Human Resource Security
ISO/IEC 27001:2013
Pham Minh Man
Agenda
◦ HR security
◦ Prior to employment
◦ During employment
◦ Termination and change of employment
◦ Summary
HR security – A.7
Human resources security should reduce the risk of theft, fraud or misuse of information facilities by employees, contractors and third-party users.
Extend to all the persons within and external to the organization that do (or may) use information or information processing facilities.
Be defined and documented in accordance with the organization's information privacy and security policies.
3 states: before, during, and after employment
Prior to employment – A.7.1
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
◦ Screening – A.7.1.1
◦ Terms and conditions of employment – A.7.1.2
Screening – A.7.1.1
Control: Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics, and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Verification should take into account all relevant privacy, protection of personally identifiable information and employment-based legislation, and should, where permitted, include:
◦ Satisfactory character references
◦ Applicant's curriculum vitae
◦ Academic and professional qualifications
◦ Independent identity verification (passport, ...)
◦ Others: credit review or criminal record review
Screening – A.7.1.1 – Implementation
When an individual is hired for a specific information security role, the organization should make sure the candidate:
◦ Has the necessary competence to perform the security role (government, Ward People's Committee, ...)
◦ Can be trusted to take on the role (relationships, good CV, ...)
◦ Receives more verification when the job involves access to confidential data (financial data, ...)
Screening – A.7.1.1 – Implementation (cont.)
The procedures should define the criteria and limitations for verification reviews (who is eligible to screen people, and how, when and why).
The agreement between the organization and the contractor should specify the responsibility for conducting the screening and the notification procedures that need to be followed if screening has not been completed or if the results give cause for doubt or concern.
Information on all candidates should be collected and handled in accordance with any appropriate legislation existing in the relevant jurisdiction. Depending on the legislation, candidates should be informed before screening activities.
Terms and conditions of employment – A.7.1.2
Elements of a contract which define the relation between an employer and an employee, including information on conditions of employment, contracts of employment including fixed-term, short-term and temporary contracts, contractual change, probationary periods, notice periods and restrictive covenants, ...
Control: The contractual agreements with employees and contractors should state their and the organization’s responsibilities for information security
Terms and conditions of employment – A.7.1.2 – Implementation
Contractual obligations should reflect the organization's information security policies and clarify and state:
◦ Employees given access to confidential information should sign a confidentiality or non-disclosure agreement before being given access to information processing facilities (A.13.2.4 – Confidentiality or non-disclosure agreements)
◦ The employee's or contractor's legal responsibilities and rights (copyright law – A.18.1.2, or data protection legislation – A.18.1.4)
◦ Responsibilities for the classification of information and the management of organizational assets associated with information, information processing facilities and information services, ... (A.8)
Terms and conditions of employment – A.7.1.2 – Implementation (cont.)
◦ Responsibilities for handling information received from other companies or external parties
◦ Disciplinary actions taken when the employee or contractor disregards the security requirements (A.7.2.3)
Information security roles and responsibilities should be communicated to candidates during the pre-employment process.
Ensure that employees and contractors agree to the terms and conditions concerning information security, appropriate to the nature and extent of the access they will have to the organization's assets (information systems, services).
Terms and conditions of employment – A.7.1.2 – Implementation (cont.)
Responsibilities should continue for a defined period after the end of employment.
A code of conduct may be used to state the employee's and contractor's information security responsibilities and the reputable practices expected by the organization.
External parties that supply contractors can be required to enter into contractual arrangements on behalf of the contracted individual.
During employment – A.7.2
Objective: Ensure that employees and contractors are aware of and fulfil their information security responsibilities.
◦ Management responsibilities – A.7.2.1
◦ Information security awareness, education and training – A.7.2.2
◦ Disciplinary process – A.7.2.3
Management responsibilities – A.7.2.1
Control: Management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.
Management responsibilities should include ensuring that employees and contractors:
◦ Are properly briefed on their information security roles and responsibilities before being granted access to confidential information or systems
◦ Are provided with guidelines stating the information security expectations of their role in the organization
◦ Are motivated to fulfil the information security policies
◦ Achieve a level of awareness of information security relevant to their roles and responsibilities (A.7.2.2)
◦ Follow the terms and conditions of employment (A.7.1.2)
◦ Continue to have the appropriate skills and qualifications, and are educated regularly
◦ Are provided with an anonymous reporting channel to report violations of information security policies or procedures
Management responsibilities – A.7.2.1 – Implementation
If employees and contractors are not made aware of their responsibilities, they can cause considerable damage to an organization. Motivated people are likely to be more reliable and cause fewer incidents.
Poor management can cause personnel to feel undervalued, which impacts the organization negatively (neglect of information security or misuse of assets).
Information security awareness, education and training – A.7.2.2
Control: All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
Awareness programs should make employees aware of their responsibilities for information security.
Those programs should be established in line with the organization's policies and procedures, taking into consideration the organization's information to be protected and the controls implemented to protect it.
Awareness programs should include awareness-raising activities such as “information security day”, and issuing booklets or newsletters
Information security awareness, education, and training – A.7.2.2 - Implementation
Activities in awareness programs should be repeated and cover new employees and contractors. The programs should be updated regularly, and be built on lessons learnt from information security incidents
Awareness training should be performed as required. It can use different delivery media including classroom-based, web-based, distance learning and others
Information security awareness, education and training – A.7.2.2 – Implementation (cont.)
Education and training should also cover general aspects:
◦ Commitment of management to information security
◦ The need to be familiar with and comply with information security rules and obligations defined in policies, standards, laws, contracts and agreements
◦ Basic information security procedures and baseline controls
Information security awareness, education, and training – A.7.2.2 – Implementation(Cont.)
◦ Personal accountability for one's own actions or inaction, and general responsibilities towards securing and protecting information
◦ Contact points and resources for additional information and advice on information security matters
Information security education and training should take place periodically. Initial education and training for a person transferring to a new position or role with totally different information security requirements should take place before the role becomes active.
Information security awareness, education, and training – A.7.2.2 – Implementation(Cont.)
The organization should develop an education and training program that is suitable for and relevant to roles, responsibilities and skills.
When developing an awareness program, it is important to focus not only on "what" and "how", but also on "why", so that employees understand information security and its potential impact in depth, ...
An assessment should be conducted at the end of the course to test knowledge transfer to employees.
Disciplinary process – A.7.2.3
Control: There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
Implementation:
◦ Should not be started without prior verification that the breach has occurred (A.16.1.7 – collection of evidence)
◦ Should ensure correct and fair treatment for employees who are suspected of committing breaches of information security
◦ Should take into consideration factors such as the nature and gravity of the breach and its impact on the business, whether it is a first or repeat offence, whether the violator was properly trained, relevant legislation, business contracts, ...
◦ Should also be used as a deterrent to prevent employees from violating information security policies and procedures
◦ Deliberate (on purpose) breaches may require immediate action
◦ Can be used as motivation or incentive if positive sanctions are defined for remarkable behaviour with regard to information security
Termination and change of employment – A.7.3
Objective: Protect the organization's interests as part of the process of changing or terminating employment.
Termination or change of employment responsibilities – A.7.3.1
Control: Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor, and enforced.
Communication of termination responsibilities includes on-going information security requirements, legal responsibilities, responsibilities contained within any confidentiality agreement (A.13.2.4 – Confidentiality or non-disclosure agreements), and the terms and conditions of employment that continue for a defined period after the end of employment.
Changes of responsibilities or employment are managed as the termination of the current responsibilities or employment combined with the initiation of the new ones.
Termination and change of employment – A.7.3.1 - Implementation
The HR function is generally responsible for the overall termination process and works together with the supervising manager of the person leaving to manage the information security aspects.
For contractors provided through external parties, the termination process is undertaken by the external party in accordance with the contract between the organization and the external party.
Inform employees, customers and contractors of the changes.
Summary (video)
Before employment:
◦ Verify background, inform the candidate and secure candidate information
◦ State responsibilities, terms and conditions of employment carefully and clearly in the contract
During the working period:
◦ Manage responsibilities and follow the policies and procedures of the organization. Motivate people
◦ Provide information security awareness, education and training regularly
◦ The disciplinary process takes action against violations of policies and procedures
Termination and change of employment:
◦ Define responsibilities in the agreement for a defined period after termination or change, and enforce them.
References
ISO/IEC, 2013, "Information technology – Security techniques – Information security management systems – Requirements", Annex A, Human resource security, p. 11.
ISO/IEC, 2013, "Information technology – Security techniques – Code of practice for information security controls", Human resource security, no. 7, pp. 9–13.
[Video source] CertificationEurope, 2012, "ISO 27001 Human Resources Security (Part 11/18)", https://www.youtube.com/watch?v=N8ZGPD4eVZU
[Online source] Miller School of Medicine, University of Miami, "Human resources security", 'objectives', 'scope' and 'roles and responsibilities', https://www.youtube.com/watch?v=N8ZGPD4eVZU
[Online source] ControlCase, 2012, "Information Security Management System ISO/IEC 27001:2005", slide 3, What is the ISO/IEC 27001 standard, http://www.slideshare.net/ControlCase/isms-presentation-oct-202012
[Online source] ISO/IEC, 2013, "ISO/IEC 27002:2013 Information technology – Security techniques – Code of practice for information security controls (second edition)", Human resource security, section 7, http://www.iso27001security.com/html/27002.html#Foreword
[Online source] CIPD, "Terms and Conditions of Employment", http://www.cipd.co.uk/hr-topics/terms-conditions-employment.aspx
[Online source] Ibec, "During employment", https://www.ibec.ie/IBEC/ES.nsf/vPages/Employment_law~during-employment?OpenDocument#.VjBMlUajLgZ