Publication Summary
| Title | HR Security Policy |
|---|---|
| Author(s) | Alessandro Cardinali |
| Issued by | CEO |
| Version doc. | 0.1 |
| Review freq. | Yearly |
| Date of issue | December 11, 2023 |
| Owner | Alessandro Cardinali |
| Document status | Draft – Final Draft - Final |
| Approval Date | n/a |
| Classification | Internal |
Change Log
| Version | Date | Author | Comments |
|---|---|---|---|
| 0.1 | December 11, 2023 | | First draft document HR Security Policy |
| 1.0 | December 20, 2023 | | |
Contents
1 Introduction
2 HR security policy
2.1 Prior to employment
2.1.1 Background checks
2.1.2 Employment contracts
2.2 During employment
2.2.1 Management responsibilities
2.2.2 Information security awareness
2.2.3 Disciplinary process
2.3 Termination and change of employment
2.3.1 Change of role
2.3.2 Termination
Introduction
As a professional organisation and a responsible employer, [Organization Name] takes the subject of information security very seriously. People are our most important asset, but unfortunately represent one of the major vulnerabilities from an information security perspective, as they are often the target of malicious activities such as phishing and other forms of social engineering.
In order to manage this exposure and keep our people and our information safe, [Organization Name] has defined a policy which describes the controls required and the rules that must be followed with regard to human resources.
This policy applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.
The following policies and procedures are relevant to this document:
HR security policy
Prior to employment
Background checks
Appropriate background verification checks will be carried out on all candidates for employment prior to their starting work with the organization.
The specific screening activities that should be applied in any particular case will depend on a number of risk factors including, but not limited to, the following:
- The classification of information they will have access to
- If the role will have access to financial assets
- The level of potential to cause harm to the organization
- Level of involvement in technology
- Whether driving a motor vehicle is required
- If likely to come into contact with minors
- Any other factors that are deemed by management to be relevant to the ongoing security of the organization
A judgement must be made in each case about the appropriate level of background verification to be applied. This must strike a balance between being sufficiently rigorous to protect the organization and not placing an undue burden of time, cost, or effort on the recruitment process.
Employment contracts
Employment contracts, including those with contract staff, must specify relevant requirements for information security, including a commitment to comply with [Organization Name] policies in this area. Roles that have access to classified information will also be required to sign a Non-Disclosure Agreement (NDA).
See the accompanying document Guidelines for Inclusion in Employment Contracts.
During employment
Management responsibilities
It is important that all employees with management responsibility ensure that [Organization Name] information security-related policies and procedures are followed by staff (both internal employees and contractors) within their supervision at all times. Any instances of non-compliance must be identified and addressed through normal management channels, including disciplinary action where appropriate.
Information security awareness
Information security awareness training will be provided to all employees and contractors to a level of detail appropriate to their job role. This will include information about [Organization Name] policies and procedures and the specific risks and threats relevant to the employee or contractor’s area of work.
Awareness training will be delivered as part of new starter inductions, and updates to relevant information will be communicated to all employees and contractors when appropriate and in a timely manner.
Disciplinary process
Instances where a clear breach of information security policy or procedure has been committed by an employee will be subject to [Organization Name] disciplinary procedures. In serious cases, where the organization has been put at significant risk as a result of the employee’s actions, termination of employment may be considered.
In less serious cases, the provision of additional information security awareness training may be appropriate as one of the actions to address the situation.
Termination and change of employment
Change of role
In situations where an employee experiences a temporary or permanent change of job role, including reassignment, secondment and sabbatical, those information security responsibilities from their previous role (for example for confidentiality) that will continue must be defined and emphasised to the employee.
Any failure on the part of the employee to observe their continuing responsibilities for information security may be subject to disciplinary action.
Termination
Where an employee’s position with the organization is terminated on a permanent basis, the information security responsibilities and duties that must continue to be observed post-employment will be defined in writing and communicated to the employee.
It must be stated to the terminated employee that any failure on their part to observe their continuing responsibilities for information security may be subject to legal action.