HRS-006 Disciplinary Process for Security Violations
Description
A formal disciplinary process is documented and communicated to all personnel, covering the consequences of information security policy violations. The process is applied consistently and proportionately, and investigations are conducted before sanctions are applied.
Rationale
Deterrence of intentional security violations requires credible consequences. A documented and communicated disciplinary process demonstrates organizational commitment to security policy enforcement and provides legal protection in disciplinary proceedings.
Framework Mappings (4)
| Control ID | Control name | Mapping |
| --- | --- | --- |
| HRS-09 | Personnel Roles and Responsibilities | partial |
| 6.4 | Disciplinary process | full |
| PS-8 | Personnel Sanctions | full |
| CC1.5 | COSO Principle 5: Enforces Accountability | partial |
Evidence (2)
Disciplinary policy defining consequences of information security policy violations and the process for consistent, proportionate enforcement.
Example: Employee Disciplinary Policy or Code of Conduct (Confluence / HRIS policy library), with a section on information security violations, describing: violation categories, proportionate consequence tiers (informal warning through to termination), the investigation process, and appeal rights.
Test: Request the disciplinary policy. Verify: (1) information security policy violations are explicitly included as a violation category, (2) consequence tiers are defined proportionate to severity, (3) an investigation requirement (before sanctions are applied) is stated, (4) the policy has been communicated to all staff — confirm via training completion or acknowledgement record, (5) approval date is within the last 12 months.
Anonymized disciplinary case records or HR log confirming the process was applied to at least one security policy violation in the last 12 months, or a management attestation if no violations occurred.
Example: Anonymized HR case log entry (HRIS / case management system) showing: case type (security policy violation), investigation completed, outcome applied, and case closure date — or a signed management attestation that no reportable violations occurred in the period.
Test: Request either an anonymized log of security-related disciplinary cases from the last 12 months, or a signed management attestation of no violations. Verify: (1) if cases exist, the investigation step precedes any sanction, (2) the outcome is proportionate to the violation severity, (3) the process followed matches the documented disciplinary procedure.
Questions (2)
Does your organization have a formal, documented disciplinary process that covers information security policy violations and is communicated to all personnel?
The process should define tiered consequences proportionate to severity, require investigation before sanctions are applied, and include an appeal mechanism.
Can your organization provide evidence (e.g. anonymized case records or a management attestation) that the disciplinary process has been applied to a security policy violation in the last 12 months?
The existence of a process is insufficient on its own — evidence of either use or a credible attestation of non-use demonstrates the process is known and active.