The purpose of this policy is to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered; that they remain aware of and fulfil their information security responsibilities throughout their employment; and that the organisation's interests are protected as part of the process of changing or terminating employment.
The scope of this policy covers the people and the IT used to run the XXX. It applies to all personnel working in the XXX as staff or contractors, and to any person who requires access to XXX's information systems or to XXX's information of any type or format (paper or electronic).
Human Resource Security Policy
- As per the ISMS HR Procedure, background screening shall be carried out for all candidates before they are appointed.
- Information on all candidates being considered for positions within the XXX shall be collected and handled in accordance with the Indian legislation applicable in the Pune jurisdiction. Candidates are informed beforehand about the screening activities, as required by the applicable legislation.
3.2 During Employment
- All staff and contractors shall follow the Clear Desk and Clear Screen Policy.
- Management responsibilities shall include ensuring that staff and contractors:
  - Are properly briefed on their information security roles and responsibilities before being granted access to confidential information or information systems;
  - Are provided with guidelines stating the information security expectations of their role within the XXX;
  - Are motivated to fulfil the information security policies of the XXX;
  - Achieve a level of information security awareness relevant to their roles and responsibilities within the XXX;
  - Conform to the terms and conditions of their employment or association, which include the XXX's security policy and methods of working;
  - Continue to have the appropriate skills and qualifications and are educated on a regular basis.
- Staff and contractors who are not made aware of their information security responsibilities can cause considerable damage to the XXX. Motivated personnel are likely to be more reliable and to cause fewer information security incidents.
3.3 Terms And Conditions Of Employment
- The agreement with staff and contractors states their responsibilities, and the XXX's responsibilities, for information security within the XXX.
- The agreements for staff or contractors reflect the XXX's information security policies and, in addition, clarify and state:
  - That all staff and contractors who are given access to confidential information are briefed on the information security guidelines;
  - Responsibilities for the classification of information and for the management of the XXX's assets associated with information, information processing facilities and information services handled by the staff or contractor;
  - Responsibilities of the staff or contractor for the handling of information received from interested parties;
  - Actions to be taken if the staff or contractor disregards the XXX's security requirements.
- Information security roles and responsibilities shall be communicated to job candidates during the pre-employment process.
- The XXX ensures that staff and contractors agree to terms and conditions concerning information security that are appropriate to the nature and extent of the access they will have to the XXX's assets associated with information systems and services.
- Where appropriate, responsibilities contained within the terms and conditions of employment shall continue for a defined period after the end of the employment.
- A Non-Disclosure Agreement (NDA) shall be signed by all staff and contractors.
3.4 Information Security Awareness And Training
- All employees of the XXX and, where relevant, contractors shall receive appropriate awareness education and training, and regular updates on XXX policies and procedures, as relevant to their job function.
- Awareness, education and training can be part of, or conducted in collaboration with, other training activities, for example general IT or general security training. Awareness, education and training activities shall be suitable for and relevant to the individual's roles, responsibilities and skills.
- An assessment of the employee's or contractor's understanding shall be conducted at the end of each awareness, education and training course to verify that knowledge has been transferred.
3.5 Compliance With Rules And Regulations
- By signing the appointment letter, an employee is deemed to have accepted all the policies, rules, regulations, terms and conditions framed from time to time by the concerned authorised officers.
- During employment, the terms of employment of employees and contractors shall be governed by the policies and rules framed from time to time, covering, among other things, discipline and the Code of Conduct.
3.6 Confidentiality And Non-Disclosure
Whether held in written or verbal form, or contained in computer hardware or software, disk, hard disk, tape or other media, the XXX's information is of substantial value, is highly confidential and is not known to the general public. Such information is provided and disclosed to staff and contractors solely for use in connection with their employment or work for the XXX. An NDA shall be signed by all employees and contractors, following the procedure defined for its signing.
3.7 Alteration In The Terms Of Employment
- The XXX reserves the right to make reasonable changes to the duties of an employee or contractor according to the needs of the operation, including relocating or shifting the staff member's workplace and/or transferring the staff member to serve at any other location of the XXX.
- The XXX reserves the right to make reasonable changes to any terms or conditions of employment of any staff member, with prior notice.
3.8 Termination and Change Of Employment
- Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the staff member or contractor, and enforced.
- Changes of responsibility or employment are managed as the termination of the current responsibility or employment combined with the initiation of the new responsibility or employment.
- The Human Resources function is generally responsible for the overall termination process and shall work together with the supervising department in charge of the person leaving to manage the information security aspects of the procedure. In the case of a contractor provided through an external party, this termination process is undertaken by the external party in accordance with the contract between the XXX and the external party.
- The Establishment Department shall inform employees and contractors of changes to personnel and operating arrangements.
3.9 Disciplinary Action
- There shall be a formal, communicated disciplinary process in place to take action against employees who have committed an information security breach.
- Disciplinary action shall be taken by management according to the severity of the event.
The services of an employee may be terminated after giving one month's prior notice, as per the terms of the appointment or service agreement, if any, or by payment of basic salary in lieu of notice. Alternatively, any pending salary or financial reimbursements may be cleared and the employment terminated immediately after settlement of the same.
3.11 Staff Exit Policy
- Processes shall be implemented to ensure that all access rights of users of the XXX's information systems are removed in a timely manner upon termination or suspension of their employment, contract or agreement, and adjusted upon a change of employment or responsibility.
- Processes and responsibilities shall be agreed upon and implemented to enable emergency suspension of a user's access when that access is considered a risk to the XXX or its systems.
- The Establishment Department shall complete the user's clearance certificate and have it signed by the in-charge of the user's reporting department before the user's last working day.
Any staff member or contractor who is found to have violated these policies may be subject to disciplinary action, up to and including termination of employment or legal action, depending on the degree of the offence committed.
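The exit controls above are only effective if someone periodically checks that they were actually carried out. The following script is an added example, not part of this policy or of any XXX procedure: it reconciles a constructed HR roster against a constructed account export and flags (a) leavers whose accounts are still enabled after their last working day plus a grace period, (b) logins recorded after a leaver's last working day, and (c) accounts that have no HR record at all and are not on a known service-account list. The field names, the one-day grace period and the service-account allow-list are assumptions for the example.

```python
"""Offboarding reconciliation check (added example; not part of the policy).

Compares an HR roster with an account export and reports access that should
have been removed. All data below is constructed sample input; field names,
the grace period and the service-account list are assumptions.
"""
from datetime import date, timedelta

# Constructed sample HR roster: employment status and last working day.
HR_ROSTER = [
    {"user": "asharma", "status": "left",   "last_day": date(2024, 3, 29)},
    {"user": "rkumar",  "status": "left",   "last_day": date(2024, 4, 5)},
    {"user": "pmehta",  "status": "left",   "last_day": date(2024, 4, 30)},  # serving notice
    {"user": "jdoe",    "status": "active", "last_day": None},
]

# Constructed sample account export from the identity system (field names assumed).
ACCOUNTS = [
    {"user": "asharma",    "enabled": True,  "last_login": date(2024, 4, 8)},
    {"user": "rkumar",     "enabled": False, "last_login": date(2024, 4, 4)},
    {"user": "pmehta",     "enabled": True,  "last_login": date(2024, 4, 9)},
    {"user": "jdoe",       "enabled": True,  "last_login": date(2024, 4, 9)},
    {"user": "svc-backup", "enabled": True,  "last_login": date(2024, 4, 9)},
    {"user": "tghost",     "enabled": True,  "last_login": None},
]

# Assumed allow-list of non-personal accounts that legitimately have no HR record.
SERVICE_ACCOUNTS = frozenset({"svc-backup"})


def reconcile(roster, accounts, today, grace_days=1, service_accounts=frozenset()):
    """Compare the HR roster with the account export and return three lists.

    overdue          - (user, days overdue): still enabled after last day + grace period
    post_exit_logins - (user, login date): a login recorded after the last working day
    orphans          - user ids with an account but no HR record and not a service account
    """
    hr = {rec["user"]: rec for rec in roster}
    findings = {"overdue": [], "post_exit_logins": [], "orphans": []}
    for acct in accounts:
        uid = acct["user"]
        rec = hr.get(uid)
        if rec is None:
            # No owner in HR: either a known service account or an orphan to investigate.
            if uid not in service_accounts:
                findings["orphans"].append(uid)
            continue
        if rec["status"] != "left" or rec["last_day"] is None:
            continue  # current staff or contractor: nothing to check here
        deadline = rec["last_day"] + timedelta(days=grace_days)
        if acct["enabled"] and today > deadline:
            findings["overdue"].append((uid, (today - deadline).days))
        if acct["last_login"] is not None and acct["last_login"] > rec["last_day"]:
            findings["post_exit_logins"].append((uid, acct["last_login"].isoformat()))
    return findings


def run_sample():
    """Run the check against the constructed sample as of 10 April 2024."""
    return reconcile(HR_ROSTER, ACCOUNTS, date(2024, 4, 10),
                     service_accounts=SERVICE_ACCOUNTS)


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(f"{kind}: {items}")
```

On the sample data the check reports asharma as still enabled 11 days after the grace deadline and as having logged in after the last working day, rkumar as correctly disabled, pmehta as not yet due, and tghost as an account with no owner. A disabled-but-not-deleted account (rkumar) is deliberately not reported; whether dormant accounts must also be deleted after a retention period is a matter for the procedure, not this check.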
Sample Employment Contractual Agreement
Employee Information and Technology Security Agreement
I acknowledge that [name of organization]’s information and technology security policies, guidelines, and procedures have been made available to me for review and consideration. I also certify that I have been given ample opportunity to have any and all questions about my responsibilities addressed. I am, therefore, aware that I am accountable for information and technology security procedures as they govern the acceptable performance of my job. I understand that failure to abide by any and all policies, guidelines, and procedures can result in organizational, civil, or criminal action and/or the termination of my employment.
Signature: ______________________________ Printed Name: ______________________________
Job Title: ___________________________________ Date: ______/_____/______
Contractor/Consultant/Outsider Information and Technology Security Agreement
I acknowledge that [name of organization] has provided me with adequate time to review and consider the information and technology security policies, guidelines, and procedures it deems applicable to responsibilities I am undertaking on behalf of [name of organization], regardless of my employment status. I also certify that I have been given ample opportunity to have any and all questions about my responsibilities addressed. I am, therefore, aware that I am accountable for those information and technology security procedures as they relate to my work for, or on the behalf of, [name of organization]. I understand that failure to abide by any and all policies, guidelines, and procedures can result in organizational, civil, or criminal action and/or the termination of my relationship with [name of organization].
Signature: ______________________________ Printed Name: ______________________________
Affiliation: ___________________________________ Date: ______/_____/______