A disciplinary process should be formalized and communicated so that action can be taken against personnel and other relevant interested parties who have committed an information security policy violation.
Confirm that an information security policy violation has actually occurred, and that the evidence supports it, before you take any action.
Under the guidance of an HR professional, consider a reasoned and proportionate response that takes into account all legal and regulatory requirements and obligations.
Consider:
• The nature of the event
• The intent – was it intentional or unintentional?
• The frequency – was it a first-time or a repeat offence?
• Was the person aware of what was required of them, and can you prove it (for example, a signed policy acknowledgement)?
• Was the person trained, and can you prove it (for example, training records)?
It need not be a purely negative approach. Rewarding positive behaviour in relation to information security, in whatever form is appropriate to your organization, can be a great way to strengthen the culture and improve adherence to policy. Monetary rewards, formal recognition in meetings and an ‘information security star of the month’ award are all examples that we have seen work well.
The types of disciplinary actions that can be taken vary depending on the severity of the offense.
Some common disciplinary actions include:
• Verbal warnings
• Written warnings
• Suspension
• Termination
The disciplinary process is usually administered by the organization's human resources department. However, in some cases, the disciplinary process may be administered by the employee’s manager or supervisor.
Ensure that this process is documented and clear to all involved.
The steps involved in the disciplinary process vary depending on the organization. However, some common steps include:
• Investigation of the incident
• Review of the employee’s file
• Meeting with the employee to discuss the incident
• Issuance of a written warning or other disciplinary action
• Follow-up to ensure that the employee has corrected the behaviour
Subject to local employment law and the employee’s contract, the employee has the right to:
• Be informed of the allegations against them
• Be present at any disciplinary meeting
• Respond to the allegations
• Be represented by a union representative or other advocate
• Appeal the disciplinary decision
The employer has the responsibility to:
• Investigate the incident thoroughly
• Review the employee’s file
• Meet with the employee to discuss the incident
• Issue a written warning or other disciplinary action that is fair and consistent with the organization’s policies and procedures
• Follow up to ensure that the employee has corrected the behaviour
The consequences of not following the disciplinary process can vary depending on the organization. However, some common consequences include:
• Increased employee turnover
• Decreased employee morale
• Decreased productivity
• Increased legal liability
Some of the challenges of implementing a disciplinary process include:
• Dealing with employee emotions
• Avoiding bias
• Ensuring that the process is fair and consistent
• Documenting the process