---
title: 'Lecture 10 Corporate Investigation'
disqus: hackmd
---

:::info
ST2502 Computer Law & Investigation
:::

Lecture 10 Corporate Investigation
===

<style>
img{
    /* border: 2px solid red; */
    margin-left: auto;
    margin-right: auto;
    width: 80%;
    display: block;
}
</style>

## Table of Contents
[TOC]

Criminal VS Corporate Investigation
---

![](https://i.imgur.com/z8KqrBc.png)

### Criminal Investigation
- the Technology Crime Forensics Branch (TCFB) deals with
    - computer crimes
        - e.g. tampering with files and unauthorised access
    - general offences where technology is used in committing or abetting the crime
    - technology-based commercial crimes
        - e.g. online share fraud

#### Private Criminal Investigation
- criminal investigation and prosecution do not need to be carried out by the police alone
- victims of criminal activities can also proceed to prosecute cases themselves
- such cases normally refer to non-injury cases like
    - IT-related offences such as infringement of copyright and trademarks
    - computer crimes
- such cases would be prosecuted by private individuals, AKA magistrate's complaints
- Section 12 of the Criminal Procedure Code
    - the Public Prosecutor may, by fiat (formal authorisation) and on such terms and conditions as he sees fit, permit any person to prosecute on that person's own behalf any particular offence punishable under the Penal Code (Cap 224) or any other written law
    - or to pursue any further proceedings in such a prosecution
    - AKA the Public Prosecutor's fiat

### Corporate Investigation
- AKA non-criminal investigation
- some consider these low-level investigations
- however, this does not mean they need less effort or are of less importance than a criminal case
- computer forensics is usually required in the following areas
    - commercial fraud cases, like investigation of libel and slander
    - defamation cases, like email investigation of libel and slander
    - dishonesty among employees using company resources, or sending spam using corporate accounts

Sources of Law
---
- do corporate personnel and their agents have the right to conduct forensics on another employee's computer resources?
- the following documents are critical
    - computer user policy agreement / corporate security policy
    - privacy laws and data protection code (PDPA)
    - ISO 17799

### ISO 17799
- ISO: International Organization for Standardization
- a comprehensive set of controls comprising best practices in information security
- 2 parts
    - code of practice: ISO 17799
    - specification for an information security management system: BS7799-2
- basically an internationally recognised generic information security standard

#### Objectives
- intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce
- essentially the facilitation of trading in a trusted environment
- established as the major standard for information security
- when creating new policies etc., ensure they cover all ISO 17799 issues

#### Contents
- business continuity planning
    - to counteract interruptions to business activities and critical business processes from the effects of major failures or disasters
- system access control
    - to control access to information and prevent unauthorised access to information systems
- system development and maintenance
    - to prevent loss, modification or misuse of user data in application systems, and to protect the confidentiality, authenticity and integrity of information
- physical and environmental security
    - prevent unauthorised access, damage and interference to business premises and information
    - to prevent loss, damage or compromise of assets and interruption to business activities
    - prevent compromise or theft of information and information processing facilities
- compliance
    - avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations, and of any security requirements
    - ensure compliance of systems with organisational security policies and standards
- personnel security
    - reduce the risks of human error, theft, fraud or misuse of facilities
    - ensure users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work
    - to minimise damage from security incidents and malfunctions, and learn from them
- security organisation
    - manage information security within the company
    - maintain the security of information when responsibility for information processing is outsourced to another organisation
- computer and network management
    - minimise the risk of system failures and protect the integrity of software and information
- asset classification and control
    - maintain appropriate protection of corporate assets
    - ensure information assets receive an appropriate level of protection
- security policy
    - provide management direction and support for information security

### User Policy Agreement (UPA)
- most companies have a UPA
- it should be properly drafted to protect the company from liability and to allow the company to conduct investigations appropriately
- however, most UPAs are not well drafted to deal with the relevant scope needed to protect the interests of the company

#### Common UPA
- define computer resources
    - defined as human resources and all facilities and functions of a computer system
    - mainframe, distributed/workstation and all processing environments
- prohibitions
    - use limited to organisation-related work
    - no contravention of the Copyright Act, CMA & CA, Films Act, Penal Code, Undesirable Publications Act, Common Gaming Houses Act, Indecent Advertisements Act, Maintenance of Religious Harmony Act
- powers to investigate and enforcement procedures
    - use of covert surveillance
    - search for information on all computer resources
    - dispense with the right of privacy
- dispute resolution
    - who is the final arbitrator of disputes?
    - sole decision of the Chief Executive Officer, Chief Technology Officer, a member of the Board of Directors, or mediators from the Singapore Mediation Centre
    - the decision shall be final and conclusive

Balancing Security & Privacy
---
- many unresolved issues and problems
    - privacy law in Singapore?
        - PDPA
        - law of confidential information
    - is it right to tilt the balance against privacy in the interest of security?

###### tags: `CLI` `DISM` `School` `Notes`