Collecting Evidence of an Information Security Breach
Evidence of an Information Security breach must be collected to comply with statutory, regulatory or contractual obligations and avoid breaches of criminal or civil law. Advice on specific legal requirements should be sought from the organisation's legal advisers. Legal requirements vary from country to country.
Evidence collected for a disciplinary hearing may be too weak to bring disciplinary charges, in which case the threat to security posed by the staff member remains.
Log all Information Security incident data and responses in a format suitable for use in a legal case. When collecting evidence, consider:
Rules for evidence: have adequate evidence to support an action against a person or organisation.
Admissibility of evidence: comply with any standard or code of practice for the production of admissible evidence.
Quality and completeness of evidence: a strong evidence trail is needed to achieve quality and completeness of the evidence.