What evidentiary principle states that a written contract is assumed to contain all of the terms

employees sign an agreement that provides consent to search and seize any necessary evidence during an investigation. In this manner, consent is provided as a term of the employment agreement. This makes confiscation much easier and reduces the chances of a loss of evidence while waiting for legal permission to seize it. Make sure your security policy addresses this important topic.

Incident Data Integrity and Retention

No matter how persuasive evidence may be, it can be thrown out of court if you change it during the evidence collection process. Make sure you can prove that you maintained the integrity of all evidence. Chapter 17, “Law and Investigations,” includes more information on evidence rules.

But what about the integrity of data before it is collected? You may not detect all incidents as they are happening. Sometimes an investigation reveals that there were previous incidents that went undetected. It is discouraging to follow a trail of evidence and find that a key log file that could point back to an attacker has been purged. Carefully consider the fate of log files or other possible evidence locations. A simple archiving policy can help ensure that key evidence is available upon demand no matter how long ago the incident occurred.

Because many log files can contain valuable evidence, attackers often attempt to sanitize them after a successful attack. Take steps to protect the integrity of log files and to deter their modification. One technique is to implement remote logging. Although not a perfect solution, it does provide some protection from post-incident log file cleansing.

Another important forensic technique is to preserve the original evidence. Remember that the very conduct of your investigation may alter the evidence you are evaluating. Therefore, it’s always best to work with a copy of the actual evidence whenever possible.
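The following Python example is added here and is not from the original text; it shows one way to work from a copy while being able to prove that the copy matched the original at acquisition and to detect any later change. The file names, manifest fields and examiner label are assumptions chosen for illustration, and the sample image is constructed.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large disk image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def acquire_working_copy(original, workdir, examiner):
    """Hash the original, copy it, confirm the copy matches, write a manifest."""
    original, workdir = Path(original), Path(workdir)
    original_hash = sha256_file(original)
    copy_path = workdir / (original.name + ".working")
    shutil.copyfile(original, copy_path)
    if sha256_file(copy_path) != original_hash:
        raise RuntimeError("working copy does not match the original")
    manifest = {"source": original.name, "sha256": original_hash,
                "size_bytes": original.stat().st_size, "examiner": examiner,
                "acquired_utc": datetime.now(timezone.utc).isoformat()}
    manifest_path = workdir / (original.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return copy_path, manifest_path

def verify_against_manifest(path, manifest_path):
    """True only if the file still has the size and hash recorded at acquisition."""
    manifest = json.loads(Path(manifest_path).read_text())
    return (Path(path).stat().st_size == manifest["size_bytes"]
            and sha256_file(path) == manifest["sha256"])

def demo():
    """Run the workflow on a small constructed stand-in for a disk image."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "evidence.img"
        image.write_bytes(b"\x00" * 4000 + b"constructed sample sector data")
        copy_path, manifest_path = acquire_working_copy(image, tmp, "examiner-placeholder")
        intact = verify_against_manifest(copy_path, manifest_path)
        with open(copy_path, "r+b") as fh:  # simulate analysis altering the copy
            fh.seek(10)
            fh.write(b"\x01")
        altered = verify_against_manifest(copy_path, manifest_path)
        return intact, altered, verify_against_manifest(image, manifest_path)
```

Calling `demo()` returns the verification result for the fresh copy, for the copy after a one-byte change, and for the untouched original.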
For example, when conducting an investigation into the contents of a hard drive, make an image of that drive, seal the original drive in an evidence bag, and then use the disk image for your investigation.

As with every aspect of security planning, there is no single solution. Get familiar with your system and take the steps that make the most sense for your organization to protect it.

Reporting Incidents

When should you report an incident? To whom should you report it? These questions are often difficult to answer. Your security policy should contain guidelines on answering both questions.

There is a fundamental problem with reporting incidents. If you report every incident, you run the very real risk of being viewed as a noisemaker. When you have a serious incident, you may be ignored. Also, reporting an unimportant incident could give the impression that your organization is more vulnerable than is the case. This can have a serious detrimental effect for organizations that must maintain strict security. For example, hearing about daily incidents from your bank would probably not instill additional confidence in their security practices.

On the other hand, escalation and legal action become more difficult if you do not report an incident soon after discovery. If you delay notifying authorities of a serious incident, you will probably have to answer questions about your motivation for delaying. Even an innocent person could look as if they were trying to hide something by not reporting an incident in a timely manner.

As with most security topics, the answer is not an easy one. In fact, you are compelled by law or regulation to report some incidents. If your organization is regulated by a government authority and the incident caused your organization to deviate from any regulation, you must report the incident. Make sure you know what incidents you must report.
For example, any organization that stores personal health information must report any incident in which disclosure of such information occurred.

Before you encounter an incident, it is very wise to establish a relationship with your corporate legal personnel and the appropriate law enforcement agencies. Find out who the appropriate law enforcement contacts are for your organization and talk with them. When the time comes to report an incident, your efforts at establishing a prior working relationship will pay off. You will spend far less time in introductions and explanations if you already know the person with whom you are talking.

Once you determine to report an incident, make sure you have as much of the following information as possible:

- What is the nature of the incident, how was it initiated, and by whom?
- When did the incident occur? Be as precise as possible with dates and times.
- Where did the incident occur?
- If known, what tools did the attacker use?
- What was the damage resulting from the incident?

You may be asked to provide additional information. Be prepared to provide it in as timely a manner as possible. You may also be asked to quarantine your system. As with any security action you take, keep a log of all communication and make copies of any documents you provide as you report an incident.

Ethics

Security professionals with substantial responsibilities are held to a high standard of conduct. The rules that govern personal conduct are collectively known as rules of ethics. Several organizations have recognized the need for standard ethics rules, or codes, and have devised guidelines for ethical behavior.

We present two codes of ethics in the following sections. These rules are not laws. They are minimum standards for professional behavior. They should provide you with a basis for sound, ethical judgment. Any security professional should be expected to abide by these guidelines regardless of their area of specialty.
Make sure you understand and agree with the codes of ethics outlined in the following sections.

(ISC)² Code of Ethics

The governing body that administers the CISSP certification is the International Information Systems Security Certification Consortium (ISC)². The (ISC)² Code of Ethics was developed to provide the basis for CISSP behavior. It is a simple code with a preamble and four canons. Here is a short summary of the major concepts of the Code of Ethics.