Example of Human Resource Security Policy

Uncategorized 6 Minutes

Purpose

The purpose is to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. The employees and contractors are aware of and fulfill their information security responsibilities. To protect the organisation’s interests as part of the process of changing or terminating employment.

Scope

The scope is to define the functioning of the XXX focusing on the manpower & IT that is used to run the XXX. This policy applies to all those personnel working in the XXX as staff, contractors and also covers the aspect where any staff who requires access to XXX’s information systems or information of any type or format (paper or electronic).

Human Resource Security Policy

3.1 Screening

  • As per ISMS HR Procedure, Screening of the candidate shall be carried out for all candidates
  • Information on all candidates being considered for positions within the XXX is collected and handled in accordance with Indian legislation existing in the Pune jurisdiction. Depending on applicable legislation, the candidates are informed beforehand about the screening activities.

3.2 During Employment

  • All staff/contractors are to follow Clear Desk and Clear Screen Policy.
  • Management responsibilities shall include ensuring that staff and contractors:
    • Are properly briefed on their information security roles and responsibilities prior to being granted access to confidential information or information systems
    • Are provided with guidelines to state information security expectations of their role within the XXX
    • Are motivated to fulfill the information security policies of the XXX
    • Achieve a level of awareness on information security relevant to their roles and responsibilities within the XXX
    • Conform to the terms and conditions of employment/association, which includes the XXX’s security policy and methods of working
    • Continue to have the appropriate skills and qualifications and are educated on a regular basis.
  • If staff and contractors are not made aware of their information security responsibilities, they can cause considerable damage to the XXX. Motivated personnel are likely to be more reliable and cause fewer information security incidents.

3.3 Terms And Conditions Of Employment

  • The agreement with staff and contractors states their and the XXX’s responsibilities for the functioning within the XXX and in relation to information security.
  • The agreements for staff or contractors reflect the XXX’s policies for the functioning of information security in addition to clarifying and stating:
    • That all staff and contractors who are given access to confidential information are also briefed upon the guidelines of information security.
    • Responsibilities for the clarification of information and management of XXX’s assets associated with information, information processing facilities and information services handled by the staff or contractor.
    • Responsibilities of the staff or contractor for the handling of information received from Interested parties;
    • Actions to be taken if the staff or contractor disregards the XXX’s security requirements.
    • Information security roles and responsibilities should be communicated to job candidates during the pre-employment process.
  • The XXX ensures that staff and contractors agree to terms and conditions concerning information security, appropriate to the nature and extent of access they will have to the XXX’s assets associated with information systems and services.
  • Where appropriate, responsibilities controlled within the terms and conditions of employment should continue for a defined period after the end of the employment.
  • A Non- Disclosure Agreement (NDA) shall be signed by all staff, contractors.

3.4 Information Security Awareness And Training

  • All employees of the XXX and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in XXX policies and procedures, as relevant for their job function.
  • Awareness, education and training can be part of, or conducted in collaboration with, other training activities, for example general IT or general security training. Awareness, education and training activities shall be suitable and relevant to the individual’s roles, responsibilities and skills.
  • An assessment of the employees/contractors understanding is conducted at the end of an awareness, education and training course to test knowledge transfer.

3.5 Compliance With Rules And Regulations

  • By signing the Appointment letter an employee is deemed to have expressed his/her acceptance of all the policies, rules, regulations, terms and conditions framed from time to time by the concerned authorized officers.
  • During employment, the terms of employment of employee/ contractors shall be governed by the policies and rules framed from time to time covering, among others, Discipline, Code of Conduct etc.

3.6 Confidentiality And Non-Disclosure

Whether information in written or verbal, or contained in computer hardware or software, disk, hard disk, tape or other media, this information is of substantial value, highly confidential and is not known to the general public. Such Information is being provided and disclosed to the staff, contractor solely for use in connection with his/her employment or work of the XXX. NDA is to be signed by all employee/ contractors. Signing to be followed as per Procedure.

3.7 Alteration In The Terms Of Employment

  • • XXX reserves the right to make reasonable changes to the duties of an employee, contractor according to the needs of the operation including, relocating/shifting such staff’s workplace and / or transferring such staff to serve at any other location of the XXX.
  • • The XXX reserves the right to make reasonable changes to any terms or conditions of employment of any staff with prior notice.

3.8 Termination and Change Of Employment

  • Information security responsibilities and duties that remains valid after termination or change of employment is defined, communicated to the staff or contractor and enforced.
  • Changes of responsibility or employment are managed as the termination of the current responsibility or employment combined with the initiation of the new responsibilities or employment.
  • The Human Resources function is generally responsible for the overall termination process and shall work together with the supervising Dept in change of the person leaving to manage the information security aspects of the procedures. In the case of a contractor provided through an external party, this termination process is undertaken by the external party in accordance with the contract between the XXX and the external party.
  • Establishment Department shall inform employee or contractors of changes to personnel and operating arrangements.

3.9 Disciplinary Action

  • There shall be a formal and communicated disciplinary process in place to take action against employee who have committed an information security breach.
  • Disciplinary action shall be taken by the management depending upon the severity of the event.

3.10 Discharge/Dismissal/Termination

The services of employee may be terminated after giving him one month’s prior notice as per the terms of appointment / service agreement, if any, or payment of basic salary, in lieu thereof or for that matter clearance of any pending salary or financial reimbursements and terminate him immediately after settlement of the same.

3.11 Staff Exit Policy

  • Processes are implemented to ensure that all access rights of users of XXX’s information systems are removed in a timely manner upon termination or suspension of their employment, contract or agreement.
  • Processes and responsibilities are agreed upon and implemented to enable emergency suspension of a user’s access when that access is considered a risk to the XXX or its systems as defined. Establishment Dept. fill user’s clearance certificate & get it signed by their reporting Dept in charge before user’s last working day.

Enforcement

Any staff, contractor who is found to have violated the policies may be subject to disciplinary action, up to, including termination of employment or legal case against the staff, depending on the degree of the offense committed.

Sample Employment Contractual Agreement

Employee Information and Technology Security Agreement
I acknowledge that [name of organization]’s information and technology security policies, guidelines, and procedures have been made available to me for review and consideration. I also certify that I have been given ample opportunity to have any and all questions about my responsibilities addressed. I am, therefore, aware that I am accountable for information and technology security procedures as they govern the acceptable performance of my job. I understand that failure to abide by any and all policies, guidelines, and procedures can result in organizational, civil, or criminal action and/or the termination of my employment.
Signature: ______________________________ Printed Name: ______________________________
Job Title: ___________________________________ Date: ______/_____/______
Contractor/Consultant/Outsider Information and Technology Security Agreement
I acknowledge that [name of organization] has provided me with adequate time to review and consider the information and technology security policies, guidelines, and procedures it deems applicable to responsibilities I am undertaking on behalf of [name of organization], regardless of my employment status. I also certify that I have been given ample opportunity to have any and all questions about my responsibilities addressed. I am, therefore, aware that I am accountable for those information and technology security procedures as they relate to my work for, or on the behalf of, [name of organization]. I understand that failure to abide by any and all policies, guidelines, and procedures can result in organizational, civil, or criminal action and/or the termination of my relationship with [name of organization].
Signature: __________________ Printed Name: __________________
Affiliation: _______________________ Date: /__
Employment contractual agreement

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply