Abstract
Should an organization inform law-enforcement officials when it discovers evidence of
unauthorized activity in its information systems processing operations? Deciding how to
answer that question depends on some considerations. Information systems security professionals
should address the issue before to decide how to resolve it arises.
Building in law-enforcement agency personnel can create problems for the organization. A criminal
investigationmy drap on for some time. During this time, much of the organization's information
systems security resources could be tied up in responding to requests for information, helping
with teh investigation, and then appearing in court. However, not informing the appropriate law-
enforcement officials may lead to other types of problems for the organization. These problems
could include civil or criminal litigation, denial by its insurers of recompense for incurred losses,
and the imposition of penalties for breach of statutory requirments.
Keywords
Audit, Control, Security, Newsletter