Human Resource Management
People play a major role in implementing security-driven procedures and processes, so it is critical that those who manage the organisation’s human resources are aware of their obligations in relation to security.
Each phase of the employment life-cycle can have an impact on elements of the company’s technology and security framework. This demands alignment between the Information Security Management System (ISMS) and all employment processes: the recruitment of new employees, changes of role within the organisation, and the processes around employees leaving the company.
The ISMS should include guidelines and policies for the organisation in the following topics:
- Recruitment / Prior to Employment
- Screening / Employee Checks
- Onboarding / Induction and Training
- Awareness / Ongoing Education
- Change or Termination of Employment
This topic is obviously relevant for large organisations with a range of different departments and roles, many of which involve the use of technology and the security measures that must be observed. However, even in smaller organisations, the principles behind the ISMS policies on human resources are still valid. In mid-size and small companies, there may be fewer individuals responsible for functions that a larger company would split across several roles. This concentrates risk: a small number of individuals access many systems and information sets, and separation of duties is harder to achieve. Policies therefore need to be adapted to the smaller scale of the operating environment, and special consideration should be given to how employee education and training can be used to highlight these challenges.
To provide clarity during the recruitment process, recruiting managers need to be familiar with employment legislation, the company’s own HR guidelines and the recruitment process itself. This is essential if recruiters are to make the best decisions during the recruitment effort. Also important for the recruiter is knowledge of the technology in place within the organisation and how different roles interact with it. This knowledge allows recruiters to consider the security risks associated with each role, so that sensible decisions can be made.
To aid the recruiter, initial screening of candidates’ CVs and work history should be carried out, and the candidate’s identity must be confirmed. Anything uncovered during screening that points to a risk of fraud, misuse of facilities or theft can influence a candidate’s suitability. This is especially important where handling of cash and financial information is part of the role. For some industries, a police check may be necessary to determine whether criminal convictions are present, which may influence whether a candidate is suitable for a particular role.
At the employment offer stage, or possibly earlier, reference checks and qualification validation should be done using a standard process. The Terms and Conditions of Employment should set out the security responsibilities of the role. This is especially important for roles that involve access to sensitive systems and information.
Onboarding should include training relevant to the role. Training of all new employees must include raising awareness of security and of the ISMS policies in place. This should cover how to deal with security incidents and the appropriate channels for reporting security-related matters.
Change or termination of employment, and the disciplinary process, should include measures designed to prevent information leakage or malicious damage to data and systems. This should include processes to ensure that user accounts and privileges are removed promptly when someone leaves, that privileges no longer needed after a change of role are removed rather than accumulated, and that company-provided premises access cards, identity cards, technology devices, etc. are returned.
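The leaver and change-of-role checks described above are usually enforced by reconciling the HR feed against the identity store on a schedule. The following is an added example, not code from the original post: a small joiner/mover/leaver reconciliation over constructed HR records and directory accounts. The role-to-group entitlement matrix, the user and group names, the asset names and the dates are all hypothetical. It flags terminated staff whose accounts are still enabled (and whether a login happened after the end date), active staff holding groups their current role does not entitle them to, accounts with no HR owner, and issued assets that have not been returned.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed role-to-entitlement matrix (hypothetical group names): the groups
# each role is allowed to hold. Anything beyond this is excess privilege.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"all-staff", "finance-readonly", "erp-users"},
    "sysadmin": {"all-staff", "vpn", "domain-admins", "backup-operators"},
    "developer": {"all-staff", "vpn", "git-write"},
}


@dataclass
class HrRecord:
    """One row of the (constructed) HR feed."""
    user_id: str
    status: str                      # "active" or "terminated"
    role: str
    end_date: date | None = None     # set when status == "terminated"
    assets_issued: set = field(default_factory=set)
    assets_returned: set = field(default_factory=set)


@dataclass
class Account:
    """One account as exported from the (constructed) identity store."""
    user_id: str
    enabled: bool
    groups: set
    last_login: date | None = None


@dataclass
class Finding:
    kind: str
    user_id: str
    detail: str


def reconcile(hr_records, accounts, today):
    """Compare the identity store against the HR feed and return the findings."""
    hr_by_id = {r.user_id: r for r in hr_records}
    findings = []
    for acct in accounts:
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            # Nobody in HR owns this account: a stale or shadow identity.
            findings.append(Finding("orphan-account", acct.user_id, "no HR record"))
            continue
        if rec.status == "terminated":
            if acct.enabled:
                overdue = (today - rec.end_date).days
                findings.append(Finding("leaver-still-enabled", acct.user_id,
                                        f"{overdue} days after end date"))
            if acct.last_login and rec.end_date and acct.last_login > rec.end_date:
                # Activity after the end date is an incident, not just a hygiene gap.
                findings.append(Finding("post-termination-login", acct.user_id,
                                        f"last login {acct.last_login.isoformat()}"))
            outstanding = rec.assets_issued - rec.assets_returned
            if outstanding:
                findings.append(Finding("assets-not-returned", acct.user_id,
                                        ", ".join(sorted(outstanding))))
            continue
        # Active staff: groups beyond the current role's entitlement are usually
        # left over from a previous role (the "mover" case).
        excess = acct.groups - ROLE_ENTITLEMENTS.get(rec.role, set())
        if excess:
            findings.append(Finding("excess-privilege", acct.user_id,
                                    ", ".join(sorted(excess))))
    return findings


def sample_findings():
    """Run the reconciliation over constructed sample data."""
    today = date(2024, 3, 8)
    hr = [
        HrRecord("alice", "active", "finance-analyst"),   # moved here from developer
        HrRecord("bob", "terminated", "developer", end_date=date(2024, 3, 1),
                 assets_issued={"laptop", "access-card"}, assets_returned={"laptop"}),
        HrRecord("carol", "active", "sysadmin"),
        HrRecord("erin", "terminated", "sysadmin", end_date=date(2024, 2, 15),
                 assets_issued={"laptop"}, assets_returned={"laptop"}),
    ]
    accounts = [
        Account("alice", True, {"all-staff", "finance-readonly", "erp-users", "git-write"}),
        Account("bob", True, {"all-staff", "vpn", "git-write"}, last_login=date(2024, 3, 4)),
        Account("carol", True, {"all-staff", "vpn", "domain-admins", "backup-operators"}),
        Account("dave", True, {"all-staff"}),            # no HR record at all
        Account("erin", False, {"all-staff"}, last_login=date(2024, 2, 10)),
    ]
    return reconcile(hr, accounts, today)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.kind:24} {f.user_id:8} {f.detail}")
```

In the sample data, `erin` and `carol` produce no findings: the leaver is disabled with assets returned, and the sysadmin holds exactly the groups the role entitles. Each finding kind maps naturally to an owner (HR for assets, the identity team for accounts, the line manager for excess groups), and the `post-termination-login` case is the one that should be routed to incident response rather than to a hygiene queue.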
More To Come...
Look out for the next instalment in this topic.