(5) Risk Treatment Ch2

2. Human resource security

2.1 Prior to employment

Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics. The contractual agreements with employees and contractors should state their and the organization’s responsibilities for information security.

For verification checks, take into account all relevant privacy, protection of personally identifiable information and employment-based legislation.
Verification checks can include character references, a verification of the applicant’s curriculum vitae, confirmation of claimed academic and professional qualifications, independent identity verification and a review of criminal records.
When an individual is hired for a specific information security role, make sure that the candidate has the necessary competence to perform the security role and can be trusted to take on the role.
Define criteria and limitations for verification reviews, e.g. who is eligible to screen people and how, when and why verification reviews are carried out.
In case of contractors, an agreement between the organization and the contractor should specify responsibilities for conducting the screening.
The contractual obligations for employees or contractors should reflect the organization’s policies for information security.

2.2 During employment

2.2.1 Management responsibilities

Management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

It is vital that management demonstrates support of information security policies, procedures and controls, and acts as a role model.
Make sure management responsibilities ensure that employees and contractors:

a) are properly briefed on their information security roles and responsibilities prior to being granted access to confidential information or information systems;
b) are provided with guidelines to state information security expectations of their role within the organization;
c) conform to the terms and conditions of employment, which includes the organization’s information security policy and appropriate methods of working;
d) continue to have the appropriate skills and qualifications and are educated on a regular basis.

2.2.2 Information security awareness, education and training

All employees and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures.

Establish an information security awareness programme to make employees and, where relevant, contractors aware of their responsibilities for information security. The information security awareness programme should be established in line with the organization’s information security policies and relevant procedures.
Make sure that the awareness programme includes a number of awareness-raising activities such as campaigns, booklets or newsletters.
Schedule the activities in the awareness programme regularly, so that the activities are repeated and cover new employees and contractors. Update the awareness programme regularly so it stays in line with organizational policies and procedures, and is built on lessons learnt from information security incidents.
Organize regular information security education and training events. Initial education and training applies to those who transfer to new positions or roles with substantially different information security requirements, not just to new starters and should take place before the role becomes active.
Conduct an assessment of the employees’ understanding at the end of an awareness, education and training course to test knowledge transfer.

2.2.3 Disciplinary process

There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

Commence the disciplinary process once verified that an information security breach has occurred.
Verify that the formal disciplinary process ensures correct and fair treatment for employees who are suspected of committing breaches of information security. The formal disciplinary process should provide for a graduated response that takes into consideration factors such as the nature and gravity of the breach and its impact on business, whether or not this is a first or repeat offence, relevant legislation and other factors as required.

2.3 Termination and change of employment

2.3.1 Termination or change of employment responsibilities

Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced.

Make sure that responsibilities and duties still valid after termination of employment are contained in the employee’s or contractor’s terms and conditions of employment.
The communication of termination responsibilities should include on-going information security requirements and legal responsibilities and, where appropriate, responsibilities contained within any confidentiality agreement and the terms and conditions of employment continuing for a defined period after the end of the employee’s or contractor’s employment.
It may be necessary to inform employees, customers or contractors of changes to personnel and operating arrangements.