Following Notification Procedures
As a cyber forensics investigator, you normally need to follow two notification life cycles. The first covers notification of external parties outside your organization. The second covers the notification procedures handled internally, which were discussed earlier.
Regarding external notification procedures, the first thing to understand is that they may be governed by several laws and compliance regulations. Generally, federal and regulatory laws supersede all other requirements, so you may not want to disclose certain information but may be legally required to do so. Additionally, investigators generally need to take the cumulative and most transparent approach to procedures. Take, for example, California, which passed legislation in 2002 that required more transparency and notifications for breaches affecting California residents. The laws effectively forced organizations to be transparent about breaches with all their customers. The interesting aspect of this case is that federal law did not require certain types of disclosures, but state law enforced this practice. Typically, federal law in the United States supersedes state law, but in this example organizations in California are affected more heavily by the state law. It is important to understand and consider how exposure laws are viewed where your organization is located.
To generalize disclosure laws, they typically follow this order of precedence:
Federal law supersedes state law.
State law supersedes city/county laws.
City/county laws supersede organization/company guidelines.
Organization/company guidelines govern cyber forensic investigation procedures.
Finally, in some cases immediate disclosure must be made and law enforcement must be engaged, regardless of laws or jurisdiction. These cases normally involve anything that may pertain to endangerment issues or to threats or acts that affect national security. You will probably know when these situations occur because of the legal and federal groups that want to get involved. Also, some laws may force you to disclose more data than was likely lost. In these situations, the forensic investigator highlights areas that were likely exposed to the breach. Sometimes a law states that if breached systems were able to reach other networks, all those systems must also be reported as compromised even though there isn’t evidence suggesting they were compromised. This is why some breaches that go public report large amounts of data as lost. The reality could be a lot less data; however, certain laws force the organization to include any system that could be reached by the identified breached systems.
We have focused heavily on external notification, but internal notification for an incident is just as important. Internal notification keeps stakeholders informed of all procedures and helps employees understand what occurred and what they should and should not disclose about a situation. We recommend a schedule, as described earlier, be set to keep internal teams notified of updates. In many cases, an IRT may have a dedicated communications person assigned to handle updates.