CCI-004521
CCI-004521 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures.
Validation Procedures
Examine: [SELECT FROM: Personnel security policy; personnel security procedures; procedures addressing personnel sanctions; access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements); list of personnel or roles to be notified of formal employee sanctions; records or notifications of formal employee sanctions; system security plan; privacy plan; personally identifiable information processing policy; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with personnel security responsibilities; legal counsel; organizational personnel with information security and privacy responsibilities].
Test: [SELECT FROM: Organizational processes for managing formal employee sanctions; mechanisms supporting and/or implementing formal employee sanctions notifications].