Human Resource Security ISO/IEC 27001:2013 Pham Minh Man


Page 1: Pham Minh Man.  HR security  Prior to employment  During employment  Termination and change of employment  Summarize

Human Resource Security

ISO/IEC 27001:2013 – Pham Minh Man

Page 2: Agenda

◦ HR security
◦ Prior to employment
◦ During employment
◦ Termination and change of employment
◦ Summarize

Page 3: HR security – A.7

Human resources security should reduce the risk of theft, fraud or misuse of information facilities by employees, contractors and third-party users.

It extends to all persons within and external to the organization who use (or may use) information or information processing facilities.

It should be defined and documented in accordance with the organization's information privacy and security policies.

Three states: before, during, and after employment.

Page 4: Prior to employment – A.7.1

Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

◦ Screening – A.7.1.1
◦ Terms and conditions of employment – A.7.1.2

Page 5: Screening – A.7.1.1

Control: Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics, and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

Page 6: Screening – A.7.1.1 – Implementation

Verification should take into account all relevant privacy, protection of personally identifiable information, and employment-based legislation, and should, where permitted, include:

◦ Satisfactory character references
◦ Applicant's curriculum vitae
◦ Academic and professional qualifications
◦ Independent identity verification (passport, ...)
◦ Others: credit review or criminal record review

Page 7: Screening – A.7.1.1 – Implementation (cont.)

When an individual is hired for a specific information security role, the organization should make sure the candidate:

◦ Has the necessary competence to perform the security role (government, Ward People's Committee, ...)
◦ Can be trusted to take on the role (relationships, good CV, ...)
◦ Undergoes more verification when the job involves access to confidential data (financial data, ...)

Page 8: Screening – A.7.1.1 – Implementation (cont.)

The procedures should define criteria and limitations for verification reviews (who is eligible to screen people, how, when, and why).

The agreement between the organization and the contractor should specify responsibility for conducting the screening, and the notification procedures to be followed if screening has not been completed or if the results give cause for doubt or concern.

Information on all candidates is collected and handled in accordance with any appropriate legislation existing in the relevant jurisdiction. Depending on the legislation, candidates should be informed before screening activities.

Page 9: Terms and conditions of employment – A.7.1.2

Elements of a contract which define the relationship between an employer and an employee, including information on conditions of employment, contracts of employment (including fixed-term, short-term and temporary contracts), contractual change, probationary periods, notice periods and restrictive covenants, ...

Control: The contractual agreements with employees and contractors should state their and the organization's responsibilities for information security.

Page 10: Terms and conditions of employment – A.7.1.2 – Implementation

Contractual obligations reflect the organization's information security policies and should clarify and state that:

◦ Employees given access to confidential information should sign a confidentiality or non-disclosure agreement before being given access to information processing facilities (A.13.2.4 – Confidentiality or non-disclosure agreements)
◦ Employees' or contractors' legal responsibilities and rights (copyright laws – A.18.1.2, or data protection legislation – A.18.1.4)
◦ Responsibilities for classification of information and management of organizational assets associated with information, information processing facilities, and information services, ... (A.8)

Page 11: Terms and conditions of employment – A.7.1.2 – Implementation (cont.)

◦ Responsibilities for handling information received from other companies or external parties
◦ Disciplinary actions taken when the security requirements are disregarded (A.7.2.3)

Information security roles and responsibilities should be communicated to candidates during the pre-employment process.

Ensure that employees and contractors agree to the terms and conditions concerning information security appropriate to the nature and extent of access they will have to the organization's assets (information systems, services).

Page 12: Terms and conditions of employment – A.7.1.2 – Implementation (cont.)

Responsibilities should continue for a defined period after the end of employment.

A code of conduct may be used to state employees' and contractors' information security responsibilities and the reputable practices expected by the organization.

External parties associated with a contractor can be required to enter into contractual arrangements on behalf of the contracted individual.

Page 13: During employment – A.7.2

Objective: Ensure that employees and contractors are aware of and fulfil their information security responsibilities.

◦ Management responsibilities – A.7.2.1
◦ Information security awareness, education, and training – A.7.2.2
◦ Disciplinary process – A.7.2.3

Page 14: Management responsibilities – A.7.2.1

Control: Management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

Management responsibilities should include ensuring that employees and contractors:

◦ Are properly briefed on their role and responsibilities before being granted access to confidential information or systems
◦ Are provided with guidelines stating the information security expectations of their role in the organization

Page 15: Management responsibilities – A.7.2.1 – Implementation

◦ Are motivated to fulfil the information security policies
◦ Achieve a level of awareness of information security relevant to their role and responsibilities (A.7.2.2)
◦ Follow the terms and conditions of employment (A.7.1.2)
◦ Continue to have appropriate skills and qualifications, and are educated regularly
◦ Are provided with an anonymous reporting channel to report violations of information security policies or procedures

Page 16: Management responsibilities – A.7.2.1 – Implementation (cont.)

If employees and contractors are not made aware of their responsibilities, they can cause considerable damage to an organization. Motivated people are likely to be more reliable and cause fewer incidents.

Poor management can leave personnel feeling undervalued, which impacts the organization negatively (neglect of information security or misuse of assets).

Page 17: Information security awareness, education, and training – A.7.2.2

Control: All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

Awareness programs should make employees aware of their responsibilities for information security.

Page 18: Information security awareness, education, and training – A.7.2.2 – Implementation

Those programs should be established in line with the organization's policies and procedures, taking into consideration the organization's information to be protected and the controls implemented to protect that information.

Awareness programs should include awareness-raising activities such as an "information security day", and issuing booklets or newsletters.

Page 19: Information security awareness, education, and training – A.7.2.2 – Implementation (cont.)

Activities in awareness programs should be repeated and cover new employees and contractors. The programs should be updated regularly and be built on lessons learnt from information security incidents.

Awareness training should be performed as required. It can use different delivery media, including classroom-based, web-based, distance learning and others.

Page 20: Information security awareness, education, and training – A.7.2.2 – Implementation (cont.)

Education and training should also cover general aspects:

◦ Commitment of management to information security
◦ The need to be familiar with and comply with information security rules and obligations defined in policies, standards, laws, contracts, and agreements
◦ Basic information security procedures and baseline controls

Page 21: Information security awareness, education, and training – A.7.2.2 – Implementation (cont.)

◦ Personal accountability for one's own actions or inaction, and general responsibilities towards securing and protecting information
◦ Contact points and resources for additional information and advice on information security matters

Information security education and training should take place periodically. Initial education and training for a person transferring to a new position or role with totally different information security requirements should take place before the role becomes active.

Page 22: Information security awareness, education, and training – A.7.2.2 – Implementation (cont.)

The organization should develop an education and training program which is suitable and relevant to roles, responsibilities, and skills.

When developing an awareness program, it is important to focus not only on "what" and "how", but also on "why", so that employees deeply understand information security, its potential impact, ...

An assessment should be conducted at the end of the course to test knowledge transfer to employees.

Page 23: Disciplinary process – A.7.2.3

Control: There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

Implementation:

◦ Should not be started without prior verification that the breach has occurred (A.16.1.7 – collection of evidence)
◦ Should ensure correct and fair treatment for employees who are suspected of committing breaches of information security

Page 24: Disciplinary process – A.7.2.3 – Implementation (cont.)

◦ Should take into consideration factors such as the nature and gravity of the breach and its impact on the business, whether it is a first or repeat offence, whether the violator was properly trained, relevant legislation, business contracts, ...
◦ The disciplinary process should also be used as a deterrent to prevent employees from violating information security policies and procedures
◦ A deliberate (on purpose) breach may require immediate action
◦ The process can be used as motivation or incentive if positive sanctions are defined for remarkable behaviour with regard to information security

Page 25: Termination and change of employment – A.7.3

Objective: Protect the organization's interests as part of the process of changing or terminating employment.

◦ Termination or change of employment responsibilities – A.7.3.1

Page 26: Termination and change of employment – A.7.3.1

Control: Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor, and enforced.

Page 27: Termination and change of employment – A.7.3.1 – Implementation

Communication of termination responsibilities includes ongoing information security requirements, legal responsibilities, responsibilities contained within any confidentiality agreement (A.13.2.4 – Confidentiality or non-disclosure agreements), and terms and conditions of employment continuing for a defined period after the end of employment.

Changes of responsibilities or employment are managed as the termination of the current responsibilities or employment combined with the initiation of the new ones.

Page 28: Termination and change of employment – A.7.3.1 – Implementation (cont.)

The HR function is generally responsible for the overall termination process and works together with the supervising manager of the internal person leaving to manage the information security aspects.

For contractors provided through external parties, the termination process is undertaken by the external party in accordance with the contract between the organization and the external party.

Inform employees, customers, and contractors of changes.

Page 29: Summarize (video)

Before employment:

◦ Verify background, inform the candidate and secure candidate information
◦ State responsibilities and the terms and conditions of employment carefully and clearly in the contract

During the working period:

◦ Manage responsibilities and follow the policies and procedures of the organization. Motivate people
◦ Hold information security awareness, education, and training regularly
◦ The disciplinary process takes action against violations of policies and procedures

Termination and change of employment:

◦ Define responsibilities in the agreement for a defined period after termination or change, and enforce that people follow them.

Page 30: References

ISO/IEC, 2013, "Information technology – Security techniques – Information security management systems – Requirements", Annex A, Human resource security, p. 11.

ISO/IEC, 2013, "Information technology – Security techniques – Code of practice for information security controls", Human resource security, no. 7, pp. 9-13.

[Video source] CertificationEurope, 2012, "ISO 27001 Human Resources Security (Part 11/18)", https://www.youtube.com/watch?v=N8ZGPD4eVZU

[Online source] MILLER School of Medicine, University of Miami, "Human resources security", 'objectives' & 'scope' & 'roles and responsibilities', https://www.youtube.com/watch?v=N8ZGPD4eVZU

Page 31: References (cont.)

[Online source] ControlCase, 2012, "Information Security Management System ISO/IEC 27001:2005", slide 3, What is ISO/IEC 27001 standard, http://www.slideshare.net/ControlCase/isms-presentation-oct-202012

[Online source] ISO/IEC, 2013, "ISO/IEC 27002:2013 Information technology – Security techniques – Code of practice for information security controls (second edition)", Human resource security, section 7, http://www.iso27001security.com/html/27002.html#Foreword

[Online source] CIPD, "Terms and Conditions of Employment", http://www.cipd.co.uk/hr-topics/terms-conditions-employment.aspx

[Online source] Ibec, "During employment", https://www.ibec.ie/IBEC/ES.nsf/vPages/Employment_law~during-employment?OpenDocument#.VjBMlUajLgZ