The University of Sheffield
Corporate Information and Computing Services

Investigation of Incidents

On occasion, Administrators may be involved in the investigation of security breaches, complaints or other incidents. Under such circumstances, Administrators may be asked to take actions beyond those described in this charter. Some of these situations are noted in the charter itself. Such activities may well have legal implications for both the individual and the organisation, for example under the Human Rights Act.
In all cases the Administrator must seek individual authorisation from Management for the specific action they need to take. Departments need to define the level of staff empowered to authorise an investigation (the list for CICS appears in Annex 2). Departments need to balance the serious consequences which can arise if powers are misused against the common need for timely action.
In dealing with a potential disciplinary case, Personnel Services or Students Services should be involves, as appropriate. Where there is the possibility of there being a serious breach of the law, the University Security Advisor should be approached before an investigation takes place. CiCS can provide advice on handling such investigations and related matters such as the securing of evidence and the interpretation of log files.
Keeping good records, preferably against a pre-prepared checklist (Annex 1), will help to protect the Administrator and the institution from any charge of improper actions. When investigating complaints, the implication of any evidence should be carefully considered. For example it is quite simple for email addresses to be forged. It is possible that, though something was apparently done from a specific machine or account, the normal user was not the person involved. The records may not tell the full story and may not even be complete or accurate.
It is important to consider how best to handle an investigation and the proper role of the Administrator. For example in the case of an abusive email, the use of a computer is really incidental, and the matter would normally be best handled as a case of Harassment with the Administrator providing information as requested. However in the event of a security breach the investigation may need to be handled by an Administrator who would have a full understanding of the nature of the breach and the import of evidence collected.
Considerable technical efforts are put into security: firewall, passwords, controlled access to systems and monitoring for attempted intrusion. However in all this it is often human beings that are the weakest link. When discussing privileged information of any kind, the Administrator needs to ensure that the person requesting the information has the right to have it. This is particularly important in respect of dealings with outside organisations. Somebody purporting to be from say the Police particularly on the phone may not be, so the Administrator must always establish that they are not only dealing with who the person claims, but also that the Administrator is authorised to talk to them. Investigations must always be kept confidential to those who have the need to know.