PS-08-727 Personnel Sanctions

Personnel Sanctions

Control ID

PS-08-727

Control Name

Personnel Sanctions

Control Category

Personnel Security

Functional Areas

Sub-Areas

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

February 15, 2018

Agency Implementation

Information security policies and procedures are enforced by Agency rule (Rule 29.01.99.I1) which includes the following statement:

Agency security control standards carry the same force and effect as agency rules, and noncompliance may be considered grounds for disciplinary action up to and including termination of employees.

Risk Statement

Security breaches occur by employees due to lack of formal disciplinary process.

Control Description

The organization: a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

Control Example

Designated officials maintain a formal sanction program.

State Implementation

The state organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.

Testing Procedures

Obtain personnel security policy; procedures addressing personnel sanctions; rules of behavior; records of formal sanctions; other relevant documents or records and ascertain if : (I)the organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures. (ii)the personnel sanctions process is consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.