Recording Evidence of Incidents (Information Security)

Evidence is collected in two cases: either because there has already been a breach of the law, or because a breach is thought to be imminent. If you believe there has been a breach of Information Security, refer to Detecting and Responding to Information Security Incidents for guidelines. Where the breach has not yet taken place but you suspect it may, it is important that any evidence being collected is admissible; see Admissible Evidence. N.B. Organisations should always seek legal advice concerning the admissibility of any evidence.


  • Where the evidence produced is not considered admissible, any possible legal case may be dismissed, and other forms of disciplinary action may fail.
      • Always seek legal guidance before placing legal reliance upon logs, files, or other information storage media.
      • Processes and procedures must be sufficiently robust to withstand legal scrutiny. At the very least, document all business processes thoroughly.
      • Periodically review procedures for continuity, as gaps in processing may indicate weaknesses in the integrity of the process.

  • Lack of continuity and completeness of evidence can compromise the legal position.
      • Where possible, ensure that evidence is both complete and sequential.

  • Where proof that the evidence has not been 'modified' is unavailable or unsatisfactory, the integrity of the evidence may be in doubt.
      • Produce details of the access control measures which apply together with any other supporting evidence to justify the integrity of the evidence.

  • Where there is no written evidence that the perpetrator was aware of any access restrictions to the various systems, this can scupper any legal redress.
      • All staff should sign a document which confirms their agreement to comply with the Information Security Policies of the organisation.
      • HR should retain all such signed documents as these might be needed as evidence of awareness of the access controls applicable to various systems.

  • Notwithstanding the possible admissibility of the evidence collected, where no procedures exist for the collection, storage and safekeeping of such evidence, it may be deemed inadmissible.
      • Procedures for the collection and storage of evidence should be agreed between the Security Officer, the Legal representatives, and the System Administrator.


Use of the guidance contained within RUSecure™ is subject to the End User Licence Agreement