Table of Contents
- Getting Started | Overview | Human Resources Security | Standards
- Prior to Employment (ISO 7.1)
- During Employment (ISO 7.2)
- Termination and Change of Employment (ISO 7.3)
As cited in a variety of sources, people are often described as the weakest link in any security system. It is important to build security into the entire Human Resource (HR) process, from pre-employment, during employment, and through termination, to ensure that policies and procedures are in place to address security issues. Consistent training throughout the entire process ensures that employees and contractors are fully aware of their roles and responsibilities and understand the criticality of their actions in protecting and securing both information and facilities. In collaboration with Human Resources staff, evaluate HR department policies and procedures to verify whether institutional supervisors and employees:
Overview
Employees handling personal data in an organization need to receive appropriate awareness training and regular updates in an effort to safeguard the data entrusted to them. Appropriate roles and responsibilities assigned for each job description need to be defined and documented in alignment with the organization's security policy. The institution's data must be protected from unauthorized access, disclosure, modification, destruction or interference. The management of human resources security and privacy risks is necessary during all phases of employment association with the organization. Training to enhance awareness is intended to educate individuals to prevent data disclosure, recognize information security problems and incidents, and respond according to the needs of their work role.
...
- Prior to Employment: This topic includes defining roles and responsibilities of the job, defining appropriate access to sensitive information for the job, and determining the depth of the candidate's screening levels, all in accordance with the company's information security policy. During this phase, contract terms should also be established.
- During Employment: Employees with access to sensitive information in an organization should receive periodic reminders of their responsibilities and receive ongoing, updated security awareness training to ensure their understanding of current threats and corresponding security practices to mitigate such threats.
- Termination and Change of Employment: To prevent unauthorized access to sensitive information, access must be revoked immediately upon termination/separation of an employee with access to such information. This also includes the return of any assets of the organization that were held by the employee.
Prior to Employment (ISO 7.1)
Objective: To develop a comprehensive process that includes identifying job roles and responsibilities, identifying the corresponding candidate screening level for those roles and responsibilities, and establishing terms and conditions of employment.
...
During Employment (ISO 7.2)
Objective: To ensure that employees are aware of and understand their roles and responsibilities; to ensure that they understand information security threats; and to ensure they have the necessary knowledge to mitigate those threats.
...
- A process for official disciplinary actions for security breaches should be established and promulgated to the institution's employees.
Termination and Change of Employment (ISO 7.3)
Objective: To develop an orderly exit process to ensure that access is removed and assets returned in an expedited time frame.
...
Additionally, there should be a process that ensures access to information assets is removed at the time of termination.
Resources
EDUCAUSE Resources EDUCAUSE Resource Center Pages
HEISC Toolkits/Guidelines
Initiatives, Collaborations, & Other Resources
Standards
27002:2013 Information Security Management | 800-12: An Introduction to Computer Security - The NIST Handbook | APO01.06 | Req 6 | ID.GV-2 | 45 CFR 164.308(a)(3) |