Appendix K: Investigative Workflow

Introduction

From the time when the initial event occurs, organizations must follow a consistent and repeatable process that encompasses several stages of information gathering (ie, preserving digital evidence, conducting interviewing), communication (ie, stakeholder reporting, escalations), and documentation (ie, standard operating procedures, incident/case management knowledgebase).

The goal of following a logical investigative process is to reduce the possibility for quick and uninformed decisions to be made at any time. However, understanding that the context of every investigation can be uniquely different, the logical workflow should still provide organizations with the ability to make the best and the most educated decision for what actions are performed next.

The investigative workflow illustrated in Figures K.1–K.4 encompasses each business risk scenario as discussed further in chapter “Define Business Risk Scenarios.” While the specific business risk naming conventions have not been used in the workflow that follows, the methodology and approach takes into consideration the workflow and activities required to address each risk scenario as they occur.

Figure K.1 Investigative workflow—process initiation.

Figure K.2 Investigative workflow—volatile data process. PCA, public/corporate affairs.

Figure K.3 Investigative workflow—targeted forensic process. HR, human resources; ER, employee relations; PCA, public/corporate affairs.

Figure K.4 Investigative workflow—broad audit process. PCA, public/corporate affairs.

Taxonomy

1 BOT (short for “robot”) is a application that operates as an agent for a user, on behalf of another application, or to simulate human activity.