Educause Security Discussion mailing list archives

Policy Enforcement


From: Scott Sweren <ssweren () UDEL EDU>
Date: Fri, 26 Mar 2010 13:34:17 -0400

I am interested to know what others do to enforce information security policies in a highly distributed environment 
where the security office may not have direct authority in the practical sense to impose sanctions.  For violations 
that are particularly egregious and/or violate criminal law the response is fairly simple in that the HR process for 
termination can be invoked.  I am more interested in lesser offenses that do not warrant considering termination.

We are examining our response procedures to policy violations and want to strike a balance for imposing a real 
deterrent to violating policy while maintaining the autonomy (or at least perceived autonomy) of the distributed 
groups so the security office does not look like "Big Brother".  I am not looking for the process followed with 
students but that used with faculty and staff.  I know faculty bargaining agreements and other labor agreements can 
factor into what can be done.

Some questions I am interested in knowing your responses to are:

- How did you get the authority to impose the sanctions?

- How is your process perceived?

- Do you always hold a person responsible, or are there scenarios where a department or group can be held accountable 
instead of or in addition to a person?

- With group accountability, do you have financial penalties that touch their budget or something else?

- If you have financial penalties, where does the money go?

- Do you have an appeals process?

Any input is appreciated.

Thanks,

Scott

Scott Sweren
Information Security Officer
University of Delaware
ssweren () udel edu 
