||Upon discovery of an unsanctioned device on the organizational network, Service Providers, Network Operators, and Public Safety should investigate to determine ownership and purpose/use of the device. Where possible, this phase should be non-alerting (i.e., log reviews, monitoring of network traffic, review of abuse complaints for suspect IP address) to determine if the use is non-malicious or malicious/suspect. If use is determined to be non-malicious, employ available administrative tools to correct behavior and educate user. Conduct review of policies to determine: If additional staff education regarding acceptable use of network/computing resources is requiredIf processes should be redesigned / additional assets allocated to provide a sanctioned replacement of the capability. Was the user attempting to overcome the absence of a legitimate and necessary service the organization was not currently providing so that s/he could perform their job? If the use is deemed malicious/suspect, coordinate with legal counsel: Based on counsel's advice, consider collecting additional data for the purposes of assessingDepending on the scope of the misuse, consider a referral to law enforcement.