The purpose of the personnel security policy should be to establish controls on the hiring, training, and termination of all personnel (e.g. employees, contractors) to enforce compliance with the information security program. In addition, the organization should commit to providing employees and contractors a safe work environment. This includes a work environment that is free of harassment on the basis of race, color, religion, sex, national origin, age, or disability.
Who is responsible for security?
Every workforce member, contractor, service provider, and vendor is responsible for systems security to the degree that the function requires the use of information and associated systems.
All positions interacting with information resources should be required to undergo formal processes for access granting, change, and termination. Those positions working with especially sensitive information or powerful privilege should be analyzed to determine any potential vulnerability associated with work in those positions.
The security program is intended to safeguard the workforce member as well as information systems and information assets including protected health information.
This includes protecting assets from unauthorized access, disclosure, modification, destruction, or interference. All personnel are expected to execute appropriate security processes or activities to safeguard information systems and assets. Individuals should be held accountable for any and all actions taken or activities that occur within their scope of responsibility.
All personnel should be provided documented roles/responsibilities over security and assigned critical/sensitive risk designations based upon their roles within the organization commensurate with screening criteria for the job they are assigned. These security roles/responsibilities should be well communicated to them and should be reviewed/revised annually.
All personnel should be briefed on their security roles/responsibilities, and each user should be confirmed to conform with the terms of their employment prior to gaining access to information systems.
Assigned security resources should have additional roles/responsibilities defined. All personnel are expected to implement and act in accordance with the organization’s information security policies/procedures. Personnel should report any security events, potential events, or other security risks to their immediate supervisor or security team.
How is it defined?
Through policy, standards, guidelines, and procedures, the personnel security program should formally address the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance requirements.
Hiring Practices
Pre-employment process
The pre-employment process should be reviewed by recruitment to ensure security roles/responsibilities are specifically defined (in writing) and clearly communicated to job candidates.
Each new hire granted access to information and other classified data should undergo a background check. Any past behavior of a workforce member that would expose sensitive systems and data to risk should be cause to terminate the employment relationship.
Effective personnel screening processes should be applied to allow a range of implementation, from minimal procedures to more stringent procedures, based on the results of the risk analysis performed.
Training
Department managers, together with Information Technology (IT) or Information Security, should be responsible for providing security orientation and ongoing instruction to new and existing end-users regarding their department's utilization of information systems. IT should be responsible for informing end-users of pending operational changes and for assisting them once the changes are in place.
New Hire Orientation
Each new hire should complete orientation training that includes an overview of security policies and procedures. The security policies should include end-user acceptable use, as well as data handling and disposal training, in addition to other security safeguards. Moreover, these workforce members should receive network training, as well as training for the use of the systems and applications required to perform their job functions.
Security Awareness or Reminders
The security team should provide continuing security education using sign-in banners, posters, memos, promotions, letters, and periodic meetings to reinforce security training concepts. The security awareness training should reflect security concerns and issues that have the potential to compromise the confidentiality, integrity, or availability of sensitive information. The security reminders may also communicate new or ongoing security activities and initiatives.
Termination Processes
The following standards should be followed upon the resignation of any workforce member, member of management, IT staff member, or third-party service provider:
- IT should remove their access from any systems or applications that process sensitive information.
- All digital certificates should be revoked.
- Any tokens or smart cards issued to them should be returned.
- Any keys and IDs provided to them during their employment should be returned.
- All physical access to the facilities should be removed immediately.
- They should not be provided any access to their desk or office; any such access, if provided, should be limited and carefully supervised.
IT Staff Resignation or Termination
- A determination should be made by management as to whether to allow the worker to work during the notice period or to have them leave immediately.
- Each of the above termination procedures should be followed.
Suggested reading:
- Acceptable Use Policy
- Access Control Best Practices
Conclusion
In conclusion, the organization should recognize that its personnel are the greatest resource in maintaining an effective level of security. At the same time, internal threats can create the greatest risks to information security. No security program can be effective without maintaining personnel awareness and motivation.