Tips for managing staff within the ICT context:

Legislation and regulation

Make sure you have read and understood the Data Protection Act and European Convention on Human Rights (especially Article 8). These have an important bearing on the way in which incidents can be investigated. What you cannot be doing is accessing people's computers when they haven't got an expectation that it might happen, and how and why it might happen. If you let them know through a policy that something's liable to happen, they don't have an expectation of privacy, and it's much more difficult for them to complain.

Policy

Have a comprehensive organisation policy in place covering the (mis)use of computers. This should form part of the staff handbook.

Definitions

Define precisely what you mean by terms such as 'acceptable' or 'misuse'. The more detail you provide, the less room there is for interpretation and legal argument.

Induction

Make sure new staff and volunteers are taken through the policies, and sign a form acknowledging that they have read and understood the document. Should an incident occur, you will need to be able to show that an employee or volunteer was fully aware of the policy and the consequences of breaching it.

Exit interview

It is good practice to take leavers through a 'check-out' list during an exit interview, making sure they have returned all company property including electronic files and documents (emails and files kept on their local computer should either be deleted or archived centrally having being discussed with the leaver).

Incident management

Make sure you understand your role and responsibilities if you are invesstigating an incident.   Incident handling needs to be highly co-ordinated and controlled to be effective - every minute counts.

Incident scenarios

Think about appropriate responses to different scenarios and pre-plan checking with colleagues that the procedure is correct.  Just going through the process will help design your policies and procedures. It's vital that things are handled correctly from the start - a case of suspected fraud, for example, will need to be dealt with in a different way to finding pornographic material on a on a computer.

Confidentiality

Investigations need to be kept completely confidential until they are complete. The premature leak of information may lead to people jumping to the wrong conclusions and could seriously impede the successful conclusion of the investigation.

Continuity

Keep records of what you do at all times. If a case goes to court, you will need to be able to back up your version of events.

Call in the experts

If required, computer forensics experts can be brought in, the sooner the better. Computers are a 'crime scene' like any other, and only expert investigators should be allowed to gather evidence.