compliance controls are associated with this Policy definition 'Implement formal sanctions process' (5decc032-95bd-2163-9549-a41aba83228e)
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | PS-8 | FedRAMP_High_R4_PS-8 | FedRAMP High PS-8 | Personnel Security | Personnel Sanctions | Shared | n/a | The organization: a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. Supplemental Guidance: Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. Related controls: PL-4, PS-6. Control Enhancements: None. References: None. | link | 2 |
| FedRAMP_Moderate_R4 | PS-8 | FedRAMP_Moderate_R4_PS-8 | FedRAMP Moderate PS-8 | Personnel Security | Personnel Sanctions | Shared | n/a | The organization: a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. Supplemental Guidance: Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. Related controls: PL-4, PS-6. Control Enhancements: None. References: None. | link | 2 |
| hipaa | 0109.02d1Organizational.4-02.d | hipaa-0109.02d1Organizational.4-02.d | 0109.02d1Organizational.4-02.d | 01 Information Protection Program | 0109.02d1Organizational.4-02.d 02.03 During Employment | Shared | n/a | Management ensures users are (i) briefed on their security role(s)/responsibilities, conform with the terms and conditions of employment prior to obtaining access to the organization’s information systems; (ii) provided with guidelines regarding the security expectations of their roles; (iii) motivated to comply with security policies; and, (iv) continue to have the appropriate skills and qualifications for their role(s). | | 20 |
| hipaa | 0135.02f1Organizational.56-02.f | hipaa-0135.02f1Organizational.56-02.f | 0135.02f1Organizational.56-02.f | 01 Information Protection Program | 0135.02f1Organizational.56-02.f 02.03 During Employment | Shared | n/a | The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures, and notifies defined personnel (e.g., supervisors) within a defined time frame (e.g., 24 hours) when a formal sanction process is initiated, identifying the individual sanctioned and the reason for the sanction. Further, the organization includes specific procedures for license, registration, and certification denial or revocation and other disciplinary action. | | 4 |
| hipaa | 1306.06e1Organizational.5-06.e | hipaa-1306.06e1Organizational.5-06.e | 1306.06e1Organizational.5-06.e | 13 Education, Training and Awareness | 1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements | Shared | n/a | Employees and contractors are informed in writing that violations of the security policies will result in sanctions or disciplinary action. | | 11 |
| hipaa | 1501.02f1Organizational.123-02.f | hipaa-1501.02f1Organizational.123-02.f | 1501.02f1Organizational.123-02.f | 15 Incident Management | 1501.02f1Organizational.123-02.f 02.03 During Employment | Shared | n/a | Sanctions are fairly applied to employees following violations of the information security policies once a breach is verified and includes consideration of multiple factors. The organization documents personnel involved in incidents, steps taken, and the timeline associated with those steps, steps taken for notification, the rationale for discipline, and the final outcome for each incident. | | 11 |
| hipaa | 1503.02f2Organizational.12-02.f | hipaa-1503.02f2Organizational.12-02.f | 1503.02f2Organizational.12-02.f | 15 Incident Management | 1503.02f2Organizational.12-02.f 02.03 During Employment | Shared | n/a | A contact in HR is appointed to handle employee security incidents and notify the CISO or a designated representative of the application of a formal employee sanctions process, identifying the individual and the reason for the sanction. | | 11 |
| hipaa | 1504.06e1Organizational.34-06.e | hipaa-1504.06e1Organizational.34-06.e | 1504.06e1Organizational.34-06.e | 15 Incident Management | 1504.06e1Organizational.34-06.e 06.01 Compliance with Legal Requirements | Shared | n/a | Management approves the use of information assets and takes appropriate action when unauthorized activity occurs. | | 16 |
| hipaa | 1525.11a1Organizational.6-11.a | hipaa-1525.11a1Organizational.6-11.a | 1525.11a1Organizational.6-11.a | 15 Incident Management | 1525.11a1Organizational.6-11.a 11.01 Reporting Information Security Incidents and Weaknesses | Shared | n/a | The organization takes disciplinary action against workforce members that fail to cooperate with federal and state investigations. | | 6 |
| ISO27001-2013 | A.7.2.3 | ISO27001-2013_A.7.2.3 | ISO 27001:2013 A.7.2.3 | Human Resources Security | Disciplinary process | Shared | n/a | There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. | link | 2 |
| | mp.per.2 Duties and obligations | mp.per.2 Duties and obligations | | | | | n/a | n/a | | 40 |
| NIST_SP_800-53_R4 | PS-8 | NIST_SP_800-53_R4_PS-8 | NIST SP 800-53 Rev. 4 PS-8 | Personnel Security | Personnel Sanctions | Shared | n/a | The organization: a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. Supplemental Guidance: Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. Related controls: PL-4, PS-6. Control Enhancements: None. References: None. | link | 2 |
| NIST_SP_800-53_R5 | PS-8 | NIST_SP_800-53_R5_PS-8 | NIST SP 800-53 Rev. 5 PS-8 | Personnel Security | Personnel Sanctions | Shared | n/a | a. Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and b. Notify [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. | link | 2 |
| | org.1 Security policy | org.1 Security policy | | | | | n/a | n/a | | 94 |
| SOC_2 | CC1.5 | SOC_2_CC1.5 | SOC 2 Type 2 CC1.5 | Control Environment | COSO Principle 5 | Shared | The customer is responsible for implementing this recommendation. | • Enforces Accountability Through Structures, Authorities, and Responsibilities — Management and the board of directors establish the mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary. • Establishes Performance Measures, Incentives, and Rewards — Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives. • Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance — Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives. • Considers Excessive Pressures — Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance. • Evaluates Performance and Rewards or Disciplines Individuals — Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action, as appropriate | | 4 |