A formal accountability process that includes disciplinary actions is implemented for personnel who fail to comply with established security policies and procedures
Context and Guidance: A disciplinary process is an essential administrative control for enforcing organisational resilience policies. Awareness of the disciplinary process provides staff an additional incentive to comply with the organisation’s resilience policies and ensures fair and appropriate treatment in the event that wrongdoing is suspected. From the organisation’s perspective, a formalised disciplinary process provides a preplanned response to suspected infractions of cybersecurity policy that is designed to address all relevant concerns while protecting the organisation to the fullest extent possible. The disciplinary process should be formalised and documented. It should ensure fair treatment of staff in compliance with all applicable regulations and agreements, protect the organisation’s interests, and include a range of acceptable responses that correspond to the seriousness of the infraction. Revise the disciplinary process as needed.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: WORKFORCE-1e, WORKFORCE-1g.