Domain 1 of 8 · Chapter 5 of 12

Investigation Types

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • The five investigation types and why the type is decided first
  • Standards of proof and chain of custody by type
  • Exam-pattern recognition

The five investigation types: who runs it, the proof standard, and what is at stake

DimensionAdministrativeCivilCriminalRegulatory / Industry-standards
Who initiatesThe organization itselfA private plaintiffGovernment / prosecutorOversight agency or contractual framework (e.g. PCI DSS)
Standard of proofInternal management judgment (lowest)Preponderance of the evidence (>50%)Beyond a reasonable doubt (highest)Agency- or framework-defined (often administrative/civil-level)
Typical outcomeDiscipline, termination, policy changeMonetary damages or injunctive reliefFines, probation, imprisonmentPenalties, sanctions, fines, loss of standing
Evidence / process rigorAcceptable-use policy and consent bannersDiscovery / e-discovery between partiesWarrant, search-and-seizure rules, strict chain of custodyThe body's prescribed procedures and reporting deadlines

Decision tree

Could the outcome be criminalpunishment (imprisonment)?YesCriminalbeyond a reasonable doubtNoGovernment oversight agencyenforcing its rules?YesRegulatoryagency-defined levelNoPrivate contractual framework(e.g. PCI DSS)?YesIndustry-standardsframework-defined levelNoPrivate party suing fordamages or relief?YesCivilpreponderance of the evidenceNoAdministrative (internal)internal management judgmentAlways: preserve evidence and chain of custody to the highest standard that might plausibly applytypes are not mutually exclusive; one incident can trigger several at once

Cheat sheet

  • Classify the investigation type before touching evidence
  • There are exactly five investigation types: administrative, criminal, civil, regulatory, industry-standards
  • Administrative investigations use the lowest bar: internal management judgment
  • Civil cases are decided on a preponderance of the evidence
  • Criminal cases require proof beyond a reasonable doubt, the highest standard
  • The standard of proof rises with what the subject stands to lose
  • Regulatory and industry-standards investigations sit at agency- or framework-defined levels, not a new higher bar
  • PCI DSS is the industry-standards example, not a government regulation
  • Chain of custody is the unbroken documented record proving evidence was not altered
  • Chain-of-custody rigor scales with the standard of proof; criminal is strictest
  • Preserve evidence to the highest standard that might plausibly apply
  • Employers gain search authority through acceptable-use policy and warning banners, not a warrant
  • When an incident may be a crime, preserve evidence and involve counsel before remediating
  • Forensic technique is shared across types; only the legal process differs
  • Civil parties exchange evidence through discovery, not seizure
  • The five types are not mutually exclusive and can run in parallel
  • Acquire forensic evidence with a write blocker and verify with a hash

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response Whitepaper
  2. NIST Glossary: chain of custody Whitepaper