Security Policy Sanction Procedure (OP-PROC-008)

1. Purpose

To describe the formal process for documenting violations of information security policies and applying consistent, fair, and appropriate disciplinary actions.

2. Scope

This procedure applies to all members of the workforce, including employees, contractors, and temporary staff, who are found to be in violation of the company’s established information security policies.

3. Overview

This procedure ensures that security policy violations are handled in a structured and predictable manner. It outlines the steps for identifying a violation, conducting an investigation, determining a commensurate disciplinary action in consultation with Human Resources, and formally documenting the outcome.

4. Procedure

Step | Who | What
1 | Manager or Security Officer | Identifies a potential violation of an information security policy through a report, an audit finding, or a security alert.
2 | Security Officer & Manager | Conduct an investigation to gather facts and evidence related to the potential violation. This may involve reviewing logs, interviewing individuals, and analyzing data.
3 | Security Officer, Manager, & HR | Review the findings of the investigation to confirm whether a policy violation occurred.
4 | Manager & HR | In consultation with the Security Officer, determine the appropriate disciplinary action. The sanction shall be commensurate with the severity of the violation, its impact, and the employee’s history.
5 | Manager & HR | Formally document the violation and the resulting sanction using a standard disciplinary action form. The documentation is stored in the employee’s confidential HR file.
6 | Manager | Communicates the decision and the sanction to the employee.

5. Standards Compliance

This section maps the procedure steps to specific controls from relevant information security standards.

Procedure Step(s) | Standard/Framework | Control Reference
1-6 | HIPAA Security Rule | 45 CFR § 164.308(a)(1)(ii)(C)

6. Artifact(s)

A formal disciplinary action form or memo detailing the policy violation, the findings of the investigation, and the applied sanction. This document is stored in the employee’s confidential personnel file.

7. Definitions

Sanction: A penalty or disciplinary action imposed for violating a policy or rule.

Commensurate: Corresponding in size, extent, amount, or degree; proportionate.

8. Responsibilities

Role | Responsibility
Manager | Responsible for identifying and reporting potential violations and for communicating disciplinary actions.
Security Officer | Responsible for investigating potential security policy violations.
Human Resources (HR) | Responsible for ensuring the sanction process is fair, consistent, and legally compliant, and for maintaining official records.