
Non-Compliance Investigation

2025.1

Reviewed: 12/2/2024
Updated: 12/2/2024

Purpose and Scope:

  1. The policy lays out the expectations of each employee of IMPLAN for reporting non-compliance with IMPLAN's policies and procedures.
  2. Individuals that report violations in good faith may not be subjected to intimidation, threats, coercion, discrimination, or any other retaliatory action as a consequence.

Controls and Procedures

Non-Compliance Policy:

  1. All such violations should be reported to the Information Security Manager (ISM).
  2. The ISM promptly facilitates a thorough investigation of all reported violations of IMPLAN's security policies and procedures. The ISM may request assistance from others.
    a. Complete an audit trail/log to identify and verify the violation and sequence of events.
    b. Interview any individual that may be aware of or involved in the incident.
    c. All individuals are required to cooperate with the investigation process and provide factual information to those conducting the investigation.
    d. Provide individuals suspected of non-compliance with the Security rule and/or IMPLAN's policies and procedures the opportunity to explain their actions.
    e. The investigator thoroughly documents the investigation as the investigation occurs. This documentation must include a list of all employees involved in the violation.
    f. Violation of any security policy or procedure by workforce members may result in corrective disciplinary action, up to and including termination of employment. Violation of this policy and procedures by others, including business associates, customers, and partners may result in termination of the relationship and/or associated privileges. Violation may also result in civil and criminal penalties as determined by federal and state laws and regulations.
  3. A fair disciplinary process will be utilized for employees that are suspected of committing breaches of security. Multiple factors will be considered when deciding the response such as whether or not this was a first offense, training, business contracts, etc.
    a. IMPLAN reserves the right to terminate employees in serious cases of misconduct.
    b. A violation resulting in a breach of confidentiality (i.e., release of sensitive data to an unauthorized individual) or a change of the data integrity requires immediate termination of the workforce member from IMPLAN.
    c. The ISM facilitates taking appropriate steps to prevent recurrence of the violation (when possible and feasible).
  4. In the case of an insider threat, the ISM will set up a team to investigate and mitigate the risk of insider malicious activity. IMPLAN workforce members are encouraged to come forward with information about insider threats, and can do so anonymously.
  5. The ISM maintains all documentation of the investigation, sanctions provided, and actions taken to prevent reoccurrence for a minimum of seven years after the conclusion of the investigation.
  6. When the ISM identifies a violation and begins a formal sanction process, they will notify the Leadership team within 24 hours. That notification will include 1) identifying the individual sanctioned, 2) the reason for the sanction, and 3) specific procedures for service or account restriction / revocation or other disciplinary actions as required.