1.5 Domain 1 · Security & Risk Management

Investigation Types

Understand requirements for investigation types — administrative, criminal, civil, regulatory, industry standards

The Concept

There are five investigation types, and each one determines three critical things: the standard of proof required, who leads the investigation, and what happens to the subject.

Administrative — internal HR matter, lowest evidence bar
Criminal — law enforcement leads, highest evidence bar
Civil — legal dispute between parties
Regulatory — external government or regulatory body
Industry — compliance auditor (PCI QSA, SOC 2, etc.)

Getting the type wrong can compromise the entire case. If you handle a criminal matter as an administrative investigation, you may contaminate the evidence chain and make prosecution impossible.

At a mature organization, each investigation type follows a distinct process:

  • Administrative — HR leads the investigation. Standard of proof is preponderance of evidence (more likely than not). Outcome: termination, suspension, or policy remediation. No law enforcement involvement required.
  • Criminal — Law enforcement leads. Standard of proof is beyond reasonable doubt — the highest bar. Chain of custody is absolutely critical. The security team preserves evidence and cooperates but does not lead. Outcome: prosecution, fines, imprisonment.
  • Civil — Legal counsel leads. Standard of proof is preponderance of evidence. Typically involves lawsuits between parties — breach of contract, negligence, intellectual property disputes. Outcome: monetary damages, injunctions.
  • Regulatory — An external regulatory body leads (HIPAA OCR, SEC, FTC, GDPR DPA). The organization cooperates and provides evidence. Outcome: fines, consent decrees, mandatory remediation plans.
  • Industry — A qualified assessor or auditor leads (PCI QSA, SOC 2 auditor, ISO auditor). Standard: compliance with the specific framework requirements. Outcome: certification, remediation requirements, loss of certification.

Notice: the security team never leads a criminal investigation and never makes prosecution decisions. Your job is to preserve evidence and cooperate with the appropriate authority.

Type           | Standard of Proof         | Led By                   | Example                              | Key Concern
Administrative | Preponderance of evidence | HR / Management          | AUP violation, policy breach         | Due process, documentation
Criminal       | Beyond reasonable doubt   | Law enforcement          | Data theft, fraud, hacking           | Chain of custody, evidence preservation
Civil          | Preponderance of evidence | Legal counsel            | Breach of contract, IP theft lawsuit | Discovery obligations, litigation hold
Regulatory     | Varies by regulation      | External regulatory body | HIPAA audit, GDPR investigation      | Mandatory cooperation, penalties
Industry       | Framework compliance      | QSA / Auditor            | PCI DSS assessment, SOC 2 audit      | Certification status, remediation
Key Takeaway

Evidence standard determines everything. Criminal investigations require “beyond reasonable doubt” — the highest bar. Administrative and civil both use “preponderance of evidence” (51% likely). If you start administrative and it escalates to criminal, any evidence mishandled under the lower standard may be inadmissible.

You’re the security manager at a mid-size e-commerce company. An alert fires: an employee in the database team has been running unusual queries against the customer payment table after hours.

Scenario
The Suspicious Queries
E-commerce · 50K customer records · PCI environment
HR Director: “Let’s handle this quietly. We’ll do an internal investigation, and if they did it, we fire them. No need to involve the police.”
Legal Counsel: “Hold on. If this involves customer credit card data, we may have mandatory breach notification obligations. This isn’t just an HR matter anymore.”
You: “We need to preserve evidence as if this is criminal — chain of custody from the start. If we handle it as administrative and it turns out to be criminal, we’ve contaminated our evidence.”
HR Director: “But a criminal investigation means publicity. The board won’t like that.”
You: “The board will like it even less if we can’t prosecute because we destroyed the evidence chain trying to keep it quiet.”
Compensating Control

Preserve evidence at the highest standard first. You can always downgrade from criminal to administrative. You cannot upgrade from administrative to criminal after mishandling evidence. When in doubt, treat it as criminal until legal counsel advises otherwise.
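What “preserve evidence at the highest standard first” looks like in practice, as an added example that is not part of the original page: a minimal tamper-evident chain-of-custody record in Python, where each custody entry carries the SHA-256 of the evidence and the hash of the previous entry. The class name, case id and the sample query-log line are all constructed for illustration; a real case would follow your organization’s evidence-handling procedure and forms.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first custody entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Tamper-evident chain-of-custody record for one case (illustrative).
    Each entry stores the SHA-256 of the evidence it covers plus the hash of the
    previous entry, so editing, reordering or deleting an entry breaks verify_chain()."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []

    @staticmethod
    def _entry_hash(body: dict) -> str:
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, action: str, custodian: str, evidence_id: str,
               evidence: bytes, when: str) -> dict:
        """Append one custody event (acquire, transfer, analyse); caller supplies the timestamp."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"case_id": self.case_id, "action": action, "custodian": custodian,
                "evidence_id": evidence_id, "evidence_sha256": sha256_hex(evidence),
                "timestamp": when, "prev_hash": prev}
        entry = dict(body, entry_hash=self._entry_hash(body))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True if every entry hashes correctly and links to its predecessor."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or self._entry_hash(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def evidence_unchanged(self, evidence_id: str, current: bytes) -> bool:
        """Does the item still match the hash recorded when it was first acquired?"""
        first = next((e for e in self.entries if e["evidence_id"] == evidence_id), None)
        return first is not None and first["evidence_sha256"] == sha256_hex(current)

# Constructed sample evidence: one line of an after-hours DB query log (not real data)
QUERY_LOG = b"2024-05-01T02:13:07Z dbuser SELECT * FROM customer_payment\n"
```

If the log is later “cleaned up” or a custody entry is edited, `evidence_unchanged()` and `verify_chain()` return False, which is exactly the gap that cannot be closed after the fact when a matter escalates from administrative to criminal.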

Real Talk — Career Context

In practice, organizations often want to “handle it quietly.” The pressure to avoid publicity is real. But the security professional’s job is to protect the organization — and that means preserving the option for criminal prosecution even if leadership hasn’t decided to pursue it yet.

On the exam: When a question involves potential criminal activity, the answer that involves law enforcement and proper evidence handling is almost always correct. “Handle it internally” is usually the wrong answer.

Hard Choice

You discover an employee has been exfiltrating customer data. Your CEO says “handle it quietly — fire them and move on.” But the data includes PII of 50,000 customers, and your state has mandatory breach notification laws.

Option A
Administrative investigation + termination

Quick, quiet, minimal disruption. Fire the employee, patch the vulnerability, notify no one externally.

Option B
Involve law enforcement, begin criminal investigation

Slower, public risk, but preserves chain of custody and meets breach notification obligations.

Option B is correct — the scale triggers legal obligations you cannot ignore

Option B: With 50,000 customer PII records involved, mandatory breach notification laws almost certainly apply. Administrative handling alone will not preserve evidence to the criminal standard (“beyond reasonable doubt”). Law enforcement involvement ensures proper chain of custody and demonstrates the organization acted responsibly — which matters when regulators review your response.

Option A’s kernel of truth: Speed matters, and terminating access quickly is correct. But “notify no one externally” violates breach notification laws. The termination can happen alongside the criminal investigation — these aren’t mutually exclusive.

On the exam: when the scenario involves large-scale PII exposure, the answer always includes external notification and proper investigation procedures. “Handle it quietly” is a distractor.

Common Traps

“Handle it internally first”
If it’s criminal, internal handling destroys chain of custody. You cannot go back and recreate a proper evidence chain after the fact. When there’s any indication of criminal activity, preserve evidence at the criminal standard from the beginning — even if the final decision hasn’t been made yet.
Why it’s tempting: It feels responsible to “gather facts first.” But gathering facts without proper chain of custody contaminates them.
“Higher evidence standard is always better”
The standard of proof matches the investigation type, not a universal preference. Administrative investigations use preponderance of evidence — requiring “beyond reasonable doubt” for an HR matter would make it nearly impossible to act on policy violations. Each type has the appropriate standard for its context.
Why it’s tempting: “Beyond reasonable doubt” sounds more rigorous and thorough. But applying it everywhere paralyzes the organization.
“Security team leads all investigations”
Criminal investigations are led by law enforcement, not the security team. Regulatory investigations are led by the regulatory body. The security team’s role is to preserve evidence, cooperate, and provide technical expertise — not to lead the investigation or make prosecution decisions.
Why it’s tempting: Security professionals naturally want to own incident response. But “leading” a criminal investigation without authority can compromise it.
Exam Signal

When you see potential criminal activity in a question: the answer always involves law enforcement and proper evidence preservation. The security team’s first job is to preserve evidence — disable accounts, capture logs, maintain chain of custody. Never confront the suspect (tips them off), never begin forensic analysis without proper authority, and never “handle it quietly.”

Quick Check — End of 1.5
An employee is suspected of committing fraud using company systems. What should the security team do FIRST?
  • A Disable the account and preserve logs
  • B Confront the employee
  • C Begin forensic analysis
  • D Notify law enforcement

Correct: A. Preserve evidence first — disable the account to prevent further damage and capture logs before they can be altered. Then involve law enforcement. Confronting the employee (B) tips them off and gives them time to destroy evidence. Forensic analysis (C) should wait for proper authority and chain of custody procedures. Law enforcement notification (D) is critical but happens after evidence is preserved — you need something to hand them.

Disclaimer: This content is provided for educational and exam preparation purposes only. It is not official ISC2 content, is not endorsed by ISC2, and does not guarantee exam success. All practice questions are original and based on published exam objectives. Always refer to the official ISC2 CISSP Exam Outline as your primary reference.