The Importance of Policies and Procedures for Security

Mar 12, 2023

The Importance of Policies and Procedures to Improving Security Awareness

Prepared by David G. Patterson, MEA, CPP, PSP, CHS-III

Patterson & Associates Consulting

[email protected]

Telephone Office: 415-925-8512

Cell: 415-225-0914

Statement of the Problem

Many studies have documented that employees are a company's greatest asset while also being the source of its greatest problems. One survey that pinpointed the concern was the ASIS International 2009 survey "Impacts of Current Economic Environment on Security", which ranked the top eight threats as follows:

1. General increases in crime and theft
2. Employee lay-offs and furloughs
3. Increases in theft of physical property
4. Increases in workforce violence
5. Increases in theft of intellectual property
6. Fraud, embezzlement or misuse of funds
7. Increases in general employee dissatisfaction
8. Damage to company physical property

Of the top eight threats, more than half can be traced back to employees; yet many companies fail to recognize that employees are a major source of risk and fail to take a proactive approach to the problem. Most companies simply live with the problem and react when an incident occurs. The reasons vary, but in many cases companies feel these are isolated incidents caused by a few problem employees, or they see no benefit to the company in pursuing the perpetrators. Many companies try to avoid hiring potential problem employees, and detect and investigate employee losses on their own. As long as they catch (and fire) the thief and get some kind of restitution, such as recovering what the employee stole or having insurance cover the loss, companies feel they have done all they can. One of the major reasons companies don't prosecute problem employees is the fear of negative publicity, although this is slowly changing as employers start to realize that there are benefits in letting other employees know that these types of crimes will be detected and will not be tolerated.

To illustrate the severity of the problem, a few examples:

1. Survey participants in the annual study done by the Association of Certified Fraud Examiners (ACFE) estimated that the typical organization loses 5% of its revenues to fraud each year. Applied to the estimated 2011 Gross World Product, this figure translates to a potential projected global fraud loss of more than $3.5 trillion.
2. The median loss caused by the occupational fraud cases in the study was $140,000. More than one-fifth of these cases caused losses of at least $1 million. (ACFE, 2012)
3. Theft occurs in 95% of American companies. (Christopher D. A., 2003)
4. Coffin (2003) documented that up to three-quarters of all employees steal from their workplace at least once.
5. 40% to 70% of applicants lie on their applications for employment. (Marett, 2004)
6. Game playing on office computers costs businesses about $50 billion a year, and middle managers are the biggest perpetrators. (Keng Siau, January 2002)
7. Homicide is currently the fourth-leading cause of fatal occupational injuries in the United States. According to the Bureau of Labor Statistics Census of Fatal Occupational Injuries (CFOI), of the 4,547 fatal workplace injuries that occurred in the United States in 2010, 506 were workplace homicides. Homicide is the leading cause of death for women in the workplace.
8. If you ignore problem employees or handle workplace problems ineffectively, you will soon have an employee turnover problem as your other good employees go elsewhere. (Dealing with Problem Employees: A Legal Guide, 2007)
9. Negligence can apply to the hiring, supervision, and retention of an individual employee if a violent act by that person is foreseeable. (Dana Loomis, 2008)

Factors Contributing to the Problem

Douglas Watson (Watson, 2000) documented in his doctoral thesis that the four factors that most influence employee behaviors in the workplace are:

The individual's culture

The corporate culture

Corporate policies and procedures

Other employee attitudes

Looking at these factors, which ones can we influence to reduce the employee problems in our company? An individual's culture clearly plays an important part in forming an employee's behavior in the organization, but it is not something we can control. The other three factors, however, can very much be influenced by what we do as a company and are directly related to policies, standards, procedures, and training.

The objective we hope to achieve with policies and procedures is to get our employees to believe that an ethical corporate culture is good for the company and good for the employees. The company security function can best accomplish this objective by taking the following steps:

Develop a robust ethical corporate culture by getting complete buy-in from top management.

Implement sound corporate policies and procedures that support the corporate culture and provide the basis for a secure work environment.

Implement an effective communications and training program to train employees on policies and procedures so they understand them and abide by them. In this step we must essentially retrain the employees to embrace the company culture despite their own individual cultural background.

Consistently enforce our policies and procedures by rewarding those who abide by them and punishing those who don't.

Without proper program documentation, training, exercises, and enforcement, employees can become confused and overreact; lawsuits may result from inconsistent application, security officers may not know how to respond, valuable time may be wasted, and problems often occur. A review of lawsuits showed several cases where firms were sued for millions of dollars for a variety of issues such as failure to provide proper training for monitoring security systems, failure to have enough security officers on duty at a site, failure to have adequate security patrols during certain hours, failure to conduct pre-employment screening to weed out employees with violent backgrounds, improperly retaining employees who have violated standards of conduct, and other issues that could be traced to a lack of policies and procedures or a failure to enforce them (Sorensen, 2008). Regulatory authorities have also taken action against companies that violate statutes such as the UK Financial Services and Markets Act 2000. One company was fined over $10 million for not taking reasonable care to establish and maintain effective systems and controls for countering the risks of bribery and corruption associated with making payments to non-authorized overseas third parties who assisted the company in winning business from overseas clients (Amos, 2009).

The remainder of this report will be devoted to recommendations on how to develop meaningful policies and procedures, gain buy-in from your employees to create an ethical corporate culture, and deal with employee problems legally and effectively.

Definitions

Security Governance

Security governance is the set of responsibilities and practices exercised by executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly. Our research has shown that, through their emerging capabilities in security governance and risk management, many companies are taking proactive steps to ensure that their investments in security controls directly support their business objectives. A consistent, company-wide view of security risks that integrates both physical security and IT security is an essential element of this strategy. By combining sound security governance and risk management with an integrated approach to logical and physical security, companies gain a distinct advantage in competing in the global economy through an optimized IT infrastructure and better protection for their digital, physical, and human assets.

Security Program

A security program is a system of individuals, processes, policies, standards, and procedures developed to protect the company's assets and ensure that the company adheres to all applicable federal and state laws, industry regulations, and private contracts governing the actions of the organization. A security program is not merely a piece of paper or a binder on a shelf; it is not a quick fix to the latest hot problem; it is not a collection of hollow words. An effective security program must be a living, ongoing process that is part of the fabric of the organization. A security program must be a commitment to an ethical way of conducting business and a system for helping employees to do the right thing. On a very basic level a security program is about education, definition, prevention, detection, collaboration, and enforcement.

Physical Protection Systems (PPS)

A Physical Protection System (PPS) integrates people, procedures, and equipment for the protection of assets or facilities against theft, sabotage, or other malevolent human attacks. The functions of a PPS are detection, delay and response. (Garcia, 2001)

Security Policy

A security policy is a general statement of management’s intent regarding how the organization manages and protects assets. A policy is a guiding principle or rule used to set direction and guide decisions to achieve rational outcomes in an organization. It is used as a guide to decision making within the framework of objectives, goals, and management philosophies as determined by senior management. Policies exist to make sure that decisions fall within certain boundaries, leading to a consistent and fair approach. Policies are compulsory and supported by standards and procedures. Security policies are office rules used to support management philosophies and set the tone for a security-minded culture. Security policies are also used to set a standard for projecting your company image or to communicate regulations that apply to all personnel. Policies are most effective when they are issued and supported by top management as a result of interpreting the company mission and vision statements, and regulations. Policies are used to implement laws, industry standards, and common practices.

Security Standard

A policy is more effective when standards are also developed. Standards address what must be accomplished in specific terms, containing the means by which to implement one or more security policies. Standards are compulsory and supported by procedures.

Security Procedure

A security procedure is a set sequence of mandatory activities that performs a specific security task or function. Procedures are normally designed as a series of steps to be followed as a consistent and repetitive approach or cycle to accomplish an end result. Once implemented, security procedures provide a set of established actions for conducting the security affairs of the organization, which will facilitate training, process auditing, and process improvement. Procedures provide a starting point for implementing the consistency needed to decrease variation in security processes, which increases control of security within the organization. Decreasing variation is also a good way to eliminate waste, improve quality, and increase performance within the security department.


The Difference between Policies and Procedures

A policy is a guiding principle used to set direction in an organization. A procedure is a series of steps to be followed as a consistent and repetitive approach to accomplish an end result. Together, policies and procedures are used to empower a company with the direction and consistency necessary for successful implementation of security processes.

Importance of Security Documentation

Security policies, standards, and procedures are used to translate the company's business philosophies into action by applying sound security principles. Well-designed security documentation is an invaluable communication tool for efficiently running operations within the security department and bridging the gap between interrelated departments in the company. Policies, standards, and procedures improve decision making by providing an authoritative source for guidance and for answering questions. Well-developed and documented security policies and procedures support compliance with national and local laws, regulatory agencies affecting the business, government contracting authorities, independent certification organizations, and company standards of conduct, and they provide the documented basis for employee terminations and other administrative actions. Policies, standards, and procedures serve as a quality control mechanism for the security organization, helping ensure optimum operations and consistent delivery of security services. This program documentation provides the leadership, organizational structure, and processes that ensure the following for the company:

Strategic security direction is clear

Security risks are managed appropriately

Business objectives are balanced with security risks and are ultimately achieved

Organizational security resources are used responsibly and effectively

Security program effectiveness is measured

Benefits Derived from a Strong Security Program

There are many benefits to a company when it implements an effective security program. The following benefits are some of the most important:

Implementing a strong security program demonstrates to other companies that your company has a strong commitment to integrity. One of a company’s greatest assets is its reputation; it is very difficult to repair once it is damaged. An effective security program can help preserve and enhance a company’s reputation by preventing fraud and abuse. If policies are issued from executive levels, policies help to convince employees and customers that the company is committed to security. Increasingly as a result of business continuity planning, companies are requesting proof of sufficient levels of security from other companies they partner with in doing business.


Security documentation reinforces employees’ support of the corporate culture. Many employees have an inherent sense of honesty and welcome a means to report improper conduct without reprisal. A call to an anonymous hotline addresses this need and may identify issues that raise both ethical and legal concerns. When employees see an affirmative response to reports of wrongdoing, companies strengthen the relationship of trust with their loyal employees, and deter future illegal activity.

Implementation of a comprehensive security program improves employee’s security awareness regarding fraud, unethical behavior, and misuse of company assets. An effective program provides ongoing training of employees, monitors their understanding of policies and procedures, and implements the measures to discipline those personnel who violate the company’s code of conduct or other security rules.

Product and service quality is enhanced by an effective security program. The company’s mission sets forth the vision of providing products and/or services of value. Security policies and procedures, continuous security awareness training of employees, thorough investigations, and timely response to violations and deficiencies enhances the company’s ability to deliver products or services of the highest quality which in turn leads to higher profits.

An effective security program reduces a company’s exposure to civil damages and penalties as well as criminal and administrative sanctions. An effective security program implements procedures for promptly and efficiently responding to problems as they arise. Through early detection and reporting, a company can minimize the losses from false claims, penalties and sanctions imposed by regulatory bodies, fines and repercussions for violating contracts, and losses and expenses due to law suits.

An effective security program may mitigate sanctions imposed by the government when violations do occur. Even though companies have implemented security programs, some employees may engage in conduct that violates applicable statutes and regulations. The Organizational Sentencing Guidelines of the U.S. Sentencing Commission provide for a reduction in criminal fines in cases where an organization has implemented an effective program to prevent and detect violations of the law. Government investigators place substantial weight on the existence of an effective security program that predates an incident and the resulting investigation.

An effective corporate security program may protect corporate directors from personal liability. The fiduciary duties of corporate directors require that they keep themselves adequately informed concerning the operations and finances of the company. An effective security program designed to assure compliance with applicable legal requirements has been recognized as meeting this duty of care. Avoidance of penalties and fines should be a major incentive for organizations to implement a security program. If a government entity finds an organization guilty of fraud and abuse, the penalties can be severe and loss of business and damage to reputation will most assuredly result.

Security documentation improves communications. Security program documentation serves to translate the company's business philosophies and desires into action. Well-designed policies and procedures are an invaluable communication tool for efficiently running operations within departments and gaining cooperation between departments.

Policies and procedures improve consistency and reduce training time. Policies and procedures will be a functional guide for training new and existing employees and will help prevent difficulties in performing duties due to lack of understanding or inconsistent approaches from personnel changes.

Program documentation improves productivity. Policies and procedures speed up decision making by managers by having a handy, authoritative source for answering questions.

Well-written policies and procedures support internal audits. Internal audits are useful tools for pinpointing problem areas and uncovering criminal conduct by employees. These audits should be conducted soon after the program is fully implemented to ensure that the processes put in place are serving their purposes and functioning correctly; and also that changes can be made before the undesirable practices become habit and difficult to change. Furthermore, audits may uncover security documentation that needs to be modified or changed completely because it is not serving the intended purposes.

Documentation provides historical records. Security documentation prepared and updated as recommended will serve as a historical record of what practices were in place in a company during a specified time period. This may be very important in a litigation case where a company is being sued for wrongdoing. Evidence that a company had certain policies and procedures and training in place at a particular time may help avoid negligence charges.

The Security Solution Hierarchy

Many companies believe that the solution to their security problems lies in technology and manpower, but in reality management should first implement low-cost solutions that support behavior modification, such as implementing policies and procedures, training managers and employees on security matters, and developing frequent security awareness communications with employees. Higher-cost solutions should be applied only after less costly solutions have been exhausted and significant risk remains. This hierarchy is illustrated in a figure on the Security Source Online (SSO) website (Nesbitt, 2007). While it is imperative that the organization have policies and procedures, it cannot be emphasized enough that the only thing worse than not having a policy is having a policy and not enforcing it. Another axiom is: don't enforce policies you don't have. In other words, if you don't have a policy regarding use of the company telephones, don't try to take action against an employee for improper use of the telephone.

Content of Documentation

No security documentation should be implemented until you have done a complete threat and risk assessment of your company. A qualified and objective professional should conduct security assessments. Often the use of a qualified security consultant achieves the best result because of his or her independent perspective; one of the biggest advantages of using a qualified security consultant is objectivity. If you decide to contract with a security consultant, be sure the consultant has no ties to the security product industry, including contract guard services and security equipment manufacturers.

Once you have assessed the threats and vulnerabilities your organization faces, you consider what steps can be taken to improve your physical security. You then create security policies by putting these steps in writing. The resulting documentation will serve as the basis for the security program. All managers and key employees involved with security should be required to review, improve, and implement these security program documents. Security plan documentation is aimed at reducing your overall risk. It will therefore have at least four objectives, based on your risk assessment:

Reducing the level of threats you are experiencing.

Reducing your vulnerabilities.

Improving your employee preparedness for threats.

Maximizing your response to incidents.

Standards of Conduct

The standards of conduct, first and foremost, demonstrate the company’s ethical attitude and its emphasis on compliance with all applicable laws and regulations. The code of conduct is meant for all employees and contractors of the company. This includes management, vendors, suppliers, and independent contractors. From the board of directors to volunteers, everyone must receive, read, understand, and agree to abide by standards of the code of conduct. The code of conduct provides a process for proper decision-making, for doing the right thing. It elevates corporate performance in basic business relationships and confirms that the organization upholds and supports proper conduct. Managers should be encouraged to refer to the code of conduct whenever possible, even incorporating elements into performance reviews, and compliance with standards of conduct must be enforced through appropriate discipline when necessary. Disciplinary procedures should be stated in the standards, and the penalty — up to and including dismissal — for serious violations must be mentioned to emphasize the organization’s commitment. All employees must receive, read, and understand the standards and attest in writing that they have done this.


Recommended Security Policies, Standards, and Procedures for Best Practices

In addition to the standards of conduct, three types of security policies, standards, and procedures should be developed by every organization – framework, all employee, and security specific. All three types of policies, standards, and procedures are essential to a security program so that rules to which employees will be held accountable and the method for enforcing rules are clearly documented.

Framework Policies, Standards, and Procedures

The framework documentation creates the structure of how the security organization is staffed and how the security program operates. Framework policies also cover related business practices such as the employee selection process, background-screening requirements for new employees, the company's workplace violence policy, and the business continuity plan.

All Employee Policies, Standards, and Procedures

These documents define the applicable laws, security regulations, and rules that apply to all employees and how to operate compliantly within those rules. They also identify the risk areas applicable to the organization and describe appropriate and inappropriate behaviors with regard to those risk areas. These documents should cover such subjects as the use of company computers, telephones, and other company assets and how the company monitors employees' actions. These documents set the tone for the corporate culture and should be strict but flexible, designed to meet the employer's needs, restrict employee actions, diminish the employee's expectation of privacy, and be consistently enforced. They are the most important documents for building a strong corporate culture. While the common law may recognize the right of an individual to take legal action for an offense known generally as "invasion of privacy," such actions historically have not provided employees with additional protections. Courts have found that employers' monitoring of their employees' electronic transmissions involving e-mail, the Internet, and computer file usage on company-owned equipment is not an invasion of privacy. Invasion of privacy claims against an employer generally require employees to demonstrate, among other things, that they had a "reasonable expectation of privacy" in their communications. Courts have consistently held, however, that privacy rights in such communications do not extend to employees using company-owned computer systems, even in situations where employees have password-protected accounts. (Harada, 2002) Note that this reflects U.S. case law as of the cited source; employee-monitoring rules differ by jurisdiction, so a monitoring policy should be checked against the law of each place the company operates.


Security Specific Policies, Standards, and Procedures

These documents provide detailed instructions to security employees for accomplishing specific security duties. These are extremely important, as security system installation, operation, and monitoring are integral to the security program. Security systems such as electronic access control, intrusion alarm, closed circuit TV (CCTV), and monitoring systems are designed to detect events that are not expected in a facility, provide alarms to alert the personnel monitoring the security systems, assist them in determining the cause of the alarm, and then provide the ability to dispatch an appropriate security response. Access control systems should alarm if an unauthorized person tailgates behind an authorized person through a door or turnstile into a facility. Intrusion detection systems should alarm if an intruder opens a door or window at the wrong time or without presenting a valid ID card or code. For each alarm point, the security personnel assigned to monitor alarms should have detailed operating procedures describing what actions to take to assess the alarm. Companies are expected to exercise reasonable care in training and supervising their employees in the design, installation, operation, and monitoring of security systems. There are numerous lawsuits concerning poor security personnel practices, negligent training, and negligent supervision. (Nemeth, 2005)
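As an added illustration (not code from the paper or from any vendor's product), the following Python models the alarm rules just described and applies them to a constructed event log: a door opened without a valid badge read within a short window raises a forced-door alarm, an opening outside the door's schedule raises an after-hours alarm, and more passages than valid reads during one door-open cycle raises a tailgate alarm. The event format, door names, schedules and the 5-second badge window are assumptions; a real system would take these from the access-control controller's configuration.

```python
"""Alarm assessment rules for an access-control / intrusion system.

Added illustration, not from the paper or any vendor's product.  The event
format, door names, schedules and the 5-second badge window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, time

BADGE_WINDOW = timedelta(seconds=5)   # assumed: a valid read must precede the open by <= 5 s

# Assumed schedules (local time); an opening outside this range is "the wrong time".
SCHEDULE = {
    "LOBBY-1": (time(7, 0), time(19, 0)),
    "SERVER-2": (time(8, 0), time(18, 0)),
}


@dataclass
class Event:
    ts: datetime
    door: str
    kind: str          # BADGE, DOOR_OPEN, PASSAGE, DOOR_CLOSE
    detail: str = ""   # for BADGE: "<card> GRANTED|DENIED"


@dataclass
class Alarm:
    ts: datetime
    door: str
    rule: str          # FORCED_DOOR, AFTER_HOURS or TAILGATE
    note: str


def parse_log(text):
    """One event per line: '<ISO timestamp> <door> <kind> [<detail>]'."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split(maxsplit=3)
        detail = parts[3] if len(parts) > 3 else ""
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], detail))
    return events


def in_schedule(door, ts):
    start, end = SCHEDULE[door]
    return start <= ts.time() < end


def assess(events):
    """Apply the three rules to a time-ordered event stream and return alarms."""
    alarms = []
    last_grant = {}   # door -> time of the most recent GRANTED read
    cycle = {}        # door -> [valid reads, passages] for the current open cycle
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "BADGE":
            if e.detail.endswith("GRANTED"):
                last_grant[e.door] = e.ts
                if e.door in cycle:           # second person badges while door is held
                    cycle[e.door][0] += 1
        elif e.kind == "DOOR_OPEN":
            grant = last_grant.get(e.door)
            credentialed = grant is not None and e.ts - grant <= BADGE_WINDOW
            if not credentialed:
                alarms.append(Alarm(e.ts, e.door, "FORCED_DOOR", "opened with no valid read"))
            if not in_schedule(e.door, e.ts):
                alarms.append(Alarm(e.ts, e.door, "AFTER_HOURS", "opened outside schedule"))
            cycle[e.door] = [1 if credentialed else 0, 0]
        elif e.kind == "PASSAGE":
            if e.door in cycle:
                cycle[e.door][1] += 1
        elif e.kind == "DOOR_CLOSE":
            reads, passages = cycle.pop(e.door, (0, 0))
            # A forced open already alarmed; tailgate only applies to a credentialed cycle.
            if reads and passages > reads:
                alarms.append(Alarm(e.ts, e.door, "TAILGATE",
                                    f"{passages} passages on {reads} valid read(s)"))
    return alarms


# Constructed sample log: a normal entry, a tailgate, and an after-hours forced door.
SAMPLE_LOG = """
2023-03-12T08:01:00 LOBBY-1 BADGE 1042 GRANTED
2023-03-12T08:01:02 LOBBY-1 DOOR_OPEN
2023-03-12T08:01:03 LOBBY-1 PASSAGE
2023-03-12T08:01:06 LOBBY-1 DOOR_CLOSE
2023-03-12T08:15:10 LOBBY-1 BADGE 2077 GRANTED
2023-03-12T08:15:11 LOBBY-1 DOOR_OPEN
2023-03-12T08:15:12 LOBBY-1 PASSAGE
2023-03-12T08:15:14 LOBBY-1 PASSAGE
2023-03-12T08:15:17 LOBBY-1 DOOR_CLOSE
2023-03-12T22:40:00 SERVER-2 BADGE 3100 DENIED
2023-03-12T22:40:09 SERVER-2 DOOR_OPEN
2023-03-12T22:40:11 SERVER-2 PASSAGE
2023-03-12T22:40:15 SERVER-2 DOOR_CLOSE
"""

if __name__ == "__main__":
    for a in assess(parse_log(SAMPLE_LOG)):
        print(a.ts.isoformat(), a.door, a.rule, "-", a.note)
```

Each alarm carries the rule name, which is the natural key for the per-alarm-point operating procedure the text calls for: the steps an operator follows to assess a TAILGATE at the lobby (review the camera, contact the badge holder) differ from those for a FORCED_DOOR on the server room after hours (dispatch a response, preserve the recording). The after-hours rule fires even when a credential was accepted, so that out-of-schedule entries are assessed rather than silently logged.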

Structure of Documentation

Companies should establish a consistent structure and format for all policies, standards, and procedures. Companies should also establish a document control (configuration management) system to ensure that all documentation is in the same format, is reviewed and updated at least annually, and is located on the company intranet where all employees can find and read it. Some companies have achieved good results using collaboration tools such as blogs, wikis, and Microsoft Office SharePoint Server (MOSS). A wiki is a website that allows the easy creation and editing of any number of interlinked web pages; wikis are particularly efficient as a central repository for company policies and procedures, since everything can be kept in the wiki, making it easy for the document owners to revise documents under version control and eliminating the need to circulate these materials by e-mail. MOSS is also a robust collaboration tool, accessible organization-wide, allowing users to view all files and e-mails that pertain to specific policies and procedures. Each document should have the following sections:

Name – The name of the document

Number – Numbers assigned by category and in chronological order (e.g. Framework (F), All Employee (AE), Security Specific (SS))

Classification – Depends on the company's document classification scheme

Version number and date – Current version number and release date

Reason for issuance – Initial release or reason for revision

Type – Policy, Standard, or Procedure

Purpose – The purpose or intent of the specific document

Scope – What personnel or what processes the document applies to

Statement – Policy, Standard, or Procedure statements and main instructions

Compliance – Who is responsible for complying with the document and the consequences for non-compliance

Enforcement – Date when the policy, standard, or procedure went into effect and how it will be tested

Page numbers – All pages should be numbered. If only a page or section is changed, a new revision should be issued for the entire document reflecting the date of the change. Don't replace only changed pages.

Issuing authority – Executive level signature

The security manager should maintain a log showing the name, number, creation date, and revision dates of all documents. In case of litigation, it is important that all versions of the documents are retained in the files and logs so the security manager can easily demonstrate what business practices were in effect at the time of any claim or incident. Security program documentation must be living documents, not just a binder on a shelf. They must become integral to the day-to-day operation of the organization. That is what a judge will look for in a litigation case. How are the policies and procedures applied throughout the year? Are they incorporated into employee performance reviews? Are they reviewed and updated according to a schedule and on time? Are employees trained on them?
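As an added example (not from the paper), the Python below models the document-control scheme above: numbers assigned by category in chronological order, a check that the required sections are present before a document is issued, whole-document revisions rather than replaced pages, and retention of every version so the register can answer which text was in effect on a given date. The category codes follow the paper; the document names, dates, section text and signing authorities are constructed.

```python
"""Document-control register for security program documentation.

Added example, not from the paper.  Category codes (F / AE / SS) follow the
paper; the documents, dates and section text in build_sample_register() are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

CATEGORIES = {"F": "Framework", "AE": "All employee", "SS": "Security specific"}
DOC_TYPES = ("Policy", "Standard", "Procedure")
# Body sections every document must carry; header fields are modelled as attributes.
REQUIRED_SECTIONS = ("purpose", "scope", "statement", "compliance", "enforcement")


@dataclass(frozen=True)
class Version:
    number: int
    released: date
    reason: str              # "initial release" or the reason for revision
    sections: dict           # complete text of every section, never a page patch
    issuing_authority: str   # executive who signed


@dataclass
class Document:
    number: str              # e.g. "AE-001": category code plus chronological sequence
    name: str
    doc_type: str
    versions: list = field(default_factory=list)   # every version is retained

    def current(self):
        return self.versions[-1]

    def in_effect_on(self, when):
        """Version in force on `when`, or None if the document was not yet issued."""
        effective = None
        for v in self.versions:          # versions are appended in release order
            if v.released <= when:
                effective = v
        return effective


def _check(doc_type, sections):
    if doc_type not in DOC_TYPES:
        raise ValueError(f"type must be one of {DOC_TYPES}")
    missing = [s for s in REQUIRED_SECTIONS if not sections.get(s)]
    if missing:
        raise ValueError(f"missing required section(s): {missing}")


class Register:
    """The security manager's log of every document and every revision."""

    def __init__(self):
        self.docs = {}
        self._seq = {code: 0 for code in CATEGORIES}

    def issue(self, category, name, doc_type, released, sections, authority):
        if category not in CATEGORIES:
            raise ValueError(f"category must be one of {list(CATEGORIES)}")
        _check(doc_type, sections)
        self._seq[category] += 1
        number = f"{category}-{self._seq[category]:03d}"
        doc = Document(number, name, doc_type)
        doc.versions.append(Version(1, released, "initial release", dict(sections), authority))
        self.docs[number] = doc
        return doc

    def revise(self, number, released, sections, authority, reason):
        """Issue a new revision of the whole document; earlier versions stay on file."""
        doc = self.docs[number]
        _check(doc.doc_type, sections)
        if released < doc.current().released:
            raise ValueError("revision cannot predate the current version")
        doc.versions.append(Version(len(doc.versions) + 1, released, reason,
                                    dict(sections), authority))
        return doc

    def log(self):
        """(number, name, creation date, revision dates) for every document."""
        return [(d.number, d.name, d.versions[0].released,
                 [v.released for v in d.versions[1:]]) for d in self.docs.values()]


def build_sample_register():
    """Constructed data: one all-employee policy issued and later revised, one procedure."""
    reg = Register()
    v1 = {
        "purpose": "Set rules for use of company computers and for monitoring.",
        "scope": "All employees, contractors and temporary staff.",
        "statement": "Company systems are for business use; all use is monitored.",
        "compliance": "All personnel; violations handled under the code of conduct.",
        "enforcement": "Effective 2022-01-10; tested by annual internal audit.",
    }
    reg.issue("AE", "Use of Company Computers", "Policy", date(2022, 1, 10), v1, "CEO")
    reg.issue("SS", "Alarm Assessment at Lobby Doors", "Procedure", date(2022, 2, 1),
              dict(v1, purpose="Steps to assess each lobby alarm point."), "VP Security")
    v2 = dict(v1, statement=v1["statement"] + " Personal devices may not join the network.",
              enforcement="Effective 2023-03-01; tested by annual internal audit.")
    reg.revise("AE-001", date(2023, 3, 1), v2, "CEO", "annual review")
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for row in reg.log():
        print(row)
    print("AE-001 in effect on 2022-06-01: version",
          reg.docs["AE-001"].in_effect_on(date(2022, 6, 1)).number)
```

The point of `in_effect_on` is the litigation scenario the text raises: given the date of a claim, the register returns the exact policy text and signing authority in force that day rather than the current text. Because `revise` takes the full set of sections and appends rather than overwrites, the "don't replace only changed pages" rule is enforced by construction.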

Security Awareness Education

Security awareness education and training go hand in hand with your policies and procedures and strengthen your company's security program by demonstrating to employees that management supports the program enough to provide training. We suggest three types of training:

1. A general session on security awareness for all new employees - These training sessions are meant to heighten awareness among all employees and communicate and emphasize the organization’s commitment to ethical business behavior, which affects all employees. A minimum of one to three hours for basic training in security awareness should be provided for all employees. All new employees should receive a copy of the standards of conduct. The employees should also be trained on how to find the company’s security policies and procedures. Many companies now include all the policies and procedures on the company intranet where all employees can view them. At the end of general training, every regular, temporary, and contracted employee should be required to sign and date a statement that confirms his or her knowledge of and commitment to the standards of conduct and the company’s security rules. This signed statement should be retained in the employee’s personnel files. Companies that require their employees to read and sign a statement every year are most successful in gaining compliance.

2. Periodic refresher training for employees in high-risk areas where problems have happened in the past, explaining how crimes have been committed, what signs to watch for, and methods for reporting employee dishonesty.

3. Special initial and refresher training for security organization employees regarding their duties. Refresher training should particularly address changes to policies and procedures. Provide longer, more intensive training sessions to employees in certain areas of responsibility, such as those operating security systems.

Monitoring Security Awareness and Maintaining Consistency

Your employees are an excellent source of knowledge about what is really going on in the company. Approached in the right way, they will help identify problem employees, weaknesses in controls, and suggestions for improvement. If management responds to their feedback by changing procedures and rewarding them accordingly, employees will recognize the benefit of participating in the process of improving their organization and will continue to find ways to contribute even more. Periodically send out questionnaires to a sampling of employees for feedback on your program, and conduct focus group interviews. Ask them openly about risks they see to the company, about their daily activities, about the policies and procedures, and whether they observe areas for improvement. Ask employees to be truthful about whether all employees actually follow the policies and procedures or whether they find ways to ignore them. Our research concludes that the best method to catch fraud and other crimes committed by company employees is through tips received from other employees. One of the keys is to make sure that employees who support you with suggestions are rewarded.

Data collection and tracking the performance of your security program are very important because they give you the ability to perform trend analysis and measure the progress of the security organization in achieving its goals. Consider the following techniques:

• Analyze security incident reports for trends that show improvement or deterioration of security organization performance over a given period.

• Review internal and external complaints filed against the company or against the security organization.

• Pose security-related questions to departing employees in exit interviews to identify problems with peer employees or managers.

Enforcement and Discipline

Employees will be much more supportive of the company terminating an employee for a violation of company policy than of the company simply deciding to let someone go for no stated reason. The place to start with enforcement is back at the beginning, with the standards of conduct and the policies and procedures. One of the framework documents should set forth the degrees of disciplinary action that may be imposed upon corporate officers, managers, and employees for failing to comply with the organization’s security program documentation and applicable statutes and regulations. That policy should include five main points:

1. Noncompliance will be punished
2. Failure to report noncompliance will be punished
3. An outline of disciplinary procedures from reprimand to dismissal
4. The parties responsible for actions at each level
5. Assurance that discipline will be fair and consistent

Failure to detect or report an offense is a serious act of noncompliance and is as deserving of discipline as the actual misconduct. Compliance with policies, standards, and procedures is an active, ongoing process that is everyone’s responsibility. Security managers should consult closely with their human resources (HR) and legal departments. There are no doubt existing disciplinary policies and procedures already in place which can serve as a guide in developing new ones that will be consistent with them. Your HR and legal colleagues will advise that you should not discipline employees without having properly informed them of the rules. The first step towards enforcement is distributing the standards of conduct and the other policies, standards, and procedures, and educating employees about them. The training should include the consequences of noncompliance.

Punishment for noncompliance can range from oral warnings through written warnings, suspension, privilege revocation, or financial penalties to termination, as appropriate. Many organizations use this type of progressive discipline. The first step in this process should be a supervisor’s conference. The purpose of the supervisor’s conference is to make sure the employee understands the problem and is committed to correcting the inappropriate behavior. Depending on the situation, the next step might be a conference with a higher level of management, or it could be a written warning. The written warning is the more severe next step; it emphasizes the seriousness of the situation and stresses the urgency of modified behavior. It should also state that the employee will face further disciplinary action, up to and including termination, if the problem behavior continues. Subsequent steps might include suspension without pay or imposition of a probationary period in which the employee is advised to correct the behavior within a certain time period, e.g. 30 days, or face termination.
The final step is termination once all other options have been exhausted. The severity of the infraction will determine the steps. Certainly, any step beyond the basic supervisor’s conference should involve the HR and legal departments and the workplace violence team, including a security representative (if one has been established). Proper and thorough documentation will be essential.

Typical disciplinary action chain (steps may be repeated more than once or skipped depending on the level and severity of the offense):

• Verbal warning
• Written warning
• Suspension
• Fine(s)
• Termination

Punishment should be commensurate with the offense. There are offenses, such as blatant acts of fraud, that warrant immediate termination, but most infractions will likely be relatively minor and most likely unintentional. These may best be handled with education or additional training. Education should never be labeled as punishment. When put in a positive and supportive context, it can efficiently correct noncompliant behavior. Be sure your policies and procedures include remedial steps such as additional training.

Discipline is only a part of the enforcement equation. Objectives and plans for individuals and departments should include security initiatives. Achievement of those plans, especially when rewarded, is a positive reinforcement that encourages support for and enforcement of the security program. Performance appraisals should include security elements and allow supervisors to recognize favorable or improved security performance. Your security program will be better enforced if you also find ways to reinforce it through positive means and not just disciplinary measures.

About the Author

Mr. David G. Patterson, MEA, CPP, PSP, CHS-III is a Principal Partner in Patterson & Associates Global Consulting Services located in San Francisco, California and has over 30 years of international experience as a corporate safety and security consultant for Fortune 500 companies, schools, and governments. He is a recognized author and lecturer with the ASIS International Council on Physical Security in the areas of anti-terrorism, security systems integration, safety, workplace violence, and business continuity planning. He has also served on the faculty for the Physical Security Professional (PSP) Certification program and has developed online courses for this program.

Mr. Patterson is a recognized expert in the fields of safety, security, loss prevention, emergency management, and business continuity. He specializes in the anticipation, recognition, and prevention of crime committed on properties. He consults with business owners and managers, school administrators, security managers, and police on how to reduce risks. He is the author of the book “Implementing Physical Protection Systems – A Practical Guide,” which is used as a reference text for ASIS International’s PSP certification program and the International Association of Professional Security Consultants (IAPSC). He also authored a book entitled "Study Guide for the Physical Security Professional Certification Program." In addition, he has published numerous magazine articles on security and frequently speaks at seminars and workshops on current security and business continuity topics.
