We are in the process of updating our organization's security policies and have found that we have no clear way of declaring an employee a security risk and no procedures for taking away system access privileges. Do we specify that a certain number of violations under our security policy determines that one is a security risk? Do we use personnel policy or some combination? It is not easy to terminate an employee in my organization. What about the handling of an employee who has been declared a security risk, but has not yet been terminated?
You have discovered something that is lacking in many organizations. Unfortunately, there is no easy answer.
First off, not every violation of your policy is equally serious. Someone who is simply wasting time surfing the Web for personal business is probably violating your policy, but you wouldn't fire them for a first offense. However, someone who broke into your personnel files, got a copy of the salary list for the company and e-mailed it to all employees would probably be out the door in a hurry.
I would suggest that your policy simply state that violations of your security policies can result in discipline ranging from reprimand through termination. It is then up to management and the personnel department to handle, just like any other violation of non-computer company policy.
If someone has been declared a security risk, they should have all access suspended immediately.
As with all policies that affect personnel issues, you should consult with your General Counsel before implementing any new policy.