Sample New Hire Security Awareness Standard:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
=='''Sample New Hire Security Awareness Standard'''==
==Sample End User Computing and Technology Policy==
<br>
The End User Computing and Technology Policy define the Company objectives for establishing specific standards on appropriate business use of the Company's information and telecommunications systems and equipment.
The '''<Your Company Name>''' (the "Company") Security Awareness Policy defines objectives for establishing a formal [[Sample Security Awareness Policy:|'''Sample Security Awareness Policy''']], and specific standards for the education and communication of the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']] and associated policies and standards.<br>
<br>
This New Hire Security Awareness Standard builds on the objectives established in the Security Awareness Policy, and provides specific instructions and requirements for providing security awareness education and training for newly hired Company employees.<br>
<br>


=='''I. Scope'''==
=Objectives==
<br>
<br>
All newly hired Company employees who have been granted access to Company information or systems are covered by this standard and must comply with associated guidelines and procedures.<br>
Company information and telecommunications systems and equipment, including Internet, electronic mail, telephone, pager, voice mail and fax, are provided for official and authorized Company business purposes. Any use of such systems and equipment perceived to be illegal, harassing, offensive, or in violation of other Company policies, standards or guidelines, or any other uses that would reflect adversely on Company, can be considered a violation of this policy.<br>
<br>
<br>
Asset Owners refers to the managers of organizational units that have primary responsibility for information assets associated with their functional authority.<br>
The Company reserves the right to monitor, record, or periodically audit use of any of its information and telecommunications systems and equipment. Use of these systems and equipment constitutes expressed consent by those covered by the scope of this policy to such monitoring, recording, and auditing. Actual or suspected misuse of these systems should be reported to the appropriate Company management representative in a timely manner. Specific instructions and requirements for reporting misuse of Company information and telecommunications systems and equipment are provided in the Misuse Reporting Standard.<br>
<br>
<br>
Asset Custodians refers to the managers, administrators and those designated by the Asset Owner to manage, process or store information assets.<br>
Specific instructions and requirements for appropriate business use of the Internet are provided in the [[Sample Internet Acceptable Use Policy:|'''Sample Internet Acceptable Use Policy''']].<br>
<br>
<br>
Electronic Communication Systems refers to all Company information systems and equipment including Electronic Mail Resources, Internet Resources, and Telecommunications Resources.<br>
Specific instructions and requirements for appropriate business use of the Company electronic mail system are provided in the [[Sample Electronic Mail Acceptable Use Standard:|'''Sample Electronic Mail Acceptable Use Standard''']]
.<br>
<br>
<br>
Electronic Mail Resources are defined in the [[Sample Electronic Mail Acceptable Use Standard:|'''Sample Electronic Mail Acceptable Use Standard''']].<br>
Specific instructions and requirements for appropriate business use of telephones, pagers, faxes, and voice mail are provided in the [[Sample Telecommunication Acceptable Use Standard:|'''Sample Telecommunication Acceptable Use Standard''']].<br>
<br>
<br>
Information assets are defined in the [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']].<br>
Specific instructions and requirements for appropriate business use of software and programs are provided in the [[Sample Software Acceptable Use Standard:|'''Sample Software Acceptable Use Standard''']].<br>
<br>
<br>
Internet Resources are defined in the [[Sample Internet Acceptable Use Policy:|'''Sample Internet Acceptable Use Policy''']].<br>
Specific instructions and requirements for appropriate business use of personal equipment within the Companies technology resources are provided in the [[Sample BYOD Acceptable Use Standard:|'''Sample BYOD Acceptable Use Standard''']].<br>
<br>
<br>
Telecommunications Resources are defined in the [[Sample Telecommunication Acceptable Use Standard:|'''Sample Telecommunication Acceptable Use Standard''']].<br>
Specific instructions and requirements for appropriate business conduct and reporting procedures are provided in the [[Sample Misuse Reporting Standard:|'''Sample Misuse Reporting Standard''']].<br>
<br>
<br>
=='''II. Requirements'''==
 
<br>
==Document Examples==
A. General<br>
Use these samples as a guide for your policy development. Fully customizable versions are available from [http://policy-machine.com The Policy Machine].<br>
::1. Newly hired Company employees will receive the appropriate security awareness training as part of their formal new employee orientation.<br>
<br>
::2. Newly hired Company employees should be oriented or trained in the following security areas:<br>
::*Company commitment to security<br>
::*Company Information Security Policy Framework<br>
::*Company information assets<br>
::*Confidentiality classification categories<br>
::*Information labeling<br>
::*User account and password requirements<br>
::*Remote access and mobile computing<br>
::*Physical access controls and requirements<br>
::*Virus prevention and detection<br>
::*Information Handling<br>
::*Proper use of software and Electronic Communications Systems<br>
::*Misuse Reporting<br>
::*Incident Reporting<br>
::*Help Desk and Information Security contacts<br>
<br>
::3. Newly hired managers should receive the appropriate security awareness training in accordance with the [[Sample Management Security Awareness Standard:|'''Sample Management Security Awareness Standard''']].<br>
<br>
B. Policies<br>
<br>
::1. Information security awareness training for newly hired Company employees should cover the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']] and the following policies:<br>
::*[[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']]<br>
::*[[Sample Asset Protection Policy:|'''Sample Asset Protection Policy''']]<br>
::*Acceptable Use Policy<br>
::*[[Sample Security Awareness Policy:|'''Sample Security Awareness Policy''']]<br>
<br>
::2. Information security awareness training for newly hired Company employees that are assigned Asset Owner or Asset Custodian responsibilities should also cover the following Company policies:<br>
::*[[Sample Asset Management Policy:|'''Sample Asset Management Policy''']]<br>
::*[[Sample Vulnerability Assessment and Management Policy:|'''Sample Vulnerability Assessment and Management Policy''']]<br>
::*[[Sample Threat Assessment and Monitoring Policy:|'''Sample Threat Assessment and Monitoring Policy''']]<br>
<br>
C. Standards<br>
<br>
::1. Information security awareness training for newly hired Company employees should cover the following standards:<br>
::*[[Sample Information Classification Standard:|'''Sample Information Classification Standard''']]<br>
::*[[Sample Information Labeling Standard:|'''Sample Information Labeling Standard''']]<br>
::*[[Sample Access Control Standard:|'''Sample Access Control Standard''']]<br>
::*[[Sample Physical Access Standard:|'''Sample Physical Access Standard''']]<br>
::*[[Sample Anti-Virus Standard:|'''Sample Anti-Virus Standard''']]<br>
::*[[Sample Information Handling Standard:|'''Sample Information Handling Standard''']]<br>
::*[[Sample Internet Acceptable Use Policy:|'''Sample Internet Acceptable Use Policy''']]<br>
::*[[Sample Electronic Mail Acceptable Use Standard:|'''Sample Electronic Mail Acceptable Use Standard''']]<br>
::*[[Sample Telecommunication Acceptable Use Standard:|'''Sample Telecommunication Acceptable Use Standard''']]<br>
::*[[Sample Software Acceptable Use Standard:|'''Sample Software Acceptable Use Standard''']]<br>
::*[[Sample Misuse Reporting Standard:|'''Sample Misuse Reporting Standard''']]<br>
::*[[Sample Ongoing Security Awareness Standard:|'''Sample Ongoing Security Awareness Standard''']]<br>
::*[[Sample Security Awareness Accessibility Standard:|'''Sample Security Awareness Accessibility Standard''']]<br>
<br>
::2. Newly hired Company employees that have been granted remote access to Company information or systems to meet an approved business need or perform prescribed job responsibilities should receive information security awareness training that also covers the Remote Access Standard.<br>
<br>
::3. Information security awareness training for newly hired Company employees that are assigned Asset Owner or Asset Custodian responsibilities should also cover the following Company standards:<br>
::*Integrity Protection Standard<br>
::*Encryption Standard<br>
::*Availability Protection Standard<br>
::*Life Cycle Management Standard<br>
::*Configuration Management Standard<br>
::*System Development Life Cycle Standard<br>
::*Change Control Standard<br>
::*Vulnerability Assessment Standard<br>
::*Vulnerability Management Standard<br>
::*Threat Assessment Standard<br>
::*Threat Monitoring Standard<br>
<br>
=='''III. Responsibilities'''==
<br>
The Chief Information Security Officer (CISO) approves the New Hire Security Awareness Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the New Hire Security Awareness Standard.<br>
<br>
Company management is responsible for ensuring employees within their area of responsibility cooperate with Company security awareness and training efforts; ensuring that newly hired employees within their area of responsibility receive the proper Information Security awareness and training in accordance with the [[Sample Security Awareness Policy:|'''Sample Security Awareness Policy''']] and associated standards and guidelines; and ensuring the effective communication of relevant security issues with the Information Security Department.<br>
<br>
=='''IV. Enforcement and Exception Handling'''==
<br>
Failure to comply with the New Hire Security Awareness Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.<br>
<br>
Requests for exceptions to the New Hire Security Awareness Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the New Hire Security Awareness Standard.<br>
<br>
=='''V. Review and Revision'''==
<br>
The New Hire Security Awareness Standard will be reviewed and revised in accordance with the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']].<br>
<br>
Approved: _______________________________________________________<br>
<br>
::Signature<br>
<br>
::<Insert Name><br>
<br>
::Chief Information Security Officer<br>
<br>
<br>
<gallery>
Image:End User Computing and Technology Policy.png|End User Computing and Technology Policy page one of six.
Image:End User Computing and Technology Policy(1).png|End User Computing and Technology Policy page two of six.
Image:End User Computing and Technology Policy(2).png|End User Computing and Technology Policy page three of six.
Image:End User Computing and Technology Policy(3).png|End User Computing and Technology Policy page four of six.
Image:End User Computing and Technology Policy(4).png|End User Computing and Technology Policy page five of six.
Image:End User Computing and Technology Policy(5).png|End User Computing and Technology Policy page six of six.
</gallery>

Latest revision as of 14:58, 21 January 2014

Sample End User Computing and Technology Policy

The End User Computing and Technology Policy define the Company objectives for establishing specific standards on appropriate business use of the Company's information and telecommunications systems and equipment.

Objectives=


Company information and telecommunications systems and equipment, including Internet, electronic mail, telephone, pager, voice mail and fax, are provided for official and authorized Company business purposes. Any use of such systems and equipment perceived to be illegal, harassing, offensive, or in violation of other Company policies, standards or guidelines, or any other uses that would reflect adversely on Company, can be considered a violation of this policy.

The Company reserves the right to monitor, record, or periodically audit use of any of its information and telecommunications systems and equipment. Use of these systems and equipment constitutes expressed consent by those covered by the scope of this policy to such monitoring, recording, and auditing. Actual or suspected misuse of these systems should be reported to the appropriate Company management representative in a timely manner. Specific instructions and requirements for reporting misuse of Company information and telecommunications systems and equipment are provided in the Misuse Reporting Standard.

Specific instructions and requirements for appropriate business use of the Internet are provided in the Sample Internet Acceptable Use Policy.

Specific instructions and requirements for appropriate business use of the Company electronic mail system are provided in the Sample Electronic Mail Acceptable Use Standard .

Specific instructions and requirements for appropriate business use of telephones, pagers, faxes, and voice mail are provided in the Sample Telecommunication Acceptable Use Standard.

Specific instructions and requirements for appropriate business use of software and programs are provided in the Sample Software Acceptable Use Standard.

Specific instructions and requirements for appropriate business use of personal equipment within the Companies technology resources are provided in the Sample BYOD Acceptable Use Standard.

Specific instructions and requirements for appropriate business conduct and reporting procedures are provided in the Sample Misuse Reporting Standard.

Document Examples

Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine.