rights of the individual(s) being investigated and could result in a failed prosecution or even legal action against the investigator.

Investigation Types

Administrative Investigations
  • Internal in nature; examines either operational or organizational policies.
  • Conducted as part of technical troubleshooting or other administrative processes, for example HR disciplinary procedures.
  • It may require a stronger standard of evidence, especially if it results in sanctions against an individual.
  • It may quickly transition to another type of investigation. For example, a slow responding server might reveal an ongoing cybersecurity event.
Operational Investigations
  • Examines issues related to the organization’s computing infrastructure, with the primary goal of resolving operational issues.
  • Has the loosest standards for collecting information. These investigations are NOT intended to produce evidence – internal operational purposes only.
  • Does not need to be thorough or well documented, because resolving the issue is the primary goal.
  • Often used in root cause analysis, seeking to identify the reason that an operational issue occurred.
  • Root cause analysis often highlights issues that require remediation to prevent similar incidents in the future.
Criminal Investigations
  • Typically conducted by law enforcement personnel.
  • Follows a strict evidence collection and preservation process.
  • Must meet the “beyond a reasonable doubt” standard of evidence.

Beyond a reasonable doubt: means the jury must be firmly convinced of the defendant’s guilt based on the evidence. There can be no reasonable alternative explanation consistent with innocence, but it does not require absolute certainty or the elimination of all doubt, only reasonable doubt.

In simple terms: If a reasonable person would still hesitate because of a logical, evidence-based doubt, the standard is not met.

Civil Investigations
  • Typically, they do not involve law enforcement.
  • Involve internal employees and outside consultants working on behalf of a legal team.
  • The evidence gathered is presented in civil court cases, usually resolving disputes between two parties.
  • Not as rigorous as those used in criminal cases.
  • Most civil cases do not follow the beyond a reasonable doubt standard of proof. Instead, they use the “weaker” “preponderance of evidence” standard.

Note: Preponderance of the evidence is the legal standard commonly used in civil cases. It means that a claim is proven if it is more likely than not to be true, even if the likelihood is slightly over 50%.

In simple terms: if the evidence tips the scale just a bit in favor of one side, that side meets the standard.

Regulatory Investigations
  • Conducted by government agencies when they believe that an individual or corporation has violated administrative law.
  • Regulatory investigations vary widely in scope and procedure, and are often conducted by government agencies.
  • Regulators typically conduct these investigations with a standard of proof commensurate with the venue where they expect to try their case.
Industry Standards
  • Some regulatory investigations may not involve government agencies. These are based on industry standards such as:
    • Payment Card Industry Data Security Standard (PCI DSS).
    • Health Insurance Portability and Accountability Act (HIPAA) (1996).
    • Gramm-Leach-Bliley Act (GLBA)
    • General Data Protection Regulation (GDPR)
  • These industry standards are not laws but are contractual obligations entered into by the participating organizations.
  • Failure to participate in these investigations or negative investigation results may lead to fines or other sanctions.
Electronic Discovery
  • Regarding legal proceedings: Each side has a duty to preserve evidence related to the case and, through the discovery process, share information with its adversary.
  • The discovery process applies to both paper and electronic records, and the electronic discovery (eDiscovery) process facilitates the processing of electronic information for disclosure.
Electronic Discovery Reference Model (EDRM)
  • Describes a standard process for conducting eDiscovery with 9 aspects.
  1. Information Governance: Ensures that information is well organized for future eDiscovery efforts.
  2. Identification: Locates information that may be responsive to a discovery request when the organization believes that litigation is likely.
  3. Preservation: Ensures that potentially discoverable information is protected against alteration or deletion.
  4. Collection: Gathers the relevant information centrally for use in the eDiscovery process.
  5. Processing: Screens the information to perform a “rough cut” of irrelevant information, reducing the amount of information requiring detailed screening.
  6. Review: Examines the remaining information to determine what information is relevant to the request and removes any information protected by attorney-client privilege.
  7. Analysis: Performs a deeper inspection of the content and context of the remaining information.
  8. Production: Places the information into a format that may be shared with others and delivers it to other parties, such as opposing counsel.
  9. Presentation: Displays the information to witnesses, the court, and other parties.

Reference: https://edrm.net/edrm-model/current/

Image: EDRM 2.0 Model — used under Creative Commons Attribution 4.0 International License from EDRM.net

mnemonic: Information Is Properly Collected, Processed, Reviewed, Analyzed, Produced, Presented.

Evidence
  • The evidence presented must be sufficient to prove an individual’s guilt beyond a reasonable doubt.
  • The items of evidence maintained and used in court are called artifacts, for example:
    • Physical devices (computers, mobile devices, network devices)
Admissible Evidence

There are three basic requirements for evidence to be introduced in a court of law. To be considered admissible evidence, it must meet all three of these requirements, as determined by a judge, prior to being discussed in open court:

  • The evidence must be relevant to determining a fact.
  • The fact that the evidence seeks to determine must be material (related) to the case.
  • The evidence must be competent, meaning it must be obtained legally.
Types of Evidence

Real Evidence: Known as “object evidence.”

  • Things that can be brought into a court of law in computer-related cases may include:
    • A keyboard with fingerprints, a hard drive from a malicious actor’s computer, etc.
  • Real evidence may also be conclusive evidence, such as DNA, which is incontrovertible.

Documentary Evidence: Includes anything written that’s brought into court to prove a fact.

  • This evidence must be authenticated.
    • Computer evidence: for example, a system administrator testifies that log collection is part of the organization’s routine process and that this is indeed the log collected by the system.

Two additional documentary evidence rules:

  1. Best evidence rule: When the document is used in court, the original document must be introduced.
    • Copies or descriptions of the original evidence (secondary evidence) will not be accepted as evidence unless certain exceptions to the rule apply.
  2. Parol evidence rule: When parties agree in writing, the written document is presumed to contain all the terms of the agreement, and no oral agreements may modify it.
