Security Investigations Policy

This Rules/Policy document is provided to you and your organization as a starting point or maturity checkpoint for existing rules/policies. It is brought to you on behalf of Jim McConnell, Principal Owner, and Ask McConnell, LLC — A Converged Security Services Provider. The content is not meant to cover every circumstance, industry, law, regulation, contractual requirement, threat, environment, or risk, but it provides an easy, defendable, highly accountable starting point for any organization. Please consult with your legal counsel and insurance provider about added requirements. If you know of peers who you think would find value in these resources, please have them contact us. These will be updated on our website regularly. We are not legally protecting these documents; we just ask for credit, shout-outs, and referrals if you find them helpful. If you have recommended updates, we are all ears. And if you need Converged Security Consulting and Training, please reach out; we would be honored to serve you and your organization.

Jim McConnell  |  info@askmcconnell.com  |  askmcconnell.com

Updated: 23 March 2025

Protecting human lives is the highest requirement of our entire organization, whether those people are employees, customers, volunteers, visitors, or part of our supply chain, whenever they have some nexus to our organization. Often, the things we do online will impact people’s lives physically, financially, and emotionally.

  • I will report security concerns, vulnerabilities, and threats to my supervisor or the organization’s Ethics Hotline as soon as discovered. If they are not available and I feel unsafe, I will contact law enforcement.
  • I will not start any safety or security investigation unless I am authorized by HR and Legal.
  • I will support, answer questions, and provide all information and data for all lawful requests for assistance from the authorized investigation lead or team.
  • If I am authorized to lead or support an investigation, I must have the skill set to conduct the investigation, including but not limited to: interviewing, interrogation, report writing, evidence preservation, chain-of-custody management, testifying, link analysis, and mitigation development.
  • I will not be part of an investigation team — as lead or support — if there is a conflict of interest.
  • I will keep all aspects of the investigation confidential except as authorized by Legal and HR.
  • I will make sure the final investigation report discloses all facts and only facts. Opinions will be reserved for closed-door, attorney–client privilege discussions.
  • I will conduct an authorized investigation only if my role is independent of the subject and scope of the investigation.
  • I will alert Legal and HR if, during the authorized investigation, I discover a conflict of interest, something potentially criminal, or other violations that need to be investigated separately. I will not continue without further authorization.
  • If I am the investigation lead or part of the investigation support team, I will not take part in deciding, or in any discussion about deciding, the consequences for person(s) found to be in violation in the matter under investigation.
  • I will promote reporting of violations and concerns in all business activities, including reporting to the organization’s Ethics Hotline.
  • If I am the investigation lead, I will always produce an after-action report (AAR), prevention recommendation report, root cause analysis, or similar report to leadership — separate from the investigation report.
  • I will preserve and protect all evidence artifacts until a chain-of-custody change is required.

Signature Note: I am a huge fan of wet signatures on these types of documents for accountability and investigation reasons. You can add the signature lines below to each rule/policy document, or have a collective wet signature with references in the Security Commitment Agreement document available on the One-Pager library page. Organizational preference.

________________________
Print Full Legal Name

________________________
(Blue Ink) Full Legal Signature
Style of signature must closely match Driver’s License

________________________
Date
