
Control 6.4: Disciplinary Process


Summary

A formal and communicated disciplinary process should be in place to take action against personnel who have committed an information security breach. This ensures that security policies are taken seriously and that there are clear consequences for negligence or malicious intent.


Applicability

In-Scope: Mandatory for establishing the enforceability of all other security controls. It is a key requirement for proving that the organization actively manages internal risks.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Policy Hosting: Ensure the Disciplinary Policy is clearly accessible to all staff on the company SharePoint portal.

  • Investigation: Use Microsoft Purview eDiscovery and Audit Logs to collect objective evidence of a policy violation during an internal investigation.

  • Access Revocation: Integrate HR systems with Entra ID to automatically suspend or restrict accounts as soon as a disciplinary action (like suspension) is initiated.
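The access-revocation step above, as an added example that is not part of the original page or of any Microsoft documentation: a Microsoft Graph PowerShell script that an HR-triggered workflow could call to suspend an Entra ID account once a disciplinary action has been initiated. It disables the account rather than deleting it, so mailbox and OneDrive content remain available to Purview eDiscovery, revokes existing sign-in sessions, verifies the result and writes a record for the investigation file. It assumes the Microsoft.Graph PowerShell SDK is installed and the operator holds a role permitted to update users; the user principal name, case reference and log path are placeholders.

```powershell
# Added example, not the page's own code. Assumes the Microsoft.Graph SDK
# (Connect-MgGraph, Get-MgUser, Update-MgUser, Revoke-MgUserSignInSession)
# and an operator with User.ReadWrite.All consent. Parameters are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$UserPrincipalName,  # e.g. user@contoso.example (placeholder)
    [Parameter(Mandatory = $true)][string]$CaseReference,      # HR disciplinary case id (placeholder)
    [string]$LogPath = ".\disciplinary-access-actions.log"     # placeholder location
)

# Scope needed to disable an account and revoke its sessions.
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,DisplayName,AccountEnabled
if (-not $user) { throw "User '$UserPrincipalName' not found in the tenant." }

if (-not $user.AccountEnabled) {
    Write-Output "Account '$UserPrincipalName' is already disabled; nothing to change."
}
else {
    # 1. Block new sign-ins. Disabling (not deleting) preserves the user's data
    #    for eDiscovery and keeps the object available if the case is dropped.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false

    # 2. Invalidate refresh tokens so existing sessions stop working once the
    #    current access tokens expire, instead of persisting until the user logs out.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
}

# 3. Verify the change rather than trusting the call succeeded.
$check = Get-MgUser -UserId $user.Id -Property AccountEnabled
if ($check.AccountEnabled) { throw "Verification failed: account is still enabled." }

# 4. Record who did what, when and under which case, for the investigation report.
$record = [pscustomobject]@{
    Timestamp   = (Get-Date).ToUniversalTime().ToString("o")
    Case        = $CaseReference
    User        = $UserPrincipalName
    ObjectId    = $user.Id
    Action      = "AccountDisabled;SessionsRevoked"
    PerformedBy = (Get-MgContext).Account
}
$record | ConvertTo-Json -Compress | Add-Content -Path $LogPath

Write-Output "Suspended '$($user.DisplayName)' and revoked sessions (case $CaseReference)."
```

The script deliberately stops short of deleting the account or removing mailbox data: that would undermine the evidence-preservation point raised under Practical Audit Advice. A litigation hold in Purview on the user's mailbox and OneDrive is the usual complementary step, and the log line produced here is the kind of artifact that supports the Investigation Reports item in the Evidence Checklist.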


Evidence Checklist

  • Disciplinary Policy: A documented procedure defining the steps and possible outcomes of a security-related disciplinary action.

  • Investigation Reports: Anonymized records of past security investigations and the resulting decisions.

  • Acknowledgment: Evidence that employees have been made aware of the consequences of violating security policies.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How is the disciplinary process initiated once a security policy violation is detected by the IT or security team?

  • Is the disciplinary process applied consistently across all levels of the organization, including top management?

  • What measures are in place to ensure that an employee under investigation cannot delete or modify evidence within the Microsoft environment?

  • How do you ensure that the disciplinary action taken is proportionate to the severity of the security breach?