Is it a violation of the law for an employee to remove confidential records from the workplace without permission, without special controls, and against the policy?
Information security management is a critical subject in managing information flow in organizations. An organization’s information is essential for the smooth running of its functions. Organizations often secure their information and protect it from being accessed by anyone outside the organization. In some instances, information is classified into two categories. These entail private information and public information. The flow and use of information that belongs to organizations are considered a policy issue. The movement of information from an organization is monitored to protect the organization from external exposure (Straub, 2008). This issue is presented in the case of Stratified Custom Manufacturing where the security control system detects an employee leaving the premises with the organization’s documents (Whitman & Mattord, 2011).
According to the case study, the company has an elaborate security management system that is used to safeguard its information. The security management system of the company is used for safeguarding the information flow from the organization. Routine security checks are conducted by the company. They aim at ensuring that employees do not leave the company with the organization’s documents. This means that security screening has a policy backup, which gives it the legal force. According to the company, it is illegal to take out information from the company without the company’s permission. Corporate policies stipulate the guidelines that are used in the access and use of the company’s information. The company’s information is part of the resources of an organization. Therefore, any person who wants to get the company’s information out of the premises has to follow procedures and get permission from the company (Whitman & Mattord, 2011).
A punishment for a policy violation involving removal of confidential records for a “harmless” reason such as catching up on reading them at home
The exposure of confidential information or records containing such information is considered a breach of the information security policy of an organization. Cases of violation of the information management policies of organizations are commonly reported. In the current information and communication technology era, such cases are increasing. It is caused by the fact that information is not only accessed and passed manually. Digital platforms are often used to sneak information out of organizations. Strict regulations and punishments for such offenders could serve as a way of preventing the breach of information security management policies (Vacca, 2010). The first step is enhancing the security systems to track such offenders. Once tracked, the offenders have to be barred from accessing any confidential information belonging to the company. The other method of punishing such people is subjecting them to strict surveillance systems. This includes monitoring them from every place, including their homes. These are slight forms of punishment, which are meant to discourage the breach of rules that are meant to secure companies’ information (Straub, 2008).
How the recommendation would change if the violator used confidential records for a different purpose
According to Workman, Phelps & Gathegi (2013), people have different motives that direct them to acquire an organization’s information. Confidential firm records can be used by people with ill motives. Among the negative motives, including the plan to use the information in swindling money from the organization. This malpractice is common in organizations today. It is reported in a substantial number of organizations. The other form of violating the security information management practices in organizations is by using the information to cover certain faults committed in the organization. These are serious breaches of the organization’s information. It should be handled with the seriousness that it deserves. Employees or any person found committing such practices should be prosecuted. Such a person should be considered a criminal and should face the full force of the law by being arrested and prosecuted. When proved to have committed the crime, the person should be dismissed from the organization. Before dismissal, the person will be compelled to surrender all the pieces of information under his custody. All the company information should be recovered from the person as it may be further used by the accomplices of the accused person (Vacca, 2010).
Straub, D. W. (2008). Information security: Policy, processes and practices. Armonk, NY [u.a.: Sharpe.
Vacca, J. R. (2010). Managing information security. Burlington, MA: Elsevier.
Whitman, M. E., & Mattord, H. J. (2011). Readings and cases in information security: Law and ethics. Boston, MA: Course Technology, Cengage Learning.
Workman, M. D., Phelps, D. C., & Gathegi, J. N. (2013). Information security for managers. Burlington, MA: Jones & Bartlett Learning.