DESPITE THE BEST EFFORTS to secure a computing environment, no organization is completely safe. Sooner or later you will encounter a security policy violation. It may be a minor violation such as a user attempting to log on too many times after forgetting a password. Or it could be a major incident such as an attacker destroying your organization’s primary database. Either way, learn how to react. When you discover a security violation, you have only one proper response—to follow your plan.

Map out your response to security violations before any occur. In this chapter, you’ll find out how to plan for the inevitable actions that result in security violations. You’ll learn how to recognize violations and how to develop a plan for handling each one. You’ll study up on the Microsoft tools available to collect information and manage a response process. Some violations are more severe and may result in law enforcement involvement or litigation. In this chapter, you will also learn the right ways to collect and protect evidence that is admissible in court.