Corporate Security

Understanding Differences Between Activity, Incident, Investigation, and Case Management in Corporate Security

Posted March 29, 2023 by Resolver

Building a corporate security program might be overwhelming at first. Where to start? What are the differences between activity and investigation management or incident management vs. case management? When each one is imperative to properly reporting and tracking events, how do you, as a security leader, plan for all?

Activity, incident, investigation, and case management are all related to managing and tracking different types of events or actions within an organization. In the context of corporate security, the definitions of activity, incident, investigation, and case management are similar to their general definitions but with a specific focus on security-related events. The essential difference is the management and reporting of single events (one-to-one) versus the project-level management of multiple incidents—including an incident’s associated activities—and investigations that have been linked together to form a case (one-to-many).

What is activity tracking?

Activity tracking (or activity management) in corporate security refers to the process of managing and tracking routine security-related tasks or processes within an organization. These can include things like managing access control systems, monitoring security cameras, conducting regular security audits, and performing employee training on security best practices. The goal of activity management in corporate security is to ensure that security measures are in place and functioning properly to prevent security incidents.

Activities in the context of corporate security are typically routine duties where no serious event — simply an “incident” — has occurred, though what exactly makes an event an “activity” vs. an “incident” is up to individual organizational policies. Activities track who, what, where, and when but tend to be more resource-centric than incidents. Activity tracking usually includes tracking of response times, officer logs, and total time spent, amongst other details.

However, activities typically carry far less detail than what would be in a full incident or investigation report; generally, the activity report is the first stage report of an event. While activities can be escalated to incidents, incidents don’t always come from only one activity… or even an activity at all. Proper incident management does require, though, that incidents are linked with any associated activities.

What is incident reporting?

Incident management in corporate security refers to the process of managing and resolving security-related incidents within an organization. These can include things like physical security breaches, theft or fraud, workplace violence, or other security incidents. Incident management in corporate security is focused on minimizing the impact of the incident and restoring normal operations as quickly as possible. This is best done through data-driven reporting and analysis that’s

When an incident occurs, whatever it may be (theft, assault, accident, etc.), it elicits a response. The response details are tracked as an activity report. After the response, the event may require a more detailed incident report — a record of the incident’s data, including more extensive detail on who, what, when, where, why, how, and how much. We refer to this data collection and reporting process as “documenting the record of events.” At any point, we can refer to or add to this record of events to form a complete picture of the incident’s details. Each incident contains its own separate record of events, documenting the who, what, when, where, why, how, and how much data for that particular incident only. In Resolver, these details are recorded on individual incident forms that can be customized to your organization’s needs. We recommend keeping them simple, so that the likelihood of incidents being filed increases, netting you more incident data over time so you can make informed decisions.

All this data generally encompasses the initial incident report — in essence, the detailed “story” of a single event. Resolver tracks activity details within incident reports, and unlike activity reports on their own, incident reports can include investigation details.

What is investigation management?

Investigations management refers to the process of managing and resolving security-related incidents within an organization. These can include physical security breaches, cyber attacks, theft or fraud, workplace violence, or other security incidents. Incident management in corporate security is focused on responding quickly and effectively to the incident to minimize its impact and restore normal operations as soon as possible. Incident management is typically a reactive process, responding to unexpected events as they occur.

Many organizations ensure appropriate management of all incidents by employing a tiered or escalated response system. Ground force personnel first respond to the event and provide the initial incident report. Depending on the incident, this report may be passed on to an investigations division and the incident escalated into investigation mode. Investigators then collect incident information beyond the initial details originally recorded. While incidents are generally handled by one responding officer with some assistance from others, there may be multiple investigators assigned to an investigation depending on its size. Where the initial incident report tells the story of an event, the ensuing investigation aims to “solve the puzzle” by determining who was responsible and why it happened.

Investigative data may include:
• Investigation Start and Closed Dates (may differ from those denoting the incident’s duration).
• Assigned Investigators.
• Investigation Metrics (time and dollars spent).
• Investigation Summaries and Interviews (narratives that do not belong in the general Incident Report).
• Investigation Logs (task and expense tracking).
• Investigation Evidence/Property Records (including chain of custody).

In Resolver Core, investigative data is collected under a separate Investigation tab within each incident record, differentiating the standard incident report from an investigation report. For added data segregation, you may also specify which users are allowed access to the Investigation tab. Although each incident and investigation has separate data and is handled by different people, what happens when there are similarities between multiple incidents and investigations?

As multiple incidents occur throughout an organization, common themes, patterns, or links among incidents may be detected. In these instances, it is necessary to link or cross-reference incidents to each other, ensuring their commonalities are not lost amid the data. Therefore, investigation management does not always involve only one investigation of a single incident; it is the monitoring and managing of the investigative details of one or more incidents. This may also be referred to as case management — the management of multiple investigations.

What is case management?

Case management refers to the process of managing an ongoing security-related issue within an organization. These can include things like internal fraud investigations, data breaches, or legal disputes related to security incidents. Case management in corporate security involves tracking the status of the case, assigning tasks to individuals, and ensuring that all relevant information is documented and accessible for legal or regulatory purposes. Case management is typically a proactive process, involving ongoing management of a complex issue over time.
Because case management involves overseeing multiple investigations at once, it requires a high degree of project management. Often, a case involves a series of events that are related but not necessarily alike; these events will, nonetheless, be managed and investigated as a single project or case. For example, a case called “Jeff Brown Restraining Order” may be comprised of a series of incidents of varying types, all involving Jeff Brown; all the events are separate incidents with separate investigative details, but they are all managed as a single investigative unit or project.
Depending on the case, a case manager may be assigned to oversee the group of investigators and agencies involved in each of the incidents, or the case manager may be tasked with singlehandedly taking over all the investigative work. No matter what responsibilities the case manager is assigned, the case data collected must be continually added to the appropriate records to ensure accurate intelligence is generated. In Resolver Core, a case is a compilation of multiple investigations, their associated incidents, and those incidents’ linked activities, if any. When adding a new case, you must give it a name and include relevant details, such as the names of case managers and investigators.

Ensure your incident management software meets your needs

Though differently managed, activities, incidents, investigations, and cases determine not only how data is collected, but what data is collected and the conclusions we can draw from them. Ensuring that multiple data streams from activities, incidents, investigations, and cases are properly recorded, tracked, and analyzed is crucial to properly manage current incidents, and prevent more from occurring.

Our incident management platform tracks activities and incidents through thoughtful automation and documenting necessary information – from the record of events to capturing investigative details — while linking related incidents and investigations to cases for comprehensive review. Data can be viewed and added on a one-to-one or one-to-many basis, allowing for complete activity, incident, investigation, and case management.

Do you want to take control of incidents before they become threats and streamline your security processes? Join an upcoming product showcase and discover how Resolver can transform the way you manage incidents. Get a firsthand look at our innovative platform, see how it works in real-time, and learn how it can benefit your organization. Register now to reserve your spot!

Cookie	Duration	Description
AWSALBCORS	7 days	This cookie is managed by Amazon Web Services and is used for load balancing.
BIGipServersj13web-nginx-app_https	session	This cookie name is associated with the BIG-IP product suite from company F5. Usually associated with managing sessions on load balanced servers, to ensure user requests are routed consistently to the correct server. The common root is BIGipServer most commonly followed by a domain name, usually the one that it is hosted on, but not always.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
datadome	session	This is a security cookie set by Force24 to detect BOTS and malicious traffic.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
XSRF-TOKEN	6 months	This cookie is set by Wix and is used for security purposes.
_mkto_trk	2 years	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
__resolver-ref	session	This cookie is set by Resolver to ensure visitors receive unique content after submitting a form on our website.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
sp_landing	1 day	The sp_landing is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.
sp_t	1 year	The sp_t cookie is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.

Cookie	Duration	Description
ADRUM_BT1	past	This cookie is set by AppDynamics and is used to optimize the visitor experience on the website by detecting errors on the website and share the information to support staff.
ADRUM_BTa	past	This cookie is set by AppDynamics and used to optimize the visitor experience on the website by detecting errors on the website and share the information to support staff.
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.

Cookie	Duration	Description
ajs_anonymous_id	never	This cookie is set by Segment.io to check the number of ew and returning visitors to the website.
ajs_user_id	never	The cookie is set by Segment.io and is used to analyze how you use the website
CONSENT	16 years 2 months 17 days 10 hours	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_4655365_4	1 minute	Set by Google to distinguish users.
_gat_UA-4655365-4	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_ga_VCHH3SM1QW	2 years	This cookie is installed by Google Analytics.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjid	1 year	This is a Hotjar cookie that is set when the customer first lands on a page using the Hotjar script.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSessionSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.
_omappvp	11 years	The _omappvp cookie is set by OptinMonster to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie set by OptinMonster, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.
_uetsid	1 day	This cookies are used to collect analytical information about how visitors use the website. This information is used to compile report and improve site.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
sa-user-id	1 year	StackAdapt sets this cookie as a Random Identifier for user identification, to display relevant advertisements.
sa-user-id-v2	1 year	StackAdapt sets this cookie as a Random Identifier for user identification, to display relevant advertisements.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps in differentiating between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
_uetvid	1 year 24 days	This cookie is set by Bing to store and track visits across websites.