Implement a sanctions process for personnel who fail to comply with the organizational compliance program.
CONTROL ID
01442
CONTROL TYPE
Behavior
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Code of Conduct., CC ID: 04897

This Control has the following implementation support Control(s):
  • Notify designated personnel when a formal personnel sanctions process is initiated., CC ID: 10632


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • For users who send e-mails or receive e-mails from outside the organization or browse improper websites, the organization should take appropriate actions. (T42-1.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • It is also necessary to make all officers and employees (including outsourcee's staff) conduct security education with respect to operations, and to make them fully aware of their responsibilities and duties, as well as of the punishments involved, etc. (P139.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Organizations should have a formal disciplinary process in place to deal with employees who violate security policies and procedures. (§ 2.8.24, Australian Government ICT Security Manual (ACSI 33))
  • A person must not aid, abet, procure, or counsel a violation of sections 16(1) or 16(6). (§ 16(9)(a), Australian Government Spam Act 2003)
  • A person must not influence, whether by promises, threats, or otherwise, a violation of sections 16(1) or 16(6). (§ 16(9)(b), Australian Government Spam Act 2003)
  • A person must not be directly or indirectly, knowingly concerned in, or a party to a violation of sections 16(1) or 16(6). (§ 16(9)(c), Australian Government Spam Act 2003)
  • A person must not conspire with others to violate sections 16(1) or 16(6). (§ 16(9)(d), Australian Government Spam Act 2003)
  • A person must not abet, aid, counsel, or procure a violation of section 17(1). (§ 17(5)(a), Australian Government Spam Act 2003)
  • A person must not influence, by promises, threats, or otherwise, a violation of section 17(1). (§ 17(5)(b), Australian Government Spam Act 2003)
  • A person must not be directly or indirectly, knowingly concerned in, or a party to violations of section 17(1). (§ 17(5)(c), Australian Government Spam Act 2003)
  • A person must not conspire with others to violate section 17(1). (§ 17(5)(d), Australian Government Spam Act 2003)
  • A person must not abet, aid, counsel, or procure a violation of section 18(1). (§ 18(6)(a), Australian Government Spam Act 2003)
  • A person must not influence by promises, threats, or otherwise, a violation of section 18(1). (§ 18(6)(b), Australian Government Spam Act 2003)
  • A person must not be directly or indirectly, knowingly concerned in, or a party to a violation of section 18(1). (§ 18(6)(c), Australian Government Spam Act 2003)
  • A person must not conspire with others to violate section 18(1). (§ 18(6)(d), Australian Government Spam Act 2003)
  • A person must not abet, aid, counsel, or procure a violation of section 20(1). (§ 20(5)(a), Australian Government Spam Act 2003)
  • A person must not influence, by promises, threats, or otherwise, a violation of section 20(1). (§ 20(5)(b), Australian Government Spam Act 2003)
  • A person must not be directly or indirectly knowingly concerned in or a party to a violation of section 20(1). (§ 20(5)(c), Australian Government Spam Act 2003)
  • A person must not conspire with others to violate section 20(1). (§ 20(5)(d), Australian Government Spam Act 2003)
  • A person must not abet, aid, counsel, or procure a violation of section 21(1). (§ 21(3)(a), Australian Government Spam Act 2003)
  • A person must not influence, by promises, threats, or otherwise, a violation of section 21(1). (§ 21(3)(b), Australian Government Spam Act 2003)
  • A person must not be directly or indirectly knowingly concerned in or a party to a violation of section 21(1). (§ 21(3)(c), Australian Government Spam Act 2003)
  • A person must not conspire with others to violate section 21(1). (§ 21(3)(d), Australian Government Spam Act 2003)
  • A person must not abet, aid, counsel, or procure a violation of section 22(1). (§ 22(3)(a), Australian Government Spam Act 2003)
  • A person must not influence, by promises, threats, or otherwise, a violation of section 22(1). (§ 22(3)(b), Australian Government Spam Act 2003)
  • A person must not be directly or indirectly knowingly concerned in or a party to a violation of section 22(1). (§ 22(3)(c), Australian Government Spam Act 2003)
  • A person must not conspire with others to violate section 22(1). (§ 22(3)(d), Australian Government Spam Act 2003)
  • If a department is found to be non-compliant, does the organization have a policy for disciplinary action? (Table Row I.23, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. (§ 3 Principle 5 ¶ 1, COSO Internal Control - Integrated Framework (2013))
  • The calculation for this metric should be stated as the u. (Pg 1-I-13, Pg 4-II-9, Pg 11-I-8, Pg 15-V-3, Pg 22-I-16 thru Pg 22-I-23, Protection of Assets Manual, ASIS International)
  • A formal disciplinary or sanction policy shall be established for employees who have violated security policies and procedures. Employees shall be made aware of what action might be taken in the event of a violation, and disciplinary measures must be stated in the policies and procedures. (GRM-07, Cloud Controls Matrix, v3.0)
  • A formal disciplinary or sanction policy shall be established for employees who have violated security policies and procedures. (IS-06, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. (A.7.2.3 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • A formal disciplinary process should exist for employees who have committed a security breach. The breach should be verified before any action is taken against the employee. The process should have a graduated response based on several factors: impact on business; if the employee is a first or repea… (§ 8.2.3, ISO 27002 Code of practice for information security management, 2005)
  • Employees of the organization and, where relevant, third-party contractors should be made aware of disciplinary processes and consequences with respect to breaches of information security. (§ 7.2.2 Health-specific control ¶ 2, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • Where dilemmas turn into conflicts or disputes, alternative dispute resolution mechanisms should be considered over formal litigation where possible. Disputes should be resolved ethically and effectively. (§ 6.7.3.4 ¶ 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. (§ 7.2.3 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation. (§ 6.4 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. (CC1.5 ¶ 1 COSO Principle 5:, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • A sanctions process is defined, and applied as needed, when an employee violates the entity's privacy policies or when an employee's negligent behavior causes a privacy incident. (CC 1.5 ¶ 4 Bullet 1 Takes Disciplinary Actions, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action, as appropriate. (CC1.5 ¶ 3 Bullet 5 Evaluates Performance and Rewards or Disciplines Individuals, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization's cybersecurity policy integrates with an appropriate employee accountability policy to ensure that all personnel are held accountable for complying with cybersecurity policies and procedures. (GV.PL-1.2, CRI Profile, v1.2)
  • The organization's cybersecurity policy integrates with an appropriate employee accountability policy to ensure that all personnel are held accountable for complying with cybersecurity policies and procedures. (GV.PL-1.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and (PS-8a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and (PS-8a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and (PS-8a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and (PS-8a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Procedures exist to provide that noncompliance issues with the security policies are promptly addressed and corrective measures are implemented on a timely basis. (Security Prin. and Criteria Table § 3.9, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to provide that noncompliance issues with system availability and related security policies are promptly addressed and corrective measures are implemented on a timely basis. (Availability Prin. and Criteria Table § 3.12, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to provide that noncompliance issues with system processing integrity and related security policies are promptly addressed and corrective measures are implemented on a timely basis. (Processing Integrity Prin. and Criteria Table § 3.13, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to provide that noncompliance issues with confidentiality and related security policies are promptly addressed and corrective measures are implemented on a timely basis. (Confidentiality Prin. and Criteria Table § 3.15, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should take disciplinary actions, when appropriate, to ensure employees understand violations of expected behavior will not be tolerated. (Pg 26, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • The organization should have an implemented recourse and formal escalation process for reviewing and approving the recourse for individuals. (Table Ref 10.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should discipline individuals who cause privacy breaches or privacy incidents. (Table Ref 10.2.4, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action, as appropriate. (CC1.5 Evaluates Performance and Rewards or Disciplines Individuals, Trust Services Criteria)
  • The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. (CC1.5 COSO Principle 5:, Trust Services Criteria)
  • Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action, as appropriate. (CC1.5 ¶ 2 Bullet 5 Evaluates Performance and Rewards or Disciplines Individuals, Trust Services Criteria, (includes March 2020 updates))
  • The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. (CC1.5 ¶ 1 COSO Principle 5:, Trust Services Criteria, (includes March 2020 updates))
  • The entity has established workforce conduct standards, implemented workforce candidate background screening procedures, and conducts enforcement procedures to enable it to meet its commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, … (CC1.4, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • If an employer takes adverse action against an employee, the employer must write and disclose a summary containing a description of what the action is based on without identifying the sources who provided the information. (§ 611, Fair and Accurate Credit Transactions Act of 2003 (FACT Act))
  • If an employer takes adverse action against an employee, the employer must write and disclose a summary containing a description of what the action is based on without identifying the sources who provided the information. (§ 603(x), § 615(a), Fair Credit Reporting Act (FCRA), July 30, 2004)
  • Title IX of the Public Health Service Act (42 U.S.C. 299b-22), § 922(e)(1)(A), is amended to state that a provider, based upon the fact that the individual in good faith reported information to the provider with the intention of having the information reported to a patient safety organization, may … (§ 2(a)(5), Patient Safety And Quality Improvement Act Of 2005, Public Law 109-41, 109th Congress)
  • Where the organization has chosen self-assessment, such verification must demonstrate that its privacy policy regarding personal information received from the EU is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complied with). I… (III.7.c., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Where the organization has chosen self-assessment, such verification must demonstrate that its privacy policy regarding personal information received from Switzerland is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complied wit… (iii.7.c., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Where the organization has chosen self-assessment, such verification must demonstrate that its privacy policy regarding personal information received from the EU is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complied with). I… (III.7.c., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Procedures and policies must be developed for administrative actions against employees who violate the NISPOM Manual. (§ 1-304, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Sanctions shall be taken against workforce members who fail to comply with the security policies and procedures. (§ 164.308(a)(1)(ii)(C), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • If necessary, group health plan documents must be corrected to include adequate separation between the plan sponsor and the group health plan. Plan documents must provide effective mechanisms to resolve noncompliance issues by the persons described in § 164.504(f)(2)(iii)(A). (§ 164.504(f)(2)(iii)(C), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • A covered entity must implement and document procedures for applying sanctions to employees who fail to comply with the privacy policies and procedures. This does not apply to actions that are covered and meet the conditions of § 164.502(j) or § 164.530(g)(2). (§ 164.530(e), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate. (§ 164.308(a)(1)(ii)(C), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Standard: Sanctions. A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart or subpart D of this part. This standard does not apply to a member o… (§ 164.530(e)(1), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • The agency shall develop a formal sanctions process for use when personnel fail to comply with the Information Security policies and procedures. (§ 5.12.4, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Implications of noncompliance. (§ 5.2.1.1 ¶ 1(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The agency shall employ a formal sanctions process for personnel failing to comply with established information security policies and procedures. (§ 5.12.4 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The agency shall employ a formal sanctions process for personnel failing to comply with established information security policies and procedures. (§ 5.12.4 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Management holds employees accountable for complying with the information security program. (Domain 1: Assessment Factor: Training and Culture, CULTURE Baseline 2 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and (PS-8a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and (PS-8a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and (PS-8a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and (PS-8a., FedRAMP Security Controls High Baseline, Version 5)
  • Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and (PS-8a., FedRAMP Security Controls Low Baseline, Version 5)
  • Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and (PS-8a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • The organization must develop a formal sanction policy to discipline individuals who do not follow the information security policies. (§ 5.6.11, Exhibit 4 PS-8, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • § 4.1.6 Bullet 1: Apply a sanction against personnel who fail to comply with the security policies and procedures of the Covered Entity. § 4.1.6 Bullet 2: Create a policy to impose sanctions for noncompliance with the organization's security policy. § 4.1.6 Bullet 3: Implement the sanction policy… (§ 4.1.6 Bullet 1, § 4.1.6 Bullet 2, § 4.1.6 Bullet 3, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and (PS-8a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and (PS-8a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and (PS-8a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and (PT-8d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure a process exists for formally sanctioning employees who do not comply with the information security policies and procedures, the sanctions have been communicated to all employees, and that specific responsibilities and actions are def… (AC-13.3, PS-8, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and (PS-8a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and (PS-8a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and (PS-8a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must verify processes are implemented to ensure individuals are held accountable for adequately implementing controls to protect the confidentiality of Personally Identifiable Information and the controls are functioning as intended. (§ 4.1 ¶ 2, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization must implement a formal accountability process for personnel who fail to comply with the security policies and procedures and identify the disciplinary actions for failing to comply. (SG.PS-8 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must use a formal sanctions process for personnel who fail to comply with the security policies and procedures. (App F § PS-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization employs a formal sanctions process for individuals failing to comply with established information security policies and procedures. (PS-8a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs a formal sanctions process for individuals failing to comply with established information security policies and procedures. (PS-8a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs a formal sanctions process for individuals failing to comply with established information security policies and procedures. (PS-8a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs a formal sanctions process for individuals failing to comply with established information security policies and procedures. (PS-8a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and (PS-8a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and (PS-8a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and (PS-8a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and (PS-8a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and (PS-8a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and (PT-8d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and (PS-8a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and (PT-8d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced (GV.RR-02, The NIST Cybersecurity Framework, v2.0)
  • Organizational cybersecurity policy is established, communicated, and enforced (Policy (GV.PO), The NIST Cybersecurity Framework, v2.0)
  • Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced (GV.PO-01, The NIST Cybersecurity Framework, v2.0)
  • Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission (GV.PO-02, The NIST Cybersecurity Framework, v2.0)
  • Management should clearly state its commitment to employee competence and support the organization's policy for taking disciplinary actions against personnel. (§ II.A, OMB Circular A-123, Management's Responsibility for Internal Control)
  • A list of sanctions, such as suspension, additional training, or termination, to be used as a guideline for disciplining employees who violate access control requirements must be published in the Federal Register by the Under Secretary. The sanctions must be progressive, based on the severity and/or… (§ 44903(g)(1), TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001)
  • Imposition of disciplinary measures on employees for violating security policies or procedures or other provisions of the comprehensive information security program; (§ 38a-999b(b)(2)(F), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and (PS-8a., TX-RAMP Security Controls Baseline Level 1)
  • Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and (PS-8a., TX-RAMP Security Controls Baseline Level 2)