Personnel Security Risk: Discipline or Regret? You Decide
It has been said that you can suffer the pain of discipline or you can suffer the pain of regret – the choice is yours.
If personnel intentionally act in conflict with security controls that have been adopted by an organization, the non-compliant actions should prompt some level of disciplinary response. Failure to do so will create a situation you may come to regret later. The idea of a disciplinary process is the focus of pitfall #19 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
Punitive actions are not ideal, but if “bad” behavior is not corrected, it is likely to continue, putting organizations at risk unnecessarily. A documented disciplinary process needs to be implemented. Organizations need to ensure the same types of situations are handled in a comparable manner to preclude unfair treatment of personnel.
Your organization should implement, communicate, maintain, and provide training on a formal disciplinary process for personnel who violate controls contained in security policies, plans, and procedures, or who commit a security incident or breach. Managers should be notified after any formal sanction process is initiated. This notification should identify the individual sanctioned along with the reason for the sanction.
Once a disciplinary process has been developed, it should be referenced within each security policy, standard, procedure, and other control document. All appropriate personnel should be aware of the potential discipline associated with not following prescribed controls.
Referencing the disciplinary statement in policies or other control documents does not need to be an exhaustive exercise. An example of a statement that can be used by your organization is, “All personnel are required to comply with the controls contained within this document. Failure to comply may result in disciplinary actions, up to and including termination of employment, contract, or any other agreement.” Your version of this statement can easily be added to existing or new policies, or other control documents that identify program or process requirements.