
The Importance of Policies and Procedures in Improving Security Awareness

Written by David G. Patterson, CHS-III, MEA, CPP, PSP

This article offers suggestions stemming from the author's recent research indicating that CSOs are most concerned with problems relating to their employees, arising from such crimes as violence, fraud, theft, unethical conduct, and drugs and alcohol in the workplace. Often these problems are caused by a failure to implement clear policies and procedures, generating behavior that undermines organizational authority, jeopardizes organizational efficiency, and often results in lawsuits due to premises liability, negligence, foreseeability, etc. Organizations need a robust security program with strong policies and procedures to channel employee behavior, create an honest employee culture, and provide legal structure.

Statement of the Problem

Many studies have shown that employees are a company's greatest asset while also the source of its greatest problems. One survey that pinpointed the concern was the survey report by ASIS. The top threats to companies are as follows:

  • general increases in crime and theft,
  • employee lay-offs and furloughs,
  • increases in theft of physical property,
  • increases in workforce violence,
  • increases in theft of intellectual property,
  • fraud-embezzlement or misuse of funds,
  • increases in general employee dissatisfaction, and
  • damage to company physical property (ASIS, 2009).

Of the top eight threats to companies, more than half can be traced back to employees; however, many companies fail to recognize that employees are a major problem and fail to take a proactive approach to the problem. Most companies just live with the problem and react when an incident occurs. The reasons for this vary, but companies often feel that these are isolated incidents caused by a few problem employees or that there is no perceived benefit in pursuing the perpetrators. Most companies try to avoid hiring potential problem employees and detect and investigate employee losses on their own. As long as they catch (and fire) the thief and get some kind of restitution, such as recovering what the employee stole or having insurance cover the loss, companies feel they have done all they can. There is also a fear of negative publicity, although this aspect is changing. Employers are realizing the benefits of letting other employees know that these crimes will be detected and will not be tolerated.

To illustrate the severity of the problem, here are a few examples:

  • The median loss caused by the occupational fraud cases in the study was $140,000. More than one-fifth of these cases caused losses of at least $1 million.
  • Theft occurs in 95% of American companies.
  • Coffin documented that up to three-quarters of all employees steal from their workplace at least once (Coffin, 2003).
  • 40% to 70% of applicants lie on their applications for employment.
  • Game playing on office computers actually costs businesses about $50 billion a year and middle managers are the biggest perpetrators.
  • Homicide is currently the fourth-leading cause of fatal occupational injuries in the United States. According to the Bureau of Labor Statistics Census of Fatal Occupational Injuries (CFOI), of the 4,547 fatal workplace injuries that occurred in the United States in 2010, 506 were workplace homicides. Homicide is the leading cause of death for women in the workplace (Davis, 2009).

If you ignore problem employees or handle workplace problems ineffectively, you will soon have an employee turnover problem because your good employees will go elsewhere.

Negligence can apply to the hiring, supervision, and retention of an individual employee if a violent act by that person is foreseeable.

Factors Contributing to the Problem

Douglas Watson (Watson, 2000) documented in his doctoral thesis that the four factors that most influence employee behaviors in the workplace are as follows:

  • the individual's culture,
  • the corporate culture,
  • corporate policies and procedures, and
  • other employee attitudes.

Looking at these factors, which ones can we influence to reduce the employee problems in our company? We can easily see that an individual's culture plays an important part in forming his or her behavior in the organization, but this is not something we can control. However, the other three factors can very much be influenced by the company and are directly related to policies, standards and procedures, and training.

The objective we hope to achieve with policies and procedures is to get our employees to believe that having an ethical corporate culture is good for the company and themselves. The company security function can best accomplish this objective in several ways:

  • Developing a robust ethical corporate culture by getting a complete buy-in from top management.
  • Implementing sound corporate policies and procedures that support the corporate culture and provide the basis for a secure work environment.
  • Implementing an effective communications and training program to train employees on policies and procedures so they understand and abide by them. In this step we must retrain the employees to embrace the company culture despite their own individual cultural background.
  • Consistently enforcing our policies and procedures by rewarding those who abide by them and punishing those who do not.

Without proper program documentation, training, exercises, and enforcement, employees can become confused and overreact; lawsuits may result from inconsistent application, security officers may not know how to respond, valuable time may be wasted, and problems often occur. A review of lawsuits showed several cases where firms were sued for millions of dollars for a variety of issues, including failure to provide proper training for monitoring security systems, failure to have enough security officers on duty, failure to have adequate security patrols during certain hours, failure to conduct pre-employment screening to weed out employees with violent backgrounds, improperly retaining employees who have violated standards of conduct, and other issues that could be traced to a lack of policies and procedures or a failure to enforce them. Regulatory authorities have taken action against companies that violate various acts, such as the Financial Services and Markets Act of 2000. One company was fined over $10 million for not taking reasonable care to establish and maintain effective systems and controls for countering the risks of bribery and corruption associated with making payments to non-authorized, overseas third parties who assisted the company in winning business from overseas clients (Westinghouse Air Brake Technologies Corporation, 2008).

The remainder of this report will be devoted to recommendations on how to develop meaningful policies and procedures, gain buy-in from your employees to create an ethical corporate culture, and deal with employee problems legally and effectively.


Security Governance
Security governance is the set of responsibilities and practices exercised by executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly. Our research has shown that through their emerging capabilities in the area of security governance and risk management, many companies are taking proactive steps to ensure that their investments in security controls directly support their objectives for the business. A consistent, company-wide view of security risks that integrates both physical security and IT security is an essential element of this strategy. By combining superior security governance and risk management with an integrated approach to logical and physical security, companies gain a distinct advantage in competing in the global economy through an optimized IT infrastructure and better protection for their digital, physical, and human assets.

Security Program
A security program is a system of individuals, processes, policies, standards, and procedures developed to protect a company's assets and ensure that the company adheres to all applicable federal and state laws, industry regulations, and private contracts governing the actions of the organization. A security program is not merely a piece of paper or a binder on a shelf; it is not a quick fix to the latest hot problem; it is not a collection of hollow words. An effective security program must be a living, ongoing process that is part of the fabric of the organization. A security program must be a commitment to an ethical way of conducting business and a system for helping employees to do the right thing. On a very basic level a security program is about education, definition, prevention, detection, collaboration, and enforcement.

Physical Protection Systems
A Physical Protection System (PPS) integrates people, procedures, and equipment for the protection of assets or facilities against theft, sabotage, or other malevolent human attacks. The functions of PPS are detection, delay, and response (Garcia, 2001).

Security Policy
A security policy is a general statement of management's intent regarding how the organization manages and protects assets. A policy is a guiding principle or rule used to set direction and guide decisions to achieve rational outcomes in an organization. It is used as a guide to decision making within the framework of objectives, goals, and management philosophies as determined by senior management. Policies exist to make sure that decisions fall within certain boundaries, leading to a consistent and fair approach. Policies are compulsory and supported by standards and procedures.

Security policies are office rules used to support management philosophies and set the tone for a security-minded culture. Security policies are also used to set a standard for projecting your company image or to communicate regulations that apply to all personnel. Policies are most effective when they are issued and supported by top management as a result of interpreting the company mission and vision statements and regulations. Policies are used to implement laws, industry standards, and common practices.

Security Standard
A policy is more effective when standards are also developed. Security standards address what must be accomplished in specific terms, containing the means by which to implement one or more security policies. Standards are compulsory and supported by procedures.

Security Procedure
A security procedure is a set sequence of mandatory activities that perform a specific security task or function. Procedures are normally designed as a series of steps to be followed as a consistent and repetitive approach to accomplish an end result. Once implemented, security procedures provide a set of established actions for conducting the security affairs of the organization, which will facilitate training, process auditing, and process improvement. Procedures implement the consistency needed to decrease variation in security processes, which increases control of security within the organization. Decreasing variation is also a good way to eliminate waste, improve quality, and increase performance within the security department.

The Difference Between Policies and Procedures
A policy is a guiding principle used to set direction in an organization. A procedure is a series of steps to be followed as a consistent and repetitive approach to accomplish an end result. Together, policies and procedures are used to empower a company with the direction and consistency necessary for successful implementation of security processes.

Importance of Security Documentation
Security policies, standards, and procedures are used to translate the company's business philosophies into action by utilizing sound security principles. Well-designed security documentation for businesses is an invaluable communication tool for efficiently running operations within the security department and bridging the gap between interrelated departments in the company. Policies, standards, and procedures improve decision making by having an authoritative source for guidance and for answering questions. Well-developed and documented security policies and procedures ensure compliance with national and local laws, regulatory agencies affecting business, government contracting authorities, independent certification organizations, and company standards of conduct. Policies, standards, and procedures serve as a quality control mechanism for the security organization. This helps ensure optimum operations and consistent delivery of the finest security services. This program documentation provides the leadership, organizational structure, and processes that ensure the following for the company:

  • Strategic security direction is clear
  • Security risks are managed appropriately
  • Business objectives are balanced with security risks and are ultimately achieved
  • Organizational security resources are used responsibly and effectively
  • Security program effectiveness is measured

Benefits Derived from a Strong Security Program
There are many benefits to a company when it implements an effective security program. The following benefits are some of the most important:

  • Implementing a strong security program demonstrates to other companies that your company has integrity. One of a company's greatest assets is its reputation; it is very difficult to repair once it is damaged. An effective security program can help preserve and enhance a company's reputation by preventing fraud and abuse. If policies are issued from executive levels, policies help convince employees and customers that the company is committed to security. Increasingly, as a result of business continuity planning, companies are requesting proof of sufficient levels of security from companies they partner with in doing business.
  • Security documentation reinforces employees' support of the corporate culture. Many employees have an inherent sense of honesty and welcome a means to report improper conduct without reprisal. A call to an anonymous hotline addresses this need and may identify issues that raise both ethical and legal concerns. When employees see an affirmative response to reports of wrongdoing, companies strengthen the relationship of trust with their loyal employees and deter future illegal activity.
  • Implementation of a comprehensive security program improves employees' security awareness regarding fraud, unethical behavior, and misuse of company assets. An effective program provides ongoing training of employees, monitors their understanding of policies and procedures, and implements the measures to discipline those personnel who violate the company's code of conduct or other security rules.
  • Product and service quality is enhanced by an effective security program. The company's mission sets forth the vision of providing products and/or services of value. Security policies and procedures, continuous security awareness training of employees, thorough investigations, and timely responses to violations and deficiencies enhance the company's ability to deliver products or services of the highest quality, which in turn leads to higher profits.
  • An effective security program reduces a company's exposure to civil damages and penalties as well as criminal and administrative sanctions. An effective security program implements procedures for promptly and efficiently responding to problems as they arise. Through early detection and reporting, a company can minimize the losses from false claims, penalties and sanctions imposed by regulatory bodies, fines and repercussions for violating contracts, and losses and expenses due to lawsuits.
  • An effective security program may mitigate sanctions imposed by the government when violations do occur. Even though companies have implemented security programs, some employees may engage in conduct that violates applicable statutes and regulations. The Organizational Sentencing Guidelines of the U.S. Sentencing Commission provide for a reduction in criminal fines in cases where an organization has implemented an effective program to prevent and detect violations of the law. Government agents place substantial weight on the existence of an effective security program that predates an incident and resulting investigation.
  • An effective corporate security program may protect corporate directors from personal liability. The fiduciary duties of corporate directors require that they keep themselves adequately informed concerning the operations and finances of the company. An effective security program designed to assure compliance with applicable legal requirements has been recognized as meeting this duty of care. Avoidance of penalties and fines should be a major incentive for organizations to implement a security program. If a government entity finds an organization guilty of fraud and abuse, the penalties can be severe and loss of business and damage to reputation will most assuredly result.
  • Security documentation improves communications. Security program documentation serves to translate the company's business philosophies and desires into action. Well-designed policies and procedures are an invaluable communication tool for efficiently running operations within departments and gaining cooperation between departments.
  • Policies and procedures improve consistency and reduce training time. Policies and procedures will be a functional guide for training new and existing employees and will help prevent difficulties in performing duties due to lack of understanding or inconsistent approaches from personnel changes.
  • Program documentation improves productivity. Policies and procedures speed up the decision making of managers by having a handy, authoritative source for answering questions.
  • Well-written policies and procedures support internal audits. Internal audits are useful tools for pinpointing problem areas and uncovering criminal conduct by employees. These audits should be conducted soon after the program is fully implemented to ensure that the processes put in place are serving their purposes and functioning correctly and so that changes can be made before the undesirable practices become habit and difficult to change. Furthermore, audits may uncover security documentation that needs to be modified or changed completely because it is not serving the intended purposes.
  • Documentation provides historical records. Security documentation prepared and updated as recommended will serve as a historical record of what practices were in place in a company during a specified time period. This may be very important in a litigation case where a company is being sued for wrongdoing. Evidence that a company had certain policies and procedures and training in place at a particular time may help avoid negligence charges.

The Security Solution Hierarchy

Many companies believe that the solution to their security problems lies in technology and manpower, but in reality, management should implement low-cost solutions that support behavior modification, such as implementing policies and procedures, training managers and employees on security matters, and developing frequent security awareness communications programs. Higher-cost solutions should be applied only after less costly solutions have been exhausted and significant risk remains. This is illustrated on the Security Source Online (SSO) website as shown in the figure on the right (Nesbitt, 2007). While it is imperative that the organization has policies and procedures, it cannot be emphasized enough that the only thing worse than not having a policy is having a policy and not enforcing it. Another axiom says, "don't enforce policies you don't have." In other words, if you don't have a policy regarding use of the company telephones, don't try to take action against an employee for improper use of the telephone.

Content of Documentation

No security documentation should be implemented until you have done a complete threat and risk assessment of your company. A qualified and objective professional should conduct security assessments. Often the use of a qualified security consultant achieves the best result because of his or her independent perspective; one of the biggest advantages of using a qualified security consultant is their objectivity. If you decide to contract with a security consultant, be sure the consultant has no ties to the security product industry, including contract guard services and security equipment manufacturers.

Once you have assessed the threats and vulnerabilities your organization faces, you consider what steps can be taken to improve your physical security. You then create security policies by putting these steps in writing. The resulting documentation will serve as a basis for the security program. All managers and key employees involved with security should be required to review, improve, and implement these security program documents. Security plan documentation is aimed at reducing your overall risk. It will therefore have at least four objectives, based on your risk assessment:

  • Reducing the level of threats you are experiencing.
  • Reducing your vulnerabilities.
  • Improving your employee preparedness for threats.
  • Maximizing your ability to respond to incidents.

Standards of Conduct

The standards of conduct, first and foremost, demonstrate the company's ethical attitude and its emphasis on compliance with all applicable laws and regulations. The code of conduct is meant for all employees and contractors of the company. This includes management, vendors, suppliers, and independent contractors. From the board of directors to volunteers, everyone must receive, read, understand, and agree to abide by standards of the code of conduct. The code of conduct provides a process for proper decision-making. It elevates corporate performance in basic business relationships and confirms that the organization upholds and supports proper conduct. Managers should be encouraged to refer to the code of conduct whenever possible, even incorporating elements into performance reviews, and compliance with standards of conduct must be enforced through appropriate discipline when necessary. Disciplinary procedures should be stated in the standards, and the penalty—up to and including dismissal—for serious violations must be mentioned to emphasize the organization's commitment. All employees must receive, read, and understand the standards and attest in writing that they have done this.

Recommended Security Policies, Standards, and Procedures for Best Practices

In addition to the standards of conduct, three types of security policies, standards, and procedures should be developed by every organization: framework, all employee, and security specific. All three types of policies, standards, and procedures are essential to a security program so that rules to which employees will be held accountable and the method for enforcing rules are clearly documented.

1. Framework Policies, Standards, and Procedures
The framework documentation creates the structure of how the security organization is staffed and how the security program operates. In addition, framework policies also provide other business practices like the employee selection process, background-screening requirements for new employees, the company's workplace violence policy, and the business continuity plan.

2. All Employee Policies, Standards, and Procedures
These documents define the applicable laws, security regulations, and rules that apply to all employees and how to operate compliantly within those rules. They also indicate the applicable risk areas to an organization and describe appropriate and inappropriate behaviors with regard to those risk areas. These documents should cover such subjects as the use of company computers, telephones, and other company assets and how the company monitors employees' actions. These documents set the tone for the corporate culture and should be strict but flexible, designed to meet the employer's needs, restrict employee actions, diminish the employee's expectation of privacy, and consistently be enforced. These documents are the most important ones for building a strong corporate culture.

While most common laws may recognize the right of an individual to take legal action for an offense known generally as "invasion of privacy," such actions historically have not provided employees with additional protections. Courts have found that employers' monitoring of their employees' electronic transmissions involving e-mail, the Internet, and computer file usage on company-owned equipment is not an invasion of privacy. Invasion of privacy claims against an employer generally require employees to demonstrate, among other things, that they had a "reasonable expectation of privacy" in their communications. Courts have consistently held, however, that privacy rights in such communications do not extend to employees using company-owned computer systems, even in situations where employees have password-protected accounts.

3. Security Specific Policies, Standards, and Procedures
These documents provide detailed instructions to security employees for accomplishing specific security duties. These are extremely important as security system installation, operation, and monitoring are integral to the security program. Security systems such as electronic access control, intrusion alarm, closed circuit TV (CCTV), and monitoring systems are designed to detect events that are not expected in a facility, provide alarms to alert personnel monitoring security systems, assist them in determining the cause of the alarm, and then provide the ability to dispatch an appropriate security response. Access control systems should alarm if an unauthorized person tailgates behind an authorized person through a door or turnstile into a facility. Intrusion detection systems should alarm if an intruder opens a door or window at the wrong time or without presenting a valid ID card or code. For each alarm point, security personnel assigned to monitor alarms should have detailed operating procedures describing what actions to take to assess the alarms (David G. Patterson, 2005). Companies are expected to exercise reasonable care in training and supervising their employees in design, installation, operation, and monitoring of security. There are numerous lawsuits concerning poor security personnel practices, negligent training, and negligent supervision.

Structure of Documentation

Companies should establish a consistent structure and format for all policies, standards, and procedures. Companies should also establish a configuration management system to ensure that all documentation is in the same format, is updated annually (at least), and is located on the company intranet where all employees can find and read it. Some companies have achieved good results using social media constructs such as blogs, wikis, and Microsoft Office SharePoint Server (MOSS). A wiki is a website that allows the easy creation and editing of any number of interlinked web pages. Wikis are particularly efficient as a central repository for company policies and procedures. Everything can be kept in the wiki, making it easy for employees to revise documents and eliminating the need for emails to circulate these materials.

MOSS is also a robust collaboration tool that is accessible organization-wide, allowing users to view all files and emails that pertain to specific policies and procedures.

Each document should have the following sections:

  • Name – The name of the document
  • Number – A number assigned by category and chronological order (e.g. Framework (F), All Employee (AE), Security Specific (SS))
  • Classification (depends on company document classification scheme)
  • Version number and date – Current version number and release date
  • Reason for issuance (initial release or reason for the revision)
  • Type – Policy, standard, or procedure
  • Purpose – The purpose of the specific document
  • Scope – What personnel or what processes the document applies to
  • Statements – Policy, standard, or procedure statements and main instructions
  • Compliance – List of who is responsible for complying with the document and the consequences for non-compliance
  • Enforcement – Date when the policy, standard, or procedure went into effect and description of how it will be tested
  • Page numbers – All pages should be numbered
  • Issuing authority – Executive-level signature

If only a page or section is changed, a new revision should be issued for the entire document reflecting the date of the change. Don't replace only changed pages. The security manager should maintain a log showing the name, number, creation date, and revision dates of all documents. In case of litigation, it is important that all versions of the documents are retained in the files and logs so the security manager can easily demonstrate what business practices were in effect at the time of any claims or incidents.

Security program documentation must be living documents, not just a binder on a shelf. They must become integral to the day-to-day operation of the organization. That is what a judge will look for in a litigation case. How are the policies and procedures applied throughout the year? Are they incorporated into employee performance reviews? Are they reviewed and updated according to a schedule and on time? Are employees trained on them?

Security Awareness Education
Security awareness education and training go hand in hand with your policies and procedures and strengthen your company's security program by demonstrating to employees that management supports the program enough to provide training. Listed below are three suggested types of training:

  1. A general session on security awareness for all new employees. These training sessions are meant to heighten awareness among all employees and communicate and emphasize the organization's commitment to ethical business behavior, which affects all employees. A minimum of one to three hours for basic training in security awareness should be provided for all employees. All new employees should receive a copy of the standards of conduct. The employees should also be trained on how to find the company's security policies and procedures. Many companies now include all the policies and procedures on the company intranet so all employees can easily view them. At the end of general training, every regular, temporary, and contracted employee should be required to sign and date a statement that confirms his or her knowledge of and commitment to the standards of conduct and the company's security rules. This signed statement should be retained in the employee's personnel files. Companies that require their employees to read and sign a statement every year are most successful in gaining compliance.
  2. Refresher training periodically for employees. Specifically focus on refresher training in areas where problems have happened in the past, explaining how crimes have been committed, what signs to watch for, and methods for reporting employee dishonesty.
  3. Initial and refresher training for security organization employees regarding their duties. Refresher training should particularly address changes to policies and procedures. Provide longer, more intensive training sessions to employees in certain areas of responsibility, such as those operating security systems.

Monitoring Security Awareness and Maintaining Consistency

Your employees are an excellent source of knowledge about what is really going on in the company. Approached in the right way, they will help identify problem employees and weaknesses in controls and make suggestions for improvement. If management responds to their feedback by changing procedures and rewarding them accordingly, employees will recognize the benefit of participating in the process of improving their organization and will continue to find ways to contribute. Periodically send out questionnaires to a sampling of employees for feedback on your program and conduct focus group interviews. Ask them openly about risks they see to the company, their daily activities, the policies and procedures, and whether they observe areas for improvement. Ask employees to be truthful about whether all employees actually follow the policies and procedures or if they find ways to ignore them. Our research concludes that the best method to catch fraud and other crimes committed by company employees is through tips received from other employees. One of the keys is to make sure employees who support you with suggestions are rewarded.

Data collection and tracking the performance of your security program are very important because they provide you with the ability to accomplish trend analysis and measure progress of the security organization in achieving its goals. Consider the following techniques:

  • Analyze security incident reports for trends that show improvements or deterioration of security organization performance over a given period.
  • Review internal and external complaints filed against the company or against the security organization.
  • Pose security-related questions to departing employees in exit interviews to identify problems with peer employees or managers.

Enforcement and Discipline

Employees will be much more supportive of the company terminating an employee for a violation of company policy than letting them go for no reason. The place to start with enforcement is back at the beginning with the standards of conduct and the policies and procedures. One of the framework documents should set forth the degrees of disciplinary actions that may be imposed upon corporate officers, managers, and employees for failing to comply with the organization's security program documentation and applicable statutes and regulations.

That policy should include five main points:

  • 1. Noncompliance will be punished.
  • 2. Failure to report noncompliance will be punished.
  • 3. An outline of disciplinary procedures from reprimand to dismissal.
  • 4. The parties responsible for actions at each level.
  • 5. Assurance that discipline will be fair and consistent.

Failure to detect or report an offense is a serious act of noncompliance and equally as deserving of discipline as the actual misconduct. Compliance with policies, standards, and procedures is an active, ongoing process that is everyone's responsibility. Security managers should consult closely with their human resources (HR) and legal departments. There are probably existing disciplinary policies and procedures already in place that can serve as a guide in developing new ones. The HR and legal colleagues should advise that you should not discipline employees without having properly informed them of the rules.

The first step towards enforcement is distributing standards of conduct and other policies, standards, and procedures and educating employees about them. The training should include the consequences of noncompliance. Punishment for noncompliance can range from oral warnings and written warnings to suspension, privilege revocation, termination, or financial penalties. Many organizations use this type of progressive discipline.

The first step in this process should be a supervisor's conference. The purpose of the supervisor's conference is to make sure the employee understands the problem and is committed to correcting the inappropriate behavior. Depending on the situation, the next step might be a conference with a higher level of management, or it could be a written warning. The written warning is the more severe next step, and it emphasizes the seriousness of the situation and stresses the urgency of modified behavior. It should also state that the employee will face further disciplinary action, up to and including termination, if the problem behavior continues. Subsequent steps might include suspension without pay or imposition of a probationary period where the employee is advised to correct the behavior within a certain time period, e.g. 30 days, or face termination. The final step is termination once all other options have been exhausted. The severity of the infraction will determine the steps. Certainly, any step beyond the basic supervisor's conference should involve the HR and legal departments and the workplace violence team including a security representative (if one has been established). Proper and thorough documentation will be essential.

The following is a typical disciplinary action chain. These steps may be repeated more than once or skipped depending on the level and severity of the offense:

  • Verbal warning
  • Written warning
  • Suspension
  • Fine(s)
  • Termination

Punishment should be commensurate with the offense. There are offenses, such as blatant acts of fraud, that warrant immediate termination, but most infractions will likely be relatively minor and most likely unintentional. These may best be handled with education or additional training. Education should never be labeled as punishment. When put in a positive and supportive context, it can efficiently correct noncompliant behavior. Be sure your policies and procedures include remedial steps such as additional training. Discipline is only a part of the enforcement equation. Objectives and plans for individuals and departments should include security initiatives. Achievement of those plans, especially when rewarded, is a positive reinforcement that encourages support for and enforcement of the security program. Performance appraisals should include security elements and allow supervisors to recognize favorable or improved security performance. Your security program will be better enforced if you also find ways to reinforce through positive means and not just disciplinary measures.


ASIS. (2009). Results of 2009 Survey: Impacts of Current Economic Environment on Security. Alexandria, VA: ASIS.
Coffin, B. (2003). Breaking the Silence on White Collar Crime. Risk Management Magazine.
Patterson, D. G. (2005). Implementing Physical Protection Systems: A Practice Guide. Alexandria: ASIS Press.
Davis, G. (2009, September 17). Associated Content. Retrieved October 13, 2009, from Associated Content: http://www.associatedcontent.com
Garcia, M. (2001). The Design and Evaluation of Physical Protection Systems. Burlington: Butterworth-Heinemann.
Nesbitt, W. (2007, February 3). The Security Solution Hierarchy. Retrieved August 27, 2009, from Security Source: http://www.securitysourceonline.com
Watson, D. (2000). Ethics and Corporate Investigations. ACFE Fraud Symposium. Dhahran, Saudi Arabia: Saudi Aramco.
Westinghouse Air Brake Technologies Corporation, Litigation Rel No. 20457 (SEC Feb 14, 2008).

About the Author

David G. Patterson, MEA, CPP, PSP, CHS-III is a Principal Partner in Patterson & Associates Global Consulting Services located in San Francisco, California, and has over 30 years of international experience as a corporate safety and security consultant for Fortune 500 companies, schools, and governments. He is a recognized author and lecturer with the ASIS International Council on Physical Security in the areas of anti-terrorism, security systems integration, safety, workplace violence, and business continuity planning. He has also served on the faculty for the Physical Security Professional (PSP) Certification program and has developed online courses for this program.

Copyright © 2017 American Board for Certification in Homeland Security, CHS®. All Rights Reserved.