The first thing to do is investigate the issue. Locking down devices and/or denying data access to suspected staff members is one way to go, but that would be a sure tip-off. In most cases, monitoring employee activity and building a case is the most productive plan of action. Keep in mind, this should not be done alone: legal and HR groups need to be involved to make sure any remediation, sanction or other activity is handled legally...
and within corporate policies.
Once enough information is gathered to prove foul play, then it will be up to the powers that be to handle the situation. Depending on the nature of the transgression, law enforcement may be brought in. In all cases, the documentation and other information that was used to build the case will need to be provided.
Prosecuting an incident is one of the worst parts of being in the security business. But it's critical and unfortunately it's usually best to make a public example of the transgression. You may or may not believe in the power of a "public execution" as a deterrent to future bad behavior – but I do. I've seen it work.
For more information:
Dig deeper on Information Security Incident Response-Detection and Analysis
Related Q&A from Mike Rothman, Contributor
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ...continue reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ...continue reading
When developing software securely, what role does gap analysis play? In this security management expert response, learn how to implement gap analysis...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.