Personnel Security Policy – Best Practices
Posted by Superadmin on September 16 2022 06:06:31

PUBLISHED DATE: JANUARY 22, 2019

The purpose of the personnel security policy should be to establish controls on the hiring, training, and termination of all personnel (e.g. employees, contractors) to enforce compliance with the information security program. In addition, the organization should commit to providing employees and contractors a safe work environment. This includes a work environment that is free of harassment on the basis of race, color, religion, sex, national origin, age, or disability.

Who is responsible for security?

Every workforce member, contractor, service provider, and vendor is responsible for systems security to the degree that the function requires the use of information and associated systems.

All positions interacting with information resources should be required to undergo formal processes for access granting, change, and termination. Those positions working with especially sensitive information or powerful privilege should be analyzed to determine any potential vulnerability associated with work in those positions.

The security program is intended to safeguard the workforce member as well as information systems and information assets including protected health information.

This includes protecting assets from unauthorized access, disclosure, modification, destruction, or interference. All personnel are expected to execute appropriate security processes or activities to safeguard information systems and assets. Individuals should be assigned responsibility over any and all actions taken or activities that occur under their scope of responsibilities.

All personnel should be provided documented roles/responsibilities over security and assigned critical/sensitive risk designations based upon their roles within the organization commensurate with screening criteria for the job they are assigned. These security roles/responsibilities should be well communicated to them and should be reviewed/revised annually.

All personnel should be briefed on their security roles/responsibilities, and each user should be required to conform with the terms of their employment prior to gaining access to information systems.

Assigned security resources should have additional roles/responsibilities defined. All personnel are expected to implement and act in accordance with the organization’s information security policies/procedures. Personnel should report any security events, potential events, or other security risks to their immediate supervisor or security team.

How is it defined?

Through policy, standards, guidelines, and procedures, the personnel security program should formally address the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance requirements.

Hiring Practices

Pre-employment process

The pre-employment process should be reviewed by recruitment to ensure security roles/responsibilities are specifically defined (in writing) and clearly communicated to job candidates.

Each new hire granted access to information and other classified data should undergo a background check. Any past activity that would subject sensitive systems and data to risk due to a workforce member’s past behavior should be cause to terminate the employment relationship.

Effective personnel screening processes should be applied to allow a range of implementation, from minimal procedures to more stringent procedures, based on the results of the risk analysis performed.

Training

Department managers, with Information Technology (IT) or Information Security, should be responsible for providing security orientation and ongoing instruction to new and existing end-users regarding their department’s utilization of information systems. IT should be responsible for informing end-users of pending operational changes and for assisting them once the changes are in place.

New Hire Orientation

Each new-hire should complete orientation training to include an overview of security policies and procedures. The security policies should include end-user acceptable use, as well as data handling and disposal training, in addition to other security safeguards. Moreover, these workforce members should receive network training, as well as training for the use of the systems and applications required to perform their job functions.

Security Awareness or Reminders

The security team should provide continuing security education using sign-in banners, posters, memos, promotions, letters, and periodic meetings to reinforce security training concepts. The security awareness training should reflect security concerns and issues that have the potential to compromise the confidentiality, integrity, or availability of sensitive information. The security reminders may also communicate new or ongoing security activities and initiatives.

Termination Processes

The following standards should be followed upon the resignation of any personnel, member of Management, IT Staff, or third-party service provider:

IT Staff Resignation or Termination

Suggested reading:
Acceptable Use Policy
Access Control Best Practices

Conclusion

In conclusion, the organization should recognize that all personnel are the greatest resource in maintaining an effective level of security. At the same time, internal threats can create the greatest risks to information security. No security program can be effective without maintaining personnel awareness and motivation.