Work in DFIR for a large UK company, just trying to gauge who should be carrying out searches in purview/ediscovery (sec/admin/HR/legal).
Officially our process is managers go to HR who fill in a form, they send over to us to assess the scope and then gets signed off by multiple sec managers. But this only seems to be for significant investigations.
I’ve noticed in our audit logs that HR seem to run their own searches with some pretty broad parameters that don’t sit well with me.
Thinking about it though I’m not sure who this should actually be on though, seems like an IT/admin function but think there’s a case for forensic disciplines to be applied. Also I’m not sure HR can be considered truly impartial if they are allowed to do it themselves.
Just curious how it’s set up at your organisation?