Disaster recovery & business continuity
-
Upload
dhani-ahmad -
Category
Internet
-
view
99 -
download
1
Transcript of Disaster recovery & business continuity
Transforming Lives. Inventing the Future. www.iit.edu
I ELLINOIS T UINS TI TOF TECHNOLOGY
ITM 578 1
Disaster Recovery & Business Continuity
Ray TrygstadITM 478/578 Spring 2004Master of Information Technology & Management ProgramCenter for Professional Development
Slides based on Whitman, M. and Mattord, H., Principles of Information Security; Thomson Course Technology 2003
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 2
ILLINOIS INSTITUTE OF TECHNOLOGY
Learning ObjectivesUpon completion of this lesson the student should be able to:
– Describe what contingency planning is and how incident response planning, disaster recovery planning, and business continuity plans are related to contingency planning.
– Discuss the elements that comprise a business impact analysis and the information that is collected for the attack profile.
– Recognize the components of an incident response plan.
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 3
ILLINOIS INSTITUTE OF TECHNOLOGY
Learning ObjectivesUpon completion of this lesson the student should be able to:
– Explain the steps involved in incident reaction and incident recovery.
– Define the disaster recovery plan and its parts.– Define the business continuity plan and its
parts.– Discuss the reasons for and against involving
law enforcement officials in incident responses and when may be required.
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 4
ILLINOIS INSTITUTE OF TECHNOLOGY
FIGURE 7-1 Contingency Planning and the SecSDLCContingency Planning and the SecSDLC
Contingency Planning
Design:planning for continuty
Chapter 7
Investiga te
Ana lyze
Implement
Ma inta in
Physica l Design
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 5
ILLINOIS INSTITUTE OF TECHNOLOGY
Continuity StrategyManagers must provide strategic
planning to assure continuous information systems availability ready to use when an attack occurs
Plans for events of this type are referred to in a number of ways: – Business Continuity Plans (BCPs)– Disaster Recovery Plans (DRPs)– Incident Response Plans (IRPs)– Contingency Plans
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 6
ILLINOIS INSTITUTE OF TECHNOLOGY
Continuity Strategy
Large organizations may have many types of plans, small organizations may have one simple plan, but most have inadequate planning
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 7
ILLINOIS INSTITUTE OF TECHNOLOGY
Contingency Planning
Components of Contingency Planning (CP):– Incident Response Planning (IRP) – Disaster Recovery Planning (DRP) – Business Continuity Planning (BCP)
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 8
ILLINOIS INSTITUTE OF TECHNOLOGY
Contingency Planning The primary functions of these three
planning components: – IRP focuses on immediate response, but if the
attack escalates or is disastrous the process changes to disaster recovery and BCP
– DRP typically focuses on restoring systems after disasters occur, and as such is closely associated with BCP
– BCP occurs concurrently with DRP when the damage is major or long term, requiring more than simple restoration of information and information resources
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 9
ILLINOIS INSTITUTE OF TECHNOLOGY
Contingency Planning Team
Before any planning can begin, a team has to plan the effort and prepare the resulting documents
Champion - A high-level manager to support, promote, and endorse the findings of the project
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 10
ILLINOIS INSTITUTE OF TECHNOLOGY
Contingency Planning Team Project Manager - Leads the project and
makes sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed
Team Members - Should be the managers or their representatives from the various communities of interest: Business, IT, and Information Security
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 11
ILLINOIS INSTITUTE OF TECHNOLOGY
Contingency Planning Hierarchy
ContingencyContingencyPlanningPlanning
DisasterDisasterRecoveryRecovery
IncidentIncidentResponseResponse
BusinessBusinessContinuityContinuity
FIGURE 7-2 Contingency Planning Hierarchy
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 12
ILLINOIS INSTITUTE OF TECHNOLOGY
Contingency Planning Timeline
FIGURE 7-3 Contingency Planning Timeline
Incident Response (IRP)Incident Response (IRP)Disaster Recovery Planning (DRP)Disaster Recovery Planning (DRP)
Business Continuity (BCP)Business Continuity (BCP)
Attack Post Attack(hours)
Post Attack(days)
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 13
ILLINOIS INSTITUTE OF TECHNOLOGY
Major Steps in Contingency Planning
Identification of Identification of threats and attacksthreats and attacks
Business unit analysisBusiness unit analysis
Scenarios of Scenarios of successful attackssuccessful attacks
Assessment of Assessment of potential damagespotential damages
Classification of Classification of subordinate planssubordinate plans
Incident Incident planningplanning
Incident Incident detectiondetection
Incident Incident reactionreaction
Incident Incident recoveryrecovery
Plan for Plan for disasterdisaster
recovery recovery
CrisisCrisisManagementManagement
RecoveryRecoveryoperationsoperations
EstablishEstablishContinuityContinuitystrategystrategy
Plan for Plan for continuity ofcontinuity ofoperations operations
Continuity Continuity managementmanagement
Incident responseplanning
Business impactanalysis (BIA)
Disasterrecoveryplanning
Businesscontinuityplanning
FIGURE 7-4 Major Steps in Contingency Planning
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 14
ILLINOIS INSTITUTE OF TECHNOLOGY
Business Impact AnalysisBegin with Business Impact Analysis
(BIA)if the attack succeeds, what do we do then?
The CP team conducts the BIA in the following stages:1.Threat attack identification2.Business unit analysis3.Attack success scenarios4.Potential damage assessment5.Subordinate plan classification
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 15
ILLINOIS INSTITUTE OF TECHNOLOGY
Threat Attack Identification & Prioritization
Update threat list with latest developments and add the attack profile
The attack profile is the detailed description of activities during an attack
Must be developed for every serious threat the organization faces
Used to determine the extent of damage that could result to a business unit if the attack were successful
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 16
ILLINOIS INSTITUTE OF TECHNOLOGY
Table 7-1 – Attack Profile
Date of AnalysisDate of Analysis
Attack name & descriptionAttack name & description
Threat & probable threat agentThreat & probable threat agent
Known or possible vulnerabilitiesKnown or possible vulnerabilities
Likely precursor activities or indicatorsLikely precursor activities or indicators
Likely attack activities or indicators of attack in Likely attack activities or indicators of attack in progressprogress
Information assets or risk from this attackInformation assets or risk from this attack
Damage or loss to information assets likely Damage or loss to information assets likely from this attackfrom this attack
Other assets at risk from this attackOther assets at risk from this attack
Damage or loss to other assets likely from this Damage or loss to other assets likely from this attackattack
TABLE 7-1 Attack Profile
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 17
ILLINOIS INSTITUTE OF TECHNOLOGY
Business Unit AnalysisThe second major task within the BIA
is the analysis and prioritization of business functions within the organization
Identify the functional areas of the organization and prioritize them as to which are most vital
Focus on a prioritized list of the various functions the organization performs
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 18
ILLINOIS INSTITUTE OF TECHNOLOGY
Attack Success Scenario Development Next create a series of scenarios depicting
the impact a successful attack from each threat could have on each prioritized functional area with:– details on the method of attack – the indicators of attack – the broad consequences
Attack success scenarios details are added to the attack profile including:– Best case– Worst case– Most likely alternate outcomes
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 19
ILLINOIS INSTITUTE OF TECHNOLOGY
Potential Damage Assessment
From the attack success scenarios developed, the BIA planning team must estimate the cost of the best, worst, and most likely cases
Costs include actions of the response team
This final result is referred to as an attack scenario end case
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 20
ILLINOIS INSTITUTE OF TECHNOLOGY
Subordinate Plan Classification Once potential damage has been assessed, a
subordinate plan must be developed or identified
Subordinate plans will take into account the identification of, reaction to, and recovery from each attack scenario
An attack scenario end case is categorized as disastrous or not
The qualifying difference is whether or not an organization is able to take effective action during the event to combat the effect of the attack
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 21
ILLINOIS INSTITUTE OF TECHNOLOGY
Incident Response Planning
Incident response planning covers the identification of, classification of, and response to an incident
An incident is an attack against an information asset that poses a clear threat to the confidentiality, integrity, or availability of information resources
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 22
ILLINOIS INSTITUTE OF TECHNOLOGY
Incident Response Planning
Attacks are only classified as incidents if they have the following characteristics:– Are directed against information assets– Have a realistic chance of success– Could threaten the confidentiality, integrity, or
availability of information resources IR is more reactive, than proactive, with
the exception of the planning that must occur to prepare the IR teams to be ready to react to an incident
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 23
ILLINOIS INSTITUTE OF TECHNOLOGY
Incident PlanningThe pre-defined responses enable the
organization to react quickly and effectively to the detected incident
This assumes two things: – first, the organization has an IR team– second, the organization can detect the
incidentThe IR team consists of those
individuals needed to handle the systems as incident takes place
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 24
ILLINOIS INSTITUTE OF TECHNOLOGY
Incident Planning
The military process of planned team responses can be used in an incident response
The planners should develop a set of documents that guide the actions of each involved individual reacting to and recovering from the incident
These plans must be properly organized and stored
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 25
ILLINOIS INSTITUTE OF TECHNOLOGY
Incident Response PlanFormat and Content
– The plan must be organized to support quick and easy access to the information needed
Storage– The plan should be protected as sensitive
information – On the other hand, the organization needs
this information readily available
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 26
ILLINOIS INSTITUTE OF TECHNOLOGY
Incident Response Plan
Testing– An untested plan is not a useful plan.
The levels of testing strategies can vary:– Checklist– Structured walk-through– Simulation– Parallel– Full-interruption
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 27
ILLINOIS INSTITUTE OF TECHNOLOGY
Incident Detection The most common occurrence is a complaint about
technology support, often delivered to the help desk Possible detections:
– intrusion detection systems, both host-based and network-based
– virus detection software – systems administrators – end users
Only through careful training can the organization hope to quickly identify and classify an incident
Once an attack is properly identified, the organization can respond
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 28
ILLINOIS INSTITUTE OF TECHNOLOGY
Incident IndicatorsPossible indicators of
incidents: – Presence of unfamiliar
files– Unknown programs or
processes– Unusual consumption of
computing resources– Unusual system crashes
Probable indicators of incidents:– Activities at unexpected
times– Presence of new accounts– Reported attacks– Notification from IDS
Definite indicators of incidents:– Use of dormant accounts– Changes to logs– Presence of hacker tools– Notifications by partner
or peer– Notification by hacker
Predefined situations that signal an automatic incident: – Loss of availability– Loss of integrity– Loss of confidentiality– Violation of policy– Violation of law
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 29
ILLINOIS INSTITUTE OF TECHNOLOGY
Incident or DisasterWhen Does an Incident Become a
Disaster?– the organization is unable to mitigate the
impact of an incident during the incident– the level of damage or destruction is so
severe the organization is unable to quickly recover
– It is up to the organization to decide which incidents are to be classified as disasters and thus receive the appropriate level of response
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 30
ILLINOIS INSTITUTE OF TECHNOLOGY
Incident Reaction Incident reaction consists of actions that
guide the organization to stop the incident, mitigate the impact of the incident, and provide information for the recovery from the incident
In reacting to the incident there are a number of actions that must occur quickly including:– notification of key personnel – assignment of tasks– documentation of the incident
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 31
ILLINOIS INSTITUTE OF TECHNOLOGY
Notification of Key Personnel Most organizations maintain alert rosters
for emergencies. An alert roster contains contact information for the individuals to be notified in an incident
Two ways to activate an alert roster: – A sequential roster is activated as a contact
person calls each and every person on the roster– A hierarchical roster is activated as the first
person calls a few other people on the roster, who in turn call a few other people, and so on
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 32
ILLINOIS INSTITUTE OF TECHNOLOGY
The Alert Message
The alert message is a scripted description of the incident, with just enough information so that everyone knows what part of the IRP to implement
Can be prepared rapidly by filling in the blanks in a template included in the IRP
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 33
ILLINOIS INSTITUTE OF TECHNOLOGY
Documenting an Incident Documenting the event is important:
– First, it is important to ensure that the event is recorded for the organization’s records, to know what happened, and how it happened, and what actions were taken. The documentation should record the who, what, when, where, why, and how of the even
– Second, it is important to prove, should it ever be questioned, that the organization did everything possible to prevent the spread of the incident
– Finally, the recorded incident can also be used as a simulation in future training sessions
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 34
ILLINOIS INSTITUTE OF TECHNOLOGY
Incident Containment Strategies Before an incident can be contained, the
affected areas of the information and information systems must be determined
The organization can stop the incident and attempt to recover control through a number of strategies including:– severing the affected circuits– disabling accounts– reconfiguring a firewall– The ultimate containment option, reserved for
only the most drastic of scenarios, involves a full stop of all computers and network devices in the organization
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 35
ILLINOIS INSTITUTE OF TECHNOLOGY
Incident Recovery Once the incident has been contained, and
control of the systems regained, the next stage is recovery
The first task is to identify the human resources needed and launch them into action
The full extent of the damage must be assessed
The organization repairs vulnerabilities, addresses any shortcomings in safeguards, and restores the data and services of the systems
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 36
ILLINOIS INSTITUTE OF TECHNOLOGY
Damage Assessment There are several sources of information:
– including system logs– intrusion detection logs– configuration logs and documents– documentation from the incident response– results of a detailed assessment of systems and
data storage Computer evidence must be carefully
collected, documented, and maintained to be acceptable in formal proceedings
Individuals assessing damage need special training
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 37
ILLINOIS INSTITUTE OF TECHNOLOGY
RecoveryIn the recovery process:
– Identify the vulnerabilities that allowed the incident to occur and spread and resolve them
– Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place. Install, replace or upgrade them
– Evaluate monitoring capabilities. Improve their detection and reporting methods, or simply install new monitoring capabilities
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 38
ILLINOIS INSTITUTE OF TECHNOLOGY
Recovery
In the recovery process:– Restore the data from backups– Restore the services and processes in use– Continuously monitor the system– Restore the confidence of the members of
the organization’s communities of interest– Conduct an after-action review
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 39
ILLINOIS INSTITUTE OF TECHNOLOGY
Automated Response New systems can respond to incidents
autonomously Trap and trace uses a combination of
resources to detect intrusion then trace back to source
Trapping may involve honeypots or honeynets
Entrapment is luring an individual into committing a crime to get a conviction
Enticement is legal and ethical, while entrapment is not
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 40
ILLINOIS INSTITUTE OF TECHNOLOGY
Disaster Recovery Planning Disaster recovery planning (DRP) is planning the
preparation for and recovery from a disaster The contingency planning team must decide which
actions constitute disasters and which constitute incidents
When situations are classified as disasters plans change as to how to respond - take action to secure the most valuable assets to preserve value for the longer term even at the risk of more disruption
DRP strives to reestablish operations at the ‘primary’ site
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 41
ILLINOIS INSTITUTE OF TECHNOLOGY
DRP Steps There must be a clear establishment of
priorities There must be a clear delegation of roles and
responsibilities Someone must initiate the alert roster and
notify key personnel Someone must be tasked with the
documentation of the disaster If and only if it is possible, some attempts
must be made to mitigate the impact of the disaster on the operations of the organization
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 42
ILLINOIS INSTITUTE OF TECHNOLOGY
Crisis Management Crisis management is actions taken during and after
a disaster focusing on the people involved and addressing the viability of the business
The crisis management team is responsible for managing the event from an enterprise perspective and covers: – Supporting personnel and families during the crisis – Determining impact on normal business operations and, if
necessary, making a disaster declaration– Keeping the public informed– Communicating with major customers, suppliers, partners,
regulatory agencies, industry organizations, the media, and other interested parties
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 43
ILLINOIS INSTITUTE OF TECHNOLOGY
Disaster Recovery Planning
Establish a command center to support communications
Includes individuals from all functional areas of the organization to facilitate communications and cooperation
Some key areas of crisis management include:– Verifying personnel head count– Checking the alert roster– Checking emergency information cards
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 44
ILLINOIS INSTITUTE OF TECHNOLOGY
DRP Structure Similar to the IRP, DRP is organized by
disaster, and provides procedures to execute during and after a disaster
Provides details on the roles and responsibilities for those involved in the effort, and identifies the personnel and agencies that must be notified
Just as the IRP must be tested, so must the DRP, using the same testing mechanisms
Each organization must examine its scenarios, developed during the initial contingency planning, to determine how to respond to the various disasters
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 45
ILLINOIS INSTITUTE OF TECHNOLOGY
Business Continuity Planning
Business continuity planning outlines reestablishment of critical business operations during a disaster that impacts operations
If a disaster has rendered the business unusable for continued operations, there must be a plan to allow the business to continue to function
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 46
ILLINOIS INSTITUTE OF TECHNOLOGY
Continuity Strategies There are a number of strategies for
planning for business continuity The determining factor in selection between
these options is usually cost In general there are three exclusive options:
– hot sites– warm sites– cold sites
And three shared functions: – timeshare– service bureaus– mutual agreements
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 47
ILLINOIS INSTITUTE OF TECHNOLOGY
Off-Site Disaster Data Storage To get these types of sites up and running quickly,
the organization must have the ability to port data into the new site’s systems
These include: – Electronic vaulting - The bulk batch-transfer of data to an
off-site facility.– Remote Journaling - The transfer of live transactions to an
off-site facility; only transactions are transferred not archived data, and the transfer is real-time.
– Database shadowing - Not only processing duplicate real-time data storage, but also duplicates the databases at the remote site to multiple servers.
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 48
ILLINOIS INSTITUTE OF TECHNOLOGY
Model for IR/DR/BC Plan
The single document set approach supports concise planning and encourages smaller organizations to develop, test, and use IR/DR plans
The model presented is based on analyses of disaster recovery and incident response plans of dozens of organizations
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 49
ILLINOIS INSTITUTE OF TECHNOLOGY
The Planning Document1. Establish responsibility for managing
the document, typically the security administrator
2. Appoint a secretary to document the activities and results of the planning session(s)
3. Independent incident response and disaster recovery teams are formed, with a common planning committee
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 50
ILLINOIS INSTITUTE OF TECHNOLOGY
The Planning Document
4. Outline the roles and responsibilities for each team member
5. Develop the alert roster and lists of critical agencies
6. Identify and prioritize threats to the organization’s information and information systems
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 51
ILLINOIS INSTITUTE OF TECHNOLOGY
The Planning ProcessThere are six steps in the Contingency Planning process:
1. Identifying the mission- or business-critical functions
2. Identifying the resources that support the critical functions
3. Anticipating potential contingencies or disasters
4. Selecting contingency planning strategies5. Implementing the contingency strategies6. Testing and revising the strategy
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 52
ILLINOIS INSTITUTE OF TECHNOLOGY
Using the Plan
During the incidentAfter the incidentBefore the incident
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 53
ILLINOIS INSTITUTE OF TECHNOLOGY
Contingency Plan
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 54
ILLINOIS INSTITUTE OF TECHNOLOGY
Law Enforcement Involvement When the incident at hand constitutes a violation of
law the organization may determine that involving law enforcement is necessary
There are several questions, which must then be answered:– When should the organization get law enforcement
involved? – What level of law enforcement agency should be involved:
local, state, or federal? – What will happen when the law enforcement agency is
involved? Some of these questions are best answered by the
organization’s legal department
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 55
ILLINOIS INSTITUTE OF TECHNOLOGY
Local, State, or Federal Authorities Selecting the level of law enforcement
depends on the level and type of crime discovered:– The Federal Bureau of Investigation deals with
many computer crimes that are categorized as felonies
– The US Secret Service works with crimes involving US currency, counterfeiting, credit cards, identity theft, and other crimes
– The US Treasury Department has a bank fraud investigation unit and the Securities and Exchange Commission has investigation and fraud control units as well
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 56
ILLINOIS INSTITUTE OF TECHNOLOGY
State Investigative Services Each state has its own version of the FBI
(except Illinois! – interesting story why not) These state agencies arrest individuals,
serves warrants, and generally enforce laws on property that is owned by the state or any state agency
In Illinois, computer crime is the responsibility of the State of Illinois High Tech Crime Bureau, part of the Attorney General’s Office
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 57
ILLINOIS INSTITUTE OF TECHNOLOGY
Local Law Enforcement Local agencies enforce all local and state
laws and handle suspects and security crime scenes for state and federal cases
Local law enforcement agencies seldom have a computer crimes task force, but most investigative (detective) units are capable of processing crime scenes, and handling most common criminal activities and the apprehension and processing of suspects of computer related crimes
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 58
ILLINOIS INSTITUTE OF TECHNOLOGY
Benefits of Law Enforcement Involvement
Involving law enforcement agencies has advantages:– Agencies may be much better equipped at
processing evidence than private organizations
– Unless the organization has staff trained in forensics they may less effective in convicting suspects
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 59
ILLINOIS INSTITUTE OF TECHNOLOGY
Benefits of Law Enforcement Involvement
Involving law enforcement agencies has advantages:– Law enforcement agencies are also
prepared to handle the warrants and subpoenas needed
– Law enforcement skilled at obtaining statements from witnesses, completing affidavits, and other information collection
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 60
ILLINOIS INSTITUTE OF TECHNOLOGY
Drawbacks to Law Enforcement Involvement
Involving law enforcement agencies has disadvantages:– On the downside, once a law
enforcement agency takes over a case, the organization loses complete control over the chain of events
– The organization may not hear about the case for weeks or even months
Tra ns fo rm ing Live s . Inve nting the Future . www.iit.edu
ITM 578 61
ILLINOIS INSTITUTE OF TECHNOLOGY
Drawbacks to Law Enforcement Involvement
Involving law enforcement agencies has disadvantages:– Equipment vital to the organization’s
business may be tagged as evidence, to be removed, stored, and preserved until it can be examined for possible support for the criminal case
– However, if the organization detects a criminal act, it is a legal obligation to involve the appropriate law enforcement officials