Implementing Information Security Controls in Personnel Sanctions and Disciplinary Process
It has been said that you can suffer the pain of discipline, or you can suffer the pain of regret – the choice is yours. If personnel intentionally act in conflict with information security controls that your organization has adopted, the non-compliant actions should prompt some level of disciplinary response. Failure to do so is likely to create a situation you will come to regret later. While punitive actions are not ideal, if “bad” behavior is not corrected, it will likely continue. This puts your organization at risk unnecessarily. A documented disciplinary or sanction process for personnel needs to be implemented. Your organization should ensure the same types of situations are handled in a comparable manner to preclude perceived or actual unfair treatment of personnel.
Your organization should implement, communicate, and maintain a formal disciplinary process for personnel that violates information security controls requirements contained within security policies, plans, and procedures. The disciplinary process should also address personnel that commit a security incident or breach. Training on this process should be provided to all personnel. This process should ensure that managers are notified after any sanction process is initiated if they are not already aware. Notifications should include identifying the individual sanctioned and the reason for the sanction.
Disciplinary actions should be based on the nature of the infraction or other act of non-compliance. For example, failing to complete security awareness training within the prescribed time frame should be treated much differently than someone sharing their administrative logon credentials with a user that does not have an authorized administrator account. Likewise, both of these scenarios should be treated differently than a situation involving the theft of organization assets or fraud.
The disciplinary process should not be initiated until it has been verified that a violation has occurred. Additionally, the process should provide for a graduated response that considers factors such as:
- The nature and gravity of the violation or breach and the consequences
- Whether the offense was intentional or accidental
- Whether the occurrence is a first violation of an individual or a repeat offense
- Whether the violator was properly trained
Once a disciplinary process has been developed, it should be referenced within each information security policy, standard, procedure, and other control document. All appropriate personnel should be aware of the potential sanctions associated with not complying with prescribed information security controls.
All of this talk about sanctions and discipline have you down? Consider implementing a rewards program in addition to the sanctions program. A rewards program is a great way to recognize individuals that demonstrate excellent security behaviors. This will help not only promote the information security program but also encourage good security behavior across the organization.