Sanctions & Disciplinary Policy
Owner: Security Officer · Approved by leadership · Version 1.0 · Effective 27 May 2026 · Next review 27 May 2027
1. Purpose
This policy defines how Glassbreak investigates and responds to breaches of its policies — in particular, the Information Security Policy. It exists to protect customer data, workforce members, and the organisation, and to satisfy the administrative-safeguard expectations of frameworks such as HIPAA (45 CFR § 164.308(a)(1)(ii)(C)) and ISO 27001 (Annex A.6.4).
The intent is corrective and proportionate, not punitive. The aim is to restore policy compliance, address harm, and prevent recurrence.
2. Scope
This policy applies to all workforce members (employees, contractors, advisors, interns) in respect of any breach of Glassbreak policy, the terms of their engagement, or the law as it relates to their work for Glassbreak. It applies whether the breach is deliberate or negligent.
3. Categories of violation
3.1 Minor
- Isolated lapses in policy compliance with no demonstrable harm — for example, an occasional unlocked screen, or sending an unnecessary copy of non-sensitive information over a permitted but suboptimal channel.
- Late completion of mandatory training.
- Inadvertent disregard of a procedure that did not put data at risk.
3.2 Material
- Sharing access credentials with another person.
- Bypassing or attempting to bypass MFA or other security controls.
- Storing customer data, signing keys, or production secrets on personal devices or in personal accounts.
- Repeated minor violations after a documented warning.
- Failure to report an incident promptly after becoming aware of it.
3.3 Gross
- Deliberate unauthorised access to customer data, administrative metadata, or audit logs.
- Deliberate tampering with audit logs.
- Disclosure of customer information, signing keys, or production secrets to any unauthorised party.
- Use of access for personal gain, harassment, or any purpose unconnected with the workforce member's Glassbreak role.
- Knowing misrepresentation of Glassbreak's security posture to customers, auditors, or supervisory authorities.
- Any act constituting an offence under applicable computer misuse, data-protection, or fraud law in the context of Glassbreak work.
- Any act that materially endangers customer trust or workforce safety.
4. Investigation
4.1 Initiation
A suspected violation may be raised by any workforce member, a customer, an automated control, or an external researcher. The Security Officer initiates an investigation as soon as reasonably practicable after receipt of a credible report.
4.2 Conduct of investigation
- The investigation is fact-finding, not adversarial.
- Evidence is preserved — logs, system snapshots, written communications — with chain-of-custody recorded.
- The subject of the investigation is informed at the earliest point consistent with preserving evidence and any safeguarding considerations.
- Where the subject is not informed at the outset, the rationale is recorded.
- The investigator is independent of the subject and of the line manager where possible. For Gross-category investigations, the Security Officer may engage external counsel or an external investigator.
- Investigation records are confidential and access is restricted to those with a need to know.
4.3 Right to respond
Before any sanction is imposed, the subject is given:
- a written summary of the alleged violation and the evidence against them,
- a reasonable opportunity (normally at least 5 business days) to respond in writing or in person,
- the option to be accompanied by a trusted colleague or representative at any in-person hearing.
4.4 Suspension during investigation
Where the alleged violation is Material or Gross, the subject may be suspended on full pay (where applicable) pending the outcome of the investigation. Suspension is a neutral act and does not imply guilt. Suspension entails access revocation per the Offboarding Policy section 5.2 (expedited revocation).
5. Sanctions
The Security Officer (in serious cases, together with leadership and, where appropriate, external counsel) selects the proportionate sanction from the following:
5.1 For Minor violations
- Verbal coaching, recorded in the workforce file.
- Mandatory re-completion of relevant training.
- Written reminder of the relevant policy.
5.2 For Material violations
- Written warning, retained in the workforce file for 12 months.
- Mandatory completion of additional training.
- Temporary removal of specific access pending demonstrated re-compliance.
- Performance-improvement plan with explicit security objectives.
- Final written warning where the violation follows an earlier written warning.
5.3 For Gross violations
- Summary termination of employment or contract without notice.
- Reporting to the relevant supervisory authority where required by data-protection law.
- Reporting to law enforcement where the conduct constitutes a criminal offence.
- Civil recovery of damages where loss has been caused to Glassbreak or customers.
- Notification of affected customers under the Incident Response Policy and the DPA.
6. Records
- Investigation records, sanction decisions, and outcomes are retained in the workforce file.
- Records of written warnings are retained for at least 12 months from imposition; records of final warnings and of termination decisions are retained for at least 5 years.
- Where the conduct constituted a data-protection breach, the breach is recorded in the incident register per the Incident Response Policy.
7. Right of appeal
- The subject may appeal any sanction in writing within 10 business days of receipt of the decision.
- Appeals are heard by a person not previously involved in the investigation or decision.
- The appeal hearing follows the same procedural fairness principles as the original investigation.
- The outcome of an appeal is communicated in writing and recorded in the workforce file.
8. Reporting concerns
Workforce members are encouraged to raise concerns about possible policy violations promptly. Concerns may be raised with:
- the workforce member's line manager,
- the Security Officer at security@glassbreak.io,
- or, where the concern relates to the Security Officer or to leadership, an independent contact identified in the workforce handbook.
Glassbreak does not tolerate retaliation against any workforce member who raises a concern in good faith. Retaliation is itself a Gross violation of this policy.
9. Customer-facing disclosure
Where a workforce member's conduct caused or may have caused harm to customer data, the matter is investigated under this policy and as an incident under the Incident Response Policy. Customer notification follows the IR policy and the DPA. The identity of the workforce member is not disclosed to customers unless required by law or by the customer's own supervisory authority.
10. Fairness and consistency
- Sanctions are proportionate to the nature, severity, and intent of the violation, and to the workforce member's history.
- Mitigating factors (cooperation, immediate self-reporting, lack of prior warnings) and aggravating factors (concealment, repeat offending) are considered explicitly and recorded in the decision rationale.
- Sanctions are applied consistently regardless of the workforce member's seniority. Senior workforce members are not above this policy.
11. Review
This policy is reviewed at least annually and after every imposed sanction at Material or higher severity. The next scheduled review is 27 May 2027.
12. Related documents
Counter-signed PDF copy available on request to compliance@glassbreak.io.