A7. Human resource security
The crucial task for the HR department when it comes to information security is to be proactive rather than reactive. It is not appropriate to rely solely on your IT department to make sure staff are educated about data loss and how to prevent it.
HR professionals have to ensure that employees comply with security policies.
The purpose of this standard is to set rules that apply before, during and after the termination of employment.
The controls in this section ensure that people who are under the organization’s control and can affect information security are fit for their work and know their responsibilities, and that any changes in employment conditions will not hamper information security.
The following terms are used to identify who within the organization is Accountable, Responsible, Consulted or Informed with regard to the policy.
- Accountable: The person who has accountability and authority for the policy.
- Responsible: The person(s) responsible for developing and implementing the policy.
- Consulted: The person who is consulted prior to finalizing the policy implementation.
- Informed: The person to be informed after policy implementation.
There are 3 areas of human resource security:
- Prior to employment: In this phase, roles and responsibilities for the job are defined. Access control over sensitive data must also be defined. During this phase, contract terms should also be established.
- During employment: Employees who have access to sensitive information should receive periodic reminders regarding their roles and responsibilities.
- Termination and change of employment: This phase includes the return of any assets of the organization that were held by the employee. To prevent unauthorized access to sensitive information, access must be revoked immediately upon termination of an employee who has access to such information.
The objective of human resource security is to ensure that employees, contractors and third-party users understand their responsibilities and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.