
You’ve just finished writing your information security policy, and within that policy you have placed the “cut-and-paste” standard statement that indicates what the consequences are if the policy is violated.  This statement, which normally reads “Failure to comply with this policy will result in disciplinary action up to and including termination if the severity of non-compliance dictates,” is a very broad statement.  Such a broad statement leads to “grey areas” where employees don’t understand the boundaries or the specific repercussions of a policy violation.  This is where more specific, documented guidance would benefit both your organization and its employees.

Whenever you are dealing with the human aspect of an organization, it is best to look to your human resources department and, if possible, your legal department to see what does and doesn’t violate your company rules as well as state and federal labor laws.  A good disciplinary policy always follows a hierarchy of severity.  This allows personnel to make mistakes and learn from them without it ending their career.  Let’s face it, none of us are perfect and everyone makes a mistake once in a while, so establishing a policy where employees are dealt the most serious disciplinary action for their first offense is going to result in a hostile work environment.  My suggestion is instead to have a policy where the severity of the disciplinary action increases, dictated by the type of offense and the number of offenses.  Here is an example of a hierarchical discipline structure:

  1. Letter of counseling from management – provides feedback on what the employee has done wrong and how it violates policy.
  2. Letter of reprimand – the employee is formally warned and an official notice is placed in their personnel file.  The action will also have negative consequences when it comes to performance reviews and promotion.
  3. Privileges revoked for a set period of time, provided they are not critical to the individual’s job function.  Remedial training to address the policy infraction is also recommended at this stage.
  4. Suspension without pay – used for multiple infractions and based on the severity of the violation.  The employee is suspended for a period of time without pay.
  5. Termination – self-explanatory.  Make sure all prior options have been utilized and documented and that the employee’s rights are not violated.  This is where HR and Legal would get involved.

Of course, this is only an example of a hierarchical disciplinary action plan to use in place of the generic disciplinary statement typically seen within a security policy.  Each organization is going to be different, and it is best to tailor a policy that fits your needs as well as the needs of management.

