Before we close out this chapter, we want to point out one particularly important procedure, namely how to deal with breaches of policy. That procedure must be very specific. Breaches of many security policies must be a fireable offense. Breaches of others are far more minor, and in some cases, only repeated offenses are considered critical. To adequately defend the organization in court, which is where cases of termination due to security policy violations normally end up, an organization probably will need to show that the policy was made clear to the employee, that the treatment is evenhanded, and that it follows generally accepted industry standards. We are not lawyers, and we do not want to pretend to give legal advice. You should include legal counsel in the policy and process definitions to ensure that they follow the legal requirements in your locale. You should also not try to do forensics on your own. Forensics is a very specialized security area that requires expertise. This book is limited to dealing with how to prevent having to do forensics in the first place, not how to do it. If you are interested in forensics, start by reading http://www.cio.com/research/security/incident_response.pdf and http://www.ncjrs.org/pdffiles1/nij/187736.pdf.