Operational and Organizational Security: Incident Response • Chapter 11 635
are many people who will need to be notified and informed as to what has occurred. Once a problem is recognized, you will need to maintain a list of who was involved in the situation (including witnesses and potential suspects), determine what has occurred (e.g., a system failure or a hacking attempt), determine the scope of the problem, and document the steps that were taken. Once you've acquired enough information to have an understanding of the situation, you will then need to notify management of the problem, and determine if police intervention is necessary.

The company's incident response policy should include procedures dealing with disclosure, outlining who is to be notified of an incident and when police and the public should be notified. Laws or policies may exist stating that any crimes must be reported to the police and any incidents must be disclosed to the public. In some cases, the situation itself requires going public. For example, in October of 2006, Brock University had their systems hacked, with the personal information of alumni and other donors being stolen, including credit card and banking information. The situation required the university to contact police and notify the people whose information may have been stolen. If a company must go public with information about an incident or crime, then disclosure of the information should be coordinated with the company's public relations office. A responsibility of the Incident Response Team will be to provide decision makers with information that is easy to understand, and that outlines what has occurred and what is being done about it. In doing so, management and public relations staff will be better able to properly notify the right people (i.e., media, customers, stockholders, and so forth) and defuse a potentially embarrassing situation. Because evidence may be used in criminal proceedings, thorough documentation cannot be stressed enough. Documentation provides a clear understanding of what was done to obtain the evidence, and what the evidence represents. All observations and actions that were made must be documented. This information should include the date, time, conversations pertinent to the investigation, tasks that were performed to obtain evidence, names of those present or who assisted, and anything else relevant to the forensic procedures that took place.

Documentation may also be useful as a personal reference tool or used to testify in court. Because of the technical nature of the material involved, it is important to review the details of the evidence before testifying at trial. These notes may also be referred to on the stand, but doing so will cause them to be entered into evidence as part of the court record. Because the entire document is entered into evidence, it is very important not to have notes dealing with other cases or other sensitive information in the same document, as this will also become public record.
www.syngress.com