Ideas for Security Policy Sanctions

In order for written information security policies to have “teeth”, there must be consequences for employees that do not follow policies, and this fact must be documented as part of the published policy. The “sanctions” portion of most security policies reads something like this:

“Failure to comply with this policy will result in disciplinary action, up to and including termination.”

While this idea certainly makes sense as a formal statement, it leaves a lot of gray area in the real world of policy implementation and enforcement. And it will likely leave questions in the minds of employees. “Does this mean that everyone who violates a policy gets fired?” “What happens if I violate a policy by accident?” “What offenses would warrant termination?”

When developing written policies, the organization should prepare some internal guidelines for proper sanctions. These should be developed in conjunction with Human Resources and the Legal Department, and considered with regard to the consequences for violation of other policies, such as the Code of Conduct. Certainly, not all policy violations are the same, and some violations present greater legal and market risk than others.

The following are some ideas for possible employee sanctions with increasing levels of severity:

1. Warning from Management – The employee receives a warning from their manager that they were in violation of policy.

2. Official Warning in Personnel File – The employee is warned, and official notice is put in their personnel file. This may have negative consequences during future performance reviews or promotion considerations.

3. Revoking Privileges – Access to certain company resources, such as internet or email, can be revoked for a limited period (provided that they are not critical to job functions). In one organization, the CEO gave everyone in the organization 30 days to read and acknowledge the written security policy. After 30 days, each employee who had not done so had their email disabled. Within 24 hours all of the offenders had read and acknowledged the policy.

4. Requiring Additional Training – Another sanction is to require the employee to take additional training on security and privacy practices. This must be done on their own personal time, such as during lunch or after business hours.

5. Suspension without Pay – After multiple warnings, or for serious policy violations that may put the company at substantial risk, employees may be suspended for a limited time without pay.

6. Termination – The organization should consider which types of offenses could trigger a termination. If termination is an option, consult with the legal and human resources department to make sure the organization is on solid ground with respect to written policies. Some employees have sued for wrongful termination and won the case when it was shown that the company was lax in its overall deployment and enforcement of security policies.

Of course, you can combine any of these into a type of sanctions “mix” that works for the organization. The important task is to prepare the organization by thinking through the problem and deciding what works best for the employees and management. Once guidelines have been established, they can be communicated to employees as part of their regular security or human resources training activities.

If your organization has come up with some unique and effective ways to encourage compliance with policies, we would like to hear from you.