Page History

As cited in a variety of sources, people are often described as the weakest link in any security system. It is important to build security into the entire Human Resource (HR) process, from pre-employment, during employment, and through termination, to ensure that policies and procedures are in place to address security issues. Consistent training throughout the entire process ensures that employees and contractors are fully aware of their roles and responsibilities and understand the criticality of their actions in protecting and securing both information and facilities.

In collaboration with Human Resources staff, evaluate HR department policies and procedures to verify whether institutional supervisors and employees:

1. Review and acknowledge understanding (documented) of your institution’s Acceptable Use policy.

2. Require contractors, part-time staff, and student workers to review and comply with the Acceptable Use Policy and sign NDA’s or confidentiality agreements if appropriate given their levels of access to institutional information.

3. Understand the HR disciplinary process for policy violations.

4. Comply with HR requirements for new hire background checks.

5. Develop job descriptions which include information security responsibilities and adequate separation of duties where applicable.

6. Complete information security awareness training.

7. Provide HR and IT the most current statuses of staff, faculty, and part time staff employed by the university to assist with account provisioning and terminations.

8. Return institutional assets as required by HR policies/procedures when terminating employment.

Objective: To develop a comprehensive process that includes identification of job roles and responsibilities, identify the corresponding candidate screening level for those roles and responsibilities and establish terms and conditions of employment.

Objective: To ensure that employees are aware of and understand their roles and responsibilities; to ensure that they understand information security threats and; to ensure they have the necessary knowledge to mitigate those threats.

Objective: To develop an orderly exit process to ensure that access is removed and assets returned in an expedited time frame.

EDUCAUSE Resources

EDUCAUSE Resource Center Pages

• Acceptable and Responsible Use Policies
• Certification, Education, Training, and Tutorials
• Executive Security Awareness
• Security Awareness
• Training
• User Training

HEISC Toolkits/Guidelines

• CISO Job Description Template
• Collaborating with Faculty
• Cybersecurity Awareness Resource Library
• National Cyber Security Awareness Month (NCSAM) Resource Kit
• Top Information Security Concerns for HR Leaders & Process Participants – Protecting Your HR Assets
• Top Information Security Concerns for Researchers
• Top Information Security Concerns for Campus Executives & Data Stewards

Initiatives, Collaborations, & Other Resources

• Mitigating Top EDU Human Risks (video - 47 min.)
• ThinkingCIO blog: Recognizing and Handling Safety Issues (October 2015)
• Virginia Tech Policy and Procedures for Conviction and Driving Record Investigation