Overview
Policy Statement
Our Human Resources Security Policy defines the information to which the policy applies, who holds proprietary rights to that information, individual accountability, responsibility for procedures, and the specific responsibilities assigned within the organization. As a good practice, your organization acknowledges that rewarding positive behavior reinforces and encourages its repetition. This practice must be properly communicated, monitored, and measured across your organization, as defined in the scope of this policy.
Purpose
Ensure that your organization's employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. Ensure that your organization's employees and contractors are aware of and fulfill their information security responsibilities. Protect your organization's other interests as part of the process of changing or terminating employment.
Scope
All established and temporary employees who work under a contract of service, and all contractors and consultants who work under a contract for service, who have or may potentially have access to any person or customer data held on Cloud Systems, IT Systems, or in manual records, must comply with this policy.
Procedures
Procedures and mapped controls
HR Management
Your organization uses an HRIS for managing employees' records, payroll, expense reporting, and other activities.
Screening
A good control covers background verification and competence checks on all candidates for employment. These must be carried out in accordance with the relevant laws, regulations, and ethics, and should be proportional to the business requirements, the classification of the information that will be accessed, and the perceived risks. For example, staff accessing higher-level information assets that carry more risk may be subject to much more stringent checks than staff who only ever access public information or handle assets with limited exposure.
Screening should also take place for contractors, unless their parent organization meets your broader security controls (e.g. holds its own ISO 27001 certification and performs its own background checks). An auditor will expect to see a screening process with clear procedures that is operated consistently each time, which also helps avoid any preference or prejudice risks. Ideally, this will be aligned with the organization's overall hiring process.
Terms and Conditions of Employment
The contractual agreement with employees and contractors must state their and the organization's responsibilities for information security. This is also very important with regard to GDPR and the new Data Protection Act 2018. The terms should reference and cover a whole range of control areas, including overall compliance with the ISMS as well as, more specifically, acceptable use, the return of assets, etc.
The contractual terms and conditions should reinforce this, and the leaver's process and/or contract termination process (including the return of assets) should include a reminder to individuals that they have some responsibilities to the organization even after they have left.
Onboarding
Your organization has a formal onboarding process, which is backed by documents and checklists. All this information can be found in the HR section of your organization's Wiki pages.
- Send formal documents and forms to be signed and accepted (policies, procedures, internal practices or culture, and ethics guide);
- Send introductory email;
- Send New Joiner announcement to the entire company, to welcome the new colleague or contractor;
- Access to your organization's systems is granted as part of the user onboarding process, initiated by HR:
  - A new ticket is created in the onboarding project;
  - The HR Team must attach the New Joiner Request Form, which states the role and the additional systems to which the new joiner must be granted access;
  - The Security Team picks up the ticket and starts evaluating the access request.
- The Security Team must:
  - Configure IT and Cloud Services to enforce strong passwords based on your organization's Password Policy;
  - Establish conditions for group membership;
  - Provide clear classification for data and systems;
  - Not grant access to any Production environments by default.
- Once approved, the accounts are created with temporary passwords, and users are forced to change their password at first login;
- Training is started in the SaaS-based tool available to the company. Suitable information security awareness, training, and education shall be provided to your organization's employees, clarifying their responsibilities relating to your organization's information security policies and procedures and all relevant obligations defined in the job description.
Performance Review
Formal performance reviews are conducted annually or after an incident, as stated in the internal Performance Review document.
Steps:
- Feedback is collected from team members;
- Employee is invited to perform self-assessment for their job functions;
- Direct Manager reviews employee self-assessment and feedback from team members.
Disciplinary Process
A disciplinary process shall provide a gradual response taking into consideration factors such as:
- Nature and severity of the security breach;
- Impact on the business;
- If it is a repeated offense;
- Whether or not the violator was properly trained;
- Relevant legislation.
Formal disciplinary action shall be taken in accordance with your organization's personnel policies, procedures, guidelines, and instruction memos.
Your organization's information and infrastructure (e.g., network, systems, and services) shall not be used for purposes other than your organization's business needs. Any such fraudulent activity detected shall be dealt with under your organization's personnel disciplinary action procedure.
Exiting
Information security responsibilities and obligations that remain valid after termination or change of employment must be defined, communicated to the employee or contractor, and enforced. Examples include keeping information confidential and not leaving with information that belongs to the organization. Leavers must return their assets, and the process must be closed off and documented to demonstrate that the asset inventory has been updated where appropriate.
Responsibilities and practices include, but are not limited to:
- Termination processes that ensure removal of access to all information resources;
- Handling changes of responsibilities and duties inside your organization as a termination (of the old position) and re-hire (to the new position), using transfer policy controls for those processes unless otherwise indicated;
- Processes ensuring that employees are appropriately informed of a person's changed status, and that any post-employment responsibilities are specified in the terms and conditions of employment or in the contractor's or third party's contract.