What has and has not been done with the original evidence


Assignment: Implementing and Enforcing Company Policy

To effectively implement such policies, the company needs to inform each employee of the company policy. Employees who use company resources such as the Internet or computer systems for personal use not only violate company policies but also waste resources, time, and money. To take care of company policy violations, forensic examiners or investigators are called in to perform internal investigations. As a computer forensic professional, an investigator has to gather the evidence from the suspect's computer and determine whether a crime or violation of the company policy has occurred. An investigator should follow a standard methodology for investigating company policy violations.

The motive behind company policy violation investigation is not always to take punitive steps. Sometimes, employees just need to be educated, as they might not be aware of the fact that they are violating company policy. If the problem persists, however, the company can take strict action against those employees who continue to violate company policy.

Policy Violation Case Example

Mike is suspected of conducting his own business using a company computer.

• Situation: Employee abuse case

• Nature of the case: Side business

• Specifics about the case: The employee is reportedly conducting a side business on his computer.

• Type of evidence: USB flash drive

• OS: Windows 7

• Known disk format: FAT32

• Location of evidence: The disk that a manager found near Mike's computer; the manager had received complaints from Mike's co-workers that he was spending too much time on his own business and not performing his assigned work duties.

Based on case details, you can determine the case requirements:

• Type of evidence: Mike was conducting his own business using his employer's computer.
• Computer forensics tools: Tools for duplicating the USB flash drives and finding deleted and hidden files
• Special operating systems: Any operating systems that had been installed on company computers by the suspect

Chain-of-Evidence Form

The chain-of-evidence form documents what has and has not been done with both the original evidence and any forensic copies of the evidence.

The information contained in such a form, including some not shown in the example, is explained below:

• Case number: The number of the case being investigated. Each case has a different case number, and this number is assigned by the organization to which an investigator belongs.

• Investigating organization: The name of the organization investigating the case.

• Investigator for the case: The name of the investigator who is dealing with the case. It may happen that a certain case requires more than one investigator; in such cases, this field contains the name of the lead investigator.

• Nature of the case: A short description of the case. If an employee violates the company policy, then the nature of the case is "Employee Policy Violation Case."

• Description of the evidence: Contains information about the type of evidence collected.

• Evidence recovered by: The name of the investigator who recovered the evidence. This is the building block for chain of custody. Chain of custody is a method of documenting the history and possession of a sample from the time of its collection to its final disposition. It is the responsibility of the person who recovers the evidence to ensure that nothing damages the evidence and no one tampers with it. The investigator is responsible for the transportation, security, and preservation of evidence.

• Date and time: The date and time when the evidence was taken into custody.

• Location from which the evidence was recovered: The location where the evidence was discovered. In the case of multiple pieces of evidence, a new form is created for each different location.

• Evidence processed by item number: When the evidence is processed and analyzed by an investigator, the name of the person who handled and processed it on a particular date and time is written here.

• Evidence placed in the locker: Contains information about which secure evidence container is being used to store the evidence and when the evidence was placed in it.

• Item/evidence processed by/Disposition of evidence/Date/Time: Contains the investigator's name, the specific item number of the evidence, and a description of what was performed when an investigator obtains the evidence for processing and analysis.

• Page number: Contains the page number of the form. The page number is specified in the format "Page x of y."

• Name of vendor: The name of the manufacturer of the evidence. For example, if the evidence is a floppy disk, its manufacturer could be Imation or IBM.

• Model or serial number: The model number or serial number of the computer component. Most computer components have model numbers rather than serial numbers. Single pieces of computer equipment can have different model numbers, and as technology is upgraded, new features are added to existing equipment.
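The form fields above can be kept as a structured record and checked before the form is filed. The following is an added example, not part of the original assignment: the dict layout, the field names, the timestamp format and the SHA-256 seal are assumptions, and the sample values are constructed from the case described earlier.

```python
import hashlib
import json
import re
from datetime import datetime

# Field names follow the form described above; the dict layout is an assumption.
REQUIRED = ("case_number", "investigating_organization", "investigator",
            "nature_of_case", "evidence_description", "recovered_by",
            "recovered_at", "recovered_location", "vendor", "model_or_serial",
            "page")
PAGE_RE = re.compile(r"^Page (\d+) of (\d+)$")

def validate(form):
    """Return a list of problems found in one chain-of-evidence form."""
    problems = [f"missing field: {k}" for k in REQUIRED if not form.get(k)]
    m = PAGE_RE.match(form.get("page") or "")
    if not m or not 1 <= int(m.group(1)) <= int(m.group(2)):
        problems.append('page must read "Page x of y" with 1 <= x <= y')
    # Custody starts at recovery; every later handling step must follow in order.
    last = datetime.fromisoformat(form["recovered_at"]) if form.get("recovered_at") else None
    for i, e in enumerate(form.get("processing", []), 1):
        for k in ("item", "processed_by", "disposition", "at"):
            if not e.get(k):
                problems.append(f"entry {i}: missing {k}")
        if e.get("at"):
            at = datetime.fromisoformat(e["at"])
            if last and at < last:
                problems.append(f"entry {i}: timestamp precedes previous custody event")
            last = at
    return problems

def seal(form):
    """SHA-256 over a canonical JSON encoding, so later edits to the record show up."""
    return hashlib.sha256(json.dumps(form, sort_keys=True).encode()).hexdigest()

# Constructed sample based on the case above; all values are illustrative.
SAMPLE = {
    "case_number": "EXAMPLE-001", "investigating_organization": "Example Corp IT Security",
    "investigator": "J. Doe", "nature_of_case": "Employee Policy Violation Case",
    "evidence_description": "USB flash drive, FAT32", "recovered_by": "J. Doe",
    "recovered_at": "2024-01-10T09:30", "recovered_location": "Desk near suspect's computer",
    "vendor": "ExampleVendor", "model_or_serial": "MODEL-PLACEHOLDER", "page": "Page 1 of 1",
    "processing": [
        {"item": 1, "processed_by": "J. Doe", "at": "2024-01-10T11:00",
         "disposition": "Forensic copy made; original placed in locker"},
        {"item": 1, "processed_by": "J. Doe", "at": "2024-01-11T10:00",
         "disposition": "Copy searched for deleted and hidden files"},
    ],
}
```

Recording the value returned by `seal` alongside the filed form lets a reviewer recompute it later and see whether any field or processing entry was changed after filing.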

Format your assignment according to the following formatting requirements:

1. The answer should be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides.

2. The response also includes a cover page containing the title of the assignment, the student's name, the course title, and the date. The cover page is not included in the required page length.

3. Also include a reference page. Citations and references should follow APA format. The reference page is not included in the required page length.
