Viewer II

Incident Management

Hi everyone, please may anybody help me.


We don't have a DLP yet, and our documents aren't digitally classified. We have a Security Policy that establishes that employees can't send internal documents to external mail, but they send them. Most of the time it is for work purposes, to print, for example.


Well, about this I have some questions:


1. Can this be characterized as an incident?


2. We have a lot of work to analyze each incident, because we have to analyze the files, call the manager of the employee, and apply formal sanctions. Every time the same response. Is there some better way to deal with this repeatable incident?




Yuri Braz

4 Replies
Newcomer I

Hi Yuri

Thanks for your question.

1. Yes, not adhering to the security policy can be considered an incident.
2. Punishing employees does not teach the organisation the importance
of security. That's why it keeps happening again and again.

I would approach this issue by re-assessing the security policy in relation
to the way the company operates, and validate the risk that the security
policy is meant to reduce.

Simultaneously, the most important thing is to ensure that employees are
fully trained in regard to information security. Employees may read every
document when they are hired, but how much do they remember?

Your primary focus should be regular and consistent employee security
awareness training.

I hope this helps.

Community Champion

@yurirbraz wrote:


2. We have a lot of work to analyze each incident, because we have to analyze the files, call the manager of the employee, and apply formal sanctions. Every time the same response. Is there some better way to deal with this repeatable incident?


@James_Waithe answered your first question, and most of the people here in the Community would agree it's a security incident after a policy violation.


Question 2 can be broken down by people, process, and technology. People will almost always take the path of least resistance when trying to solve problems.


  • Train the people in a formal SETA program that covers policy and standards within the org
  • Understand the business processes behind the need to print from anywhere
  • Implement technology to prevent or help facilitate printing from anywhere
  • Modify the policy to have their Managers sit in the remedial training as well to help keep accountability

Contributor I

Noticed post. Other comments provided some good pointers, but there needs to be a tie-in with Corporate leadership to include Legal and HR. So basically policy will need to communicate the full expectation vs. generalities, so that when it comes time for an incident and it is behavior related, there should be no question in the employee's view as to why actions are being taken against them. Recommend doing some extensive looking at international standards/etc. to basically identify gaps at the management (e.g. policy), operational (procedural/incident), as well as technical levels, since from what you provided there seem to be key processes/controls missing. $00.02

Community Champion

If you want this to be corrected then you need to:

1) Classify this as an incident so you can track metrics on it. What gets measured, gets action taken on it.

2) Ensure you have:

a) Good information security policy that points out expected behavior

b) Good HR policy that points out punishment for violating policy

c) Good forensics that you can prove the violation of policy

d) Good forensic procedures that can withstand a court challenge

e) Periodic reporting to management of the trends of violations of policy


Here is an example. One of the places I worked at had an employee who liked to view pornography at work. The previous CISO would print out a one page document of websites visited and ask HR and legal to fire the employee. A one page document is not enough evidence for either HR or legal to comfortably act on, so they didn't, and assumed the CISO was incompetent with performing investigations. When I came in, I performed a proper investigation. When I was done, what I had prepared and delivered to HR and legal was a stack of documents over one inch thick. I first made sure we had the policies in place (HR **gender** harassment policy, Agency Acceptable Use Policy, Warning banner on the computer was in effect, Annual Cybersecurity training had been taken, etc.). Then I documented where he broke each of those policies (I printed them out and highlighted every section that was violated). I then had a special computer that was on its own standalone Internet connection and went to every website he had gone to and ALSO, every website he attempted to go to but was blocked by our tools. Repeated failed attempts show intent and not just accidental activity. I took screenshots of those websites. Some of the sites that were blocked on the company network but were allowed on the standalone network went to infected websites (yes, my special investigative computer had protections on it). I documented how, if this had not been stopped on the company network, we would have gotten infected. I then drafted a document explaining how Internet activity could be tracked to individual IP addresses and that with the right tools someone could determine that someone at our company was visiting these types of sites, which would reflect poorly on the company's image. I laid all of this information out in a neat manner, showing the list of evidence, itemized, categorized, and organized. The very first piece of evidence was a Risk Determination Letter.
This one page letter summarized why this individual was a threat to our company. It was broken down into 3 risk areas:

1) Risk to the company reputation. Pornography, and especially the fetishes he was interested in, would really damage the company as it went against our mission. It would have caused a lot of legal headaches for us.

2) Risk to the company network. By using a specially protected computer to perform the investigation I was able to prove that by going to these risky sites that we would have gotten infected.

3) Risk to our clientele. With some of the fetishes he was looking up, including bondage, torture, etc., it put our clients at risk with having someone with those tendencies in a position over vulnerable people.


The next document in the evidence folder was the investigative report that broke down into further detail how we were alerted to this individual, what steps we took to investigate, the evidence found to substantiate (or refute the claim - and yes we did do full investigations that led to no finding or action. This is important if you want to successfully prosecute later cases.). This was followed up with the investigator's finding on the case. We made sure that the claims in the Risk Determination Letter were substantiated and documented in the investigative file. Then we had a list of all of the evidence which was numbered and organized neatly behind it.


I never said we should fire them for looking at pornography. I recommended firing them for being a great risk to our company. Notice how I framed this. Not firing for breaking a policy, but for being a risk to the company. Keep this in mind when you think of the end result you want. If you can frame it as risk, then it can get more traction. If you just keep complaining that they are breaking the rules, you may not get anywhere.


What I have found effective is that when an employee is caught breaking the rule, go to them and talk with them and their supervisor. Find out WHY they did it. Is the business process broken and they have to do it to get work done? Were they just being lazy and didn't want to use VPN? Did they knowingly violate the policy because it was just easier? Did they even know there were rules against it? Did someone show them how to do it wrong? Were they set up by someone who wants to see them fired? There can be many reasons. To truly solve it you must know why they keep doing it. Find out the why first, as there may be a bigger problem that is causing all of this. Explain why breaking the policy is a bad thing and what risk it puts the company in. Explain that this meeting serves as their notice and that future violations will incur stiffer penalties. Make sure you run this by your HR department and they agree and have policies for rule violations and consequences of them.


When you find out your why, see if there is another problem causing this. You say people do it to print, so why is the company printer not working? Is it frequently broken? Is it down? Was it not properly set up on new people's computers? You may have a process problem and not just a policy violation problem. Repeated incidents can often indicate a problem in another area.