As cited in a variety of sources, people are often described as the weakest link in any security system. It is important to build security into the entire Human Resource (HR) process, from pre-employment, during employment, and through termination, to ensure that policies and procedures are in place to address security issues. Consistent training throughout the entire process ensures that employees and contractors are fully aware of their roles and responsibilities and understand the criticality of their actions in protecting and securing both information and facilities.
In collaboration with Human Resources staff, evaluate HR department policies and procedures to verify whether institutional supervisors and employees:
Review and acknowledge understanding (documented) of your institution’s Acceptable Use policy.
Require contractors, part-time staff, and student workers to review and comply with the Acceptable Use Policy and sign NDAs or confidentiality agreements if appropriate given their levels of access to institutional information.
Understand the HR disciplinary process for policy violations.
Comply with HR requirements for new hire background checks.
Develop job descriptions which include information security responsibilities and adequate separation of duties where applicable.
Provide ongoing information security awareness training opportunities for staff, faculty, and students.
Provide HR and IT with the most current status of staff, faculty, student workers, and part-time staff employed by the institution to assist with account provisioning and terminations.
Return institutional assets as required by HR policies/procedures when terminating employment.
Employees handling personal data in an organization need to receive appropriate awareness training and regular updates in an effort to safeguard the data entrusted to them. Appropriate roles and responsibilities assigned for each job description need to be defined and documented in alignment with the organization's security policy. The institution's data must be protected from unauthorized access, disclosure, modification, destruction or interference. The management of human resources security and privacy risks is necessary during all phases of employment association with the organization. Training to enhance awareness is intended to educate individuals to prevent data disclosure, recognize information security problems and incidents, and respond according to the needs of their work role.
Safeguards include the following:
The objective of Human Resources Security is to ensure that all employees (including contractors and any user of sensitive data) are qualified for and understand the roles and responsibilities of their job duties and that access is removed once employment is terminated. The three areas of Human Resources Security are:
Objective: To develop a comprehensive process that identifies job roles and responsibilities, identifies the corresponding candidate screening level for those roles and responsibilities, and establishes terms and conditions of employment.
Prior to hiring or contracting employees or companies, security roles and responsibilities should be clearly articulated in job descriptions or well defined in contract terms and conditions. These roles and responsibilities should be defined in accordance with the institution's security policies.
Careful attention should be paid to validation of references and the appropriate level of background checks as determined by the security roles and responsibilities of the position or contract. Consideration should be given to making the receipt of affirmative references and the successful completion of a background check, at a level commensurate with the position's roles and responsibilities, a condition of hire.
Objective: To ensure that employees are aware of and understand their roles and responsibilities; to ensure that they understand information security threats; and to ensure they have the necessary knowledge to mitigate those threats.
Objective: To develop an orderly exit process to ensure that access is removed and assets returned in an expedited time frame.
Responsibilities for performing employee terminations must be clearly defined and assigned to ensure actions are taken as quickly as possible. A checklist listing actions to be taken and the person responsible for the execution of that action allows for quick identification of any missed steps. (CSO offers this brief checklist for a secure employee departure.)
Specifically, there should be a process that validates that all the institution's assets are returned at termination.
Additionally, there should be a process that ensures access to information assets is removed at the time of termination.
EDUCAUSE Resources
EDUCAUSE Resource Center Pages
HEISC Toolkits/Guidelines
Initiatives, Collaborations, & Other Resources
27002:2013 Information Security Management | 800-12: An Introduction to Computer Security - The NIST Handbook | APO01.06 | Req 6 | ID.GV-2 | 45 CFR 164.308(a)(3)
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).