Human Resources Security:
Prior to employment
The objective of this category is to ensure that employees, contractors and third-party users understand their responsibilities, and are suitable for the roles for which they are considered, in order to reduce the risk of theft, fraud or misuse of facilities.
Roles and responsibilities
Security roles and responsibilities of employees, contractors and third-party users should be defined and documented in accordance with the organization's information security policy.
Control includes requirements to:
- Act in accordance with the organization's information security policy, including execution of processes or activities particular to the individual's role
- Protect all information assets from unauthorized access, use, modification, disclosure, destruction or interference
- Report security events, potential events, or other risks to the organization and its assets
- Assign responsibility to the individual for actions taken or, where appropriate, responsibility for actions not taken, consistent with the sanctions policy
Screening
Appropriate background verification checks, also known as "screening" or "clearance", should be carried out for all candidates for employment, contractor status, or third party user status.
Control includes checks that:
- Are commensurate with the organization's business needs, and with relevant legal-regulatory-certificating requirements
- Take into account the classification(s)/sensitivity(ies) of the information to be accessed, and the perceived risks
- Take into account all privacy, protection of personal data and other relevant employment legislation
- Include, where appropriate, components such as identity verification, character references, CV verification, criminal and credit checks
Terms and conditions of employment
Employees, contractors, and third party users should agree to and sign a statement of rights and responsibilities for their affiliation with the organization, including rights and responsibilities with respect to information security.
Control includes, in the signed agreement:
- Information about the scope of access and other privileges the person will have, with respect to the organization's information and information processing facilities
- Information about the person's responsibilities, under legal-regulatory-certificating requirements and organizational policies, specified in that or other signed agreements (see below)
- As appropriate, information about responsibilities for classification of information and management of organizational information facilities that the person may use
- As appropriate, information about handling of sensitive information, both internal to the organization and that received from or transferred to outside parties
- Information about responsibilities that extend outside the organization's boundaries (e.g., for mobile devices and teleworking)
- Information about the organization's responsibilities for handling of information related to the person themselves, generated in the course of an employment, contractor or other third party relationship
- Actions that can be anticipated, under the organization's disciplinary process, as a consequence of failure to observe security requirements
This control may include provision of an organizational code of conduct or code of ethics to the employee, contractor or third party. It may also include a requirement to sign, prior to being given access or other privileges to information or information processing facilities, a separate:
- Confidentiality or non-disclosure agreement
- Acceptable use of assets agreement
During employment
This category aims to ensure that employees, contractors, and third party users are aware of information security threats and concerns, of their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
Management responsibilities
Management should require employees, contractors and third party users to apply security controls in accordance with established policies and procedures of the organization.
Control includes:
- Appropriately informing all employees, contractors and third party users of their information security roles and responsibilities, prior to granting access to sensitive information or information systems (see Terms and Conditions of Employment policy)
- Providing all employees, contractors and third parties with guidelines and/or rules that state the security control expectations of their roles within the organization
- Achieving an appropriate level of awareness of security controls among all employees, contractors and third parties, relevant to their roles and responsibilities, and an appropriate level of skills and qualifications, sufficient to execute those security controls
- Assuring conformity to the terms and conditions of employment related to security
- Motivating adherence to the security policies of the organization, such as with an appropriate sanctions policy
- Mitigating the risks of a failure to adhere to policies, by ensuring that all persons have appropriately limited access to the organization's information and information facilities
Information security awareness, education and training
All employees of the organization, and, where relevant, contractors and third party users, should receive appropriate awareness training in and regular updates of organizational policies and procedures relevant to their job functions.
Control includes:
- A formal induction process that includes information security training, prior to being granted access to information or information systems
- Ongoing training in security control requirements, legal-regulatory-certificating responsibilities, and correct procedures generally, suitable to each person's roles and responsibilities
- Periodic reminders that cover both general security topics and specific issues of relevance to the organization given its history of security incidents
- Other appropriate efforts to raise and maintain awareness of security issues
Disciplinary process
There should be a formal disciplinary process for employees who have committed a security breach.
Control includes:
- A reasonable evidentiary standard to initiate investigations (reasonable suspicion that a breach has occurred)
- Appropriate investigatory processes, including specification of roles and responsibilities, standards for collection of evidence and chain of custody of evidence
- Disciplinary proceedings that observe reasonable requirements for due process and quality of evidence
- A reasonable evidentiary standard to determine fault, that ensures correct and fair treatment for persons suspected of a breach
- Sanctions that appropriately take into consideration factors such as the nature and gravity of the breach, its impact on operations, whether it is a first or repeat offense, whether or not the violator was appropriately trained, whether or not the violator exercised due care or exhibited negligence
- An overall process that functions both as deterrent and sanction
Termination or change of employment
Control objective:
To ensure that employees, contractors and third party users exit the organization, or change employment responsibilities within the organization, in an orderly manner.
Termination responsibilities
Responsibilities for performing employment termination or change of employment should be clearly defined and assigned.
Control includes:
- Changes of responsibilities and duties within the organization are processed as a termination (of the old position) and re-hire (to the new position), using standard controls for those processes unless otherwise indicated
- Other employees, contractors and third parties are appropriately informed of a person's changed status
- Any post-employment responsibilities are specified in the terms and conditions of employment, or a contractor's or third party's contract
Return of assets
All employees, contractors and third parties should return all of the organization's assets in their possession upon termination of the employment relationship or contract.
Control includes:
- Formalization of the process for return (e.g., checklists against inventory)
- Inclusion in this requirement of the organization's hardware, software and data of any kind
- Where the employee, contractor or third party uses personal equipment, secure erasure of software and data belonging to the organization
Removal of access rights
Access rights to information and information systems should be removed upon termination of the employment or contractual relationship.
Control includes:
- Changes of employment or contractual status include removal of all rights associated with prior roles and duties, and creation of rights appropriate to the new roles and duties
- Removal or reduction of access rights prior to the termination, where risks indicate this step to be appropriate (e.g., where termination is initiated by the organization, or the access rights involve highly sensitive information or facilities)
References
- ISO-27002:2005 8.1.1
- ISO-27002:2005 8.1.2
- HIPAA 164.308(a)(3)(ii)(B)
- PCI-DSS:2005 12.7
- ISO-27002:2005 8.1.3
- ISO-27002:2005 8.2.1
- ISO-27002:2005 8.2.2
- HIPAA 164.308(a)(5)
- ISO-27002:2005 8.2.3
- HIPAA 164.308(a)(1)(ii)(C)
- ISO-27002:2005 8.3.1
- HIPAA 164.308(a)(3)(ii)(B-C)
- ISO-27002:2005 8.3.2
- ISO-27002:2005 8.3.3
See Also
- ISO 17799/27002 - Code of Practice for Information Security Management