The disciplinary process must identify the individuals to be investigated for information security breaches. A violation is documented when a non-conformity is detected, including by control tools such as software.
There are essentially four questions to answer when organizing the disciplinary process in the company:
- In what circumstances is the disciplinary process opened?
- What does the violation actually consist of?
- How is the investigation conducted?
- How are the sanctions imposed?
Circumstances that open the disciplinary process for information security
Control 7.2.3 Disciplinary process, from Annex A of ISO 27001, requires that a formal and communicated disciplinary process be established to take action against personnel who have committed an information security breach.
During the development of the management system, as soon as the information security policies have been issued, it must be established and communicated to all personnel that the disciplinary process is started in the event of:
- Acts carried out with the intention of violating the confidentiality, integrity or availability of information
- Violations in the application of the controls required by the management and security procedures
What is the violation?
In the information security management system, it may not be appropriate to use complex legal arguments to explain to staff what must not be done. The effectiveness of the system takes priority over everything else, so it is advisable to explain, in a very practical way, the circumstances in which a violation occurs.
We therefore suggest explicitly communicating to staff that acts and violations may be detected by audit activity or by the monitoring carried out by the log management software, which can report:
- Unauthorized access attempts
- Attempts to disseminate information
- Attempts to delete information and data
- Unauthorized software installation attempts
- Attempts to steal data by copying to removable media
- Attempts to steal data by sending to remote destinations
- Other similar anomalies
Conducting the investigation
Documentation of violations is the basis of the entire disciplinary process. The anomaly, dangerous behavior, inappropriate act or act contrary to the policy and the management system that is attributable to a person must be collected (documented) and explained in order to conduct:
- An investigation aimed at ascertaining that no other dangers are connected to the abnormal circumstances
- A disciplinary process aimed at punishing the act performed and preventing its repetition and its emulation
The system administrator has a very important role in the investigation of an information security breach. Above all from a technical point of view, this role must be involved in the assessment and documentation of:
- The detection of the non-conformity (anomaly)
- The description of the non-conformity (anomaly)
- The processes involved
- The damage to devices
- The damage to information
- The analysis of the causes and the investigative hypotheses
- The actions to be taken
The sanctions for staff
Attention: the disciplinary process must be prepared in compliance with Articles 2103, 2106, 2118 and 2119 of the Italian Civil Code, with Law no. 300/1970 (the so-called “Workers’ Statute”) and with the current CCNL (National Collective Labour Agreement) applied by the company.
The sanctions that can be applied to employees who violate the rules of the information security management system, in ascending order of severity, are:
- Sanctions that preserve the employment relationship:
  - Verbal warning
  - Written warning
  - Fine
  - Suspension from work and pay
- Sanctions that terminate the employment relationship:
  - Dismissal