ISO 27001:2022 A 6.4 Disciplinary process

Uncategorized 4 Minutes

Disciplinary Process talks about the need for organisations to put in place some form of disciplinary process to serve as a deterrent so that personnel will not commit information security violations. Information security violation is a breach of the rules or laws governing the proper handling of information. Information security policies are established by organisations to protect confidential, proprietary and personal data, such as customer records and credit card numbers. Information security policies also include computer security policies that help ensure the safety and integrity of data stored on computers. Information security violations include but are not restricted to:

  • Browsing computer or paper records without appropriate authorization and a legitimate business reason
  • Information lost or compromised
  • Loss or theft of equipment containing organizational information
  • Repeated incidents of unattended or lost smart cards
  • Using unencrypted memory sticks
  • Using customer or employee personal data or information without appropriate authorization and a legitimate business reason
  • Disclosing customer or employee personal data or information without appropriate authorization and a legitimate business reason
  • Disclosing computer passwords
  • Sending the information insecurely outside the organization
  • Sending sensitive personal data or identifiable personal information to the wrong person or customer
  • Unauthorized disclosure of organizational information to third parties e.g. the press.

This Disciplinary process should be formally communicated and a suitable penalty designed for employees and other relevant interested parties who commit an violation. If an employee violates an organisation’s information security policy, he or she could be subject to disciplinary action or termination from employment. In some cases, a company may choose not to terminate an employee who breaks its computer usage policy, but instead take other appropriate measures to prevent future violations of company policy.

A 6.4 Disciplinary process

Control

A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.

Purpose

To ensure personnel and other relevant interested parties understand the consequences of information security policy violation, to deter and appropriately deal with personnel and other relevant interested parties who committed the violation.

ISO 27002 Implementation Guidance

The disciplinary process should not be initiated without prior verification that an information security policy violation has occurred .
The formal disciplinary process should provide for a graduated response that takes into consideration factors such as:
a) the nature (who, what, when, how) and gravity of the breach and its consequences;
b) whether the offence was intentional (malicious) or unintentional (accidental);
c) whether or not this is a first or repeated offence;
d) whether or not the violator was properly trained.
The response should take into consideration relevant legal, statutory, regulatory contractual and business requirements as well as other factors as required. The disciplinary process should also be used as a deterrent to prevent personnel and other relevant interested parties from violating the information security policy, topic-specific policies and procedures for information security. Deliberate information security policy violations can require immediate actions.

Other information

Where possible, the identity of individuals subject to disciplinary action should be protected in line with applicable requirements. When individuals demonstrate excellent behavior with regard to information security, they can be rewarded to promote information security and encourage good behavior.

There should be a formal disciplinary process for employees who have committed a security breach. A security breach happen where there has been a deliberate attempt, whether successful or not, to compromise organizational assets such as information, people, IT, premises, or any accident resulting in loss of assets. A formal disciplinary process must be established by the organization in relation to employees who have violated the organization’s security policies and procedures and, for retention of evidence. Disciplinary processes should aim to be a deterrent to employees who might otherwise be inclined to disregard security policies and procedures. Where appropriate, discipline should be in line with the relevant employment act conditions. For employees not covered under this, discipline should be in line with contract terms and conditions. Where it is formally stated that some activity is not allowed, but informally action is not generally taken against the activity (e.g. banning the distribution of jokes via e-mail), any subsequent disciplinary action that is taken in this regard may be subject to legal challenge and may, therefore, be unenforceable. Disciplinary action should accurately reflect the nature of the breach of policy. Minor infringements are to be expected and should be dealt with through cautions and user security awareness education. Repeated minor infringements may be symptomatic of an inappropriate policy or control, and should entail a re-assessment of its suitability. Repeated minor infringements not due to an inappropriate policy or control, or a major breach of security, maybe more suitably dealt with by formal sanctions such as termination of access (temporary or permanent) or legal action. The nature of appropriate disciplinary action should be determined by the workforce management function, in consultation with security officers and with legal officers if legal action is contemplated. Control includes:

  • a reasonable evidentiary standard to initiate investigations (reasonable suspicion that a breach has occurred);
  • appropriate investigatory processes, including specification of roles and responsibilities, standards for the collection of evidence and chain of custody of evidence;
  • disciplinary proceedings that observe reasonable requirements for due process and quality of evidence;
  • a reasonable evidentiary standard to determine fault, that ensures correct and fair treatment for persons suspected of a breach;
  • sanctions that appropriately take into consideration factors such as the nature and gravity of the breach, its impact on operations, whether it is a first or repeat offence, whether or not the violator was appropriately trained, whether or not the violator exercised due care or exhibited negligence;
  • an overall process that functions both as deterrent and sanction.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply