Take disciplinary actions against individuals who violate the Code of Conduct.


CONTROL ID: 06435
CONTROL TYPE: Behavior
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Code of Conduct., CC ID: 04897

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Penal measures for violation of policies and the process to be followed in the event of violation (Critical components of information security 1) 2) h., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The organization should have a formal disciplinary process for dealing with violations of Information Security policies and procedures. (Control: 0124 Bullet 4, Australian Government Information Security Manual: Controls)
  • A process for performing disciplinary measures is implemented and communicated to the employees in order to make the consequences of violations of the applicable policies and instructions as well as legal provisions and laws transparent. (Section 5.3 HR-04 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Who is responsible to enforce disciplinary actions? (Table Row I.23, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Recover from undesirable conduct, events, and conditions; correct identified weaknesses; execute necessary discipline; recognize and reinforce desirable conduct and deter future undesired conduct or conditions. (OCEG GRC Capability Model, v 3.0, P1.3 Establish Responsive Actions and Controls, OCEG GRC Capability Model, v 3.0)
  • Apply consistent discipline to individuals at fault and provide necessary retraining. (OCEG GRC Capability Model, v. 3.0, P8.5 Discipline and Retrain, OCEG GRC Capability Model, v 3.0)
  • Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organization and implement corrective action as necessary. (§ 3 Principle 5 Points of Focus: Enforces Accountability through Structures, Authorities, and Responsibilities, COSO Internal Control - Integrated Framework (2013))
  • A method should be established to ensure individuals understand that disciplinary actions may be taken against them if they violate the information security policy and supporting acceptable usage policies. (CF.01.01.09, The Standard of Good Practice for Information Security)
  • A method should be established to ensure individuals understand that disciplinary actions may be taken against them if they violate the information security policy and supporting acceptable usage policies. (CF.01.01.09, The Standard of Good Practice for Information Security, 2013)
  • appropriate disciplinary action shall be taken against personnel who violate the organization's compliance obligations, policies, processes and procedures. (§ 7.2.2 ¶ 1 c), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • appropriate disciplinary action shall be taken against personnel who violate the organization's compliance obligations, policies, procedures and processes. (§ 7.2.2 ¶ 1 c), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary. (CC1.5 ¶ 3 Bullet 1 Enforces Accountability Through Structures, Authorities, and Responsibilities, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Management responding to deviations from standards and behaviors (e.g., terminating personnel or taking other corrective actions for failing to adhere to organizational standards; initiating performance evaluations). (Enforcing Accountability ¶ 3 Bullet 4, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • In some governance structures, performance targets cascade from the board of directors to the chief executive officer, management, and other personnel, and performance is evaluated at each of these levels. The board of directors evaluates the performance of the chief executive officer, who in turn e… (Holding Itself Accountable ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization sends a clear message of what is acceptable and unacceptable behavior whenever deviations become known. Deviations from standards of conduct must be addressed in a timely and consistent manner (see Example 6.4). (Responding to Deviations in Core Values and Behaviors ¶ 3, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The entity that demonstrates open communication and transparency provides a variety of channels for both management and personnel to report concerns about potentially inappropriate or excessive risk taking, business conduct, or behavior without fear of retaliation or intimidation. The entity also pr… (Keeping Communication Open and Free from Retribution ¶ 4, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • As professionals, members perform an essential role in society. Consistent with that role, members of the American Institute of Certified Public Accountants have responsibilities to all those who use their professional services. Members also have a continuing responsibility to cooperate with each ot… (0.300.020.02, AICPA Code of Professional Conduct, August 31, 2016)
  • Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary. (CC1.5 Enforces Accountability Through Structures, Authorities, and Responsibilities, Trust Services Criteria)
  • The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements. (CC7.4 Application of Sanctions, Trust Services Criteria)
  • Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary. (CC1.5 ¶ 2 Bullet 1 Enforces Accountability Through Structures, Authorities, and Responsibilities, Trust Services Criteria, (includes March 2020 updates))
  • The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements. (CC7.4 ¶ 3 Bullet 2 Application of Sanctions, Trust Services Criteria, (includes March 2020 updates))
  • The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that pr… (§ III.11.e.i., EU-U.S. Privacy Shield Framework Principles)
  • The criminal justice information services systems officer shall enforce system discipline on all system users. (§ 3.2.2(2)(a), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Affect a public or private postsecondary educational institution's existing rights and obligations to protect against and investigate alleged student misconduct or violations of applicable laws and regulations. (§ 99121(c)(1), California Education Code-EDC, Title 3, Division 14, Part 65, Chapter 2.5- Social Media Privacy, § 99120 - 99122)
  • Prohibit a public or private postsecondary educational institution from taking any adverse action against a student, prospective student, or student group for any lawful reason. (§ 99121(c)(2), California Education Code-EDC, Title 3, Division 14, Part 65, Chapter 2.5- Social Media Privacy, § 99120 - 99122)