A.7.2.3 Resolver IT Disciplinary Process

1. Purpose, scope, and users

The purpose of this document is to define the employee disciplinary process with respect to IT acceptable use.

Users of this document are all Resolver employees.

2. Reference documents

  • ISO/IEC 27001 standard, control A.7.2.3

3. Guiding Principle: IT Sanctions – Disciplinary Process

If a Resolverite breaches part of our IT acceptable use policy and an incident occurs, it’s serious! We’ll need to investigate and ensure proper action is taken to protect what matters.

STEP ONE: Investigation

  • The Information Security Manager will investigate the reported incident promptly and diligently in a fair and impartial manner.
  • If the investigator finds that a breach has occurred, appropriate action will be taken as well as steps to prevent any recurrence.

STEP TWO: Review IT Acceptable Use and ensure that the Resolverite clearly understands:

  • The IT Acceptable Use Guiding Principle
  • Training and Awareness: has the Resolverite completed updated security awareness training?
  • Potential implications and risk profile of the incident

Following the outlined discussion, the Information Security Manager will provide:

a) documentation of the incident, b) action required, c) timeline for action.

SITUATION: If a Resolverite breaches part of our IT acceptable use policy a second time or does not fully complete the action plan outlined in step two (2).

STEP THREE: Second Conversation:

  • Conduct investigation
  • Information Security Manager and Chief Operating Officer will provide a) documentation of the incident, b) action required, c) timeline for action, d) ramifications for inaction.

SITUATION: A Resolverite breaches part of our IT acceptable use policy a third time or does not fully complete the action plan outlined in step two (2) or three (3).

  • Conduct investigation
  • Chief Operating Officer and Talent Team will provide a) documentation of the incident, b) action required, c) timeline for action, d) ramifications for inaction which may include termination.

This Guiding Principle will be reviewed at least annually to comply with Resolver’s security requirements.

IT Systems Acceptable Use Guiding Principle (1.8) Snapshot:

We trust you to help us take care of our (Resolver, employees, customer, and partner) hardware, networks, systems, and IT services. Compromising our systems in any way is no laughing matter. This Guiding Principle outlines:

  • General use, data ownership, and property
  • Security & proprietary information
  • Software
  • IT Equipment

Please review this in full.

4. Validity and document management

This document is valid as of July 2020.

The owner of this document is the HR team, which must check and, if necessary, update the document at least once a year.

EFFECTIVE ON: September 2020

REVIEW CYCLE: Annual at least and as needed

REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.