

h4. Table of Contents

* *[#Overview]* *\|* *[#Standards]* *\|* *[#Getting Started]* *\|* *[#Resources]*
* *[Pre-Employment|#Prior]* *(ISO 8.1)*
* *[During Employment|#During]* *(ISO 8.2)*
* *[Termination or Change of Employment|#Post]* *(ISO 8.3)*


h4. *Overview*

Employees handling personal data in an organization need to receive appropriate awareness training and regular updates in an effort to safeguard the data entrusted to them. Appropriate roles and responsibilities assigned for each job description need to be defined and documented in alignment with the organization's security policy. The institution's data must be protected from unauthorized access, disclosure, modification, destruction or interference. The management of human resources security and privacy risks is necessary during all phases of employment association with the organization. Training to enhance awareness is intended to educate individuals to prevent data disclosure, recognize information security problems and incidents, and respond according to the needs of their work role.

Safeguards include the following:
* job descriptions and screening,
* user awareness and training,
* a disciplinary process, and
* an orderly exit process.

These safeguards must exist to equip employees to operate securely and use information appropriately, and to ensure that access privileges change when a user's relationship with the University changes.

The objective of Human Resources Security is to ensure that all employees (including contractors and any user of sensitive data) are qualified for their roles, understand the responsibilities of their job duties, and have their access removed once employment is terminated. The three areas of Human Resources Security are:
* *Pre-Employment:* This topic includes defining the roles and responsibilities of the job, defining appropriate access to sensitive information for the job, and determining the depth of candidate screening, all in accordance with the company's information security policy. During this phase, contract terms should also be established.
* *During Employment:* Employees with access to sensitive information in an organization should receive periodic reminders of their responsibilities and receive ongoing, updated security awareness training to ensure their understanding of current threats and the corresponding security practices that mitigate them.
* *Termination or Change of Employment:* To prevent unauthorized access to sensitive information, access must be revoked immediately upon termination or separation of an employee with access to such information. This also includes the return of any assets of the organization that were held by the employee.

[#Top] of page


h4. Standards

|| [ISO|] || [NIST|] || [COBIT|] || [PCI DSS|] ||
| *27002: Information Security Management* \\
*Chapter 8*: Human Resources Security \\
\\ | *800-12*: An Introduction to Computer Security - The NIST Handbook \\
Chapter 3 - Roles and Responsibilities \\
Chapter 10 - Personnel/Users Issues \\
Chapter 13 - Awareness, Training and Education \\
*800-100*: Information Security Handbook: A Guide for Managers \\
*800-50*: Building an Information Technology Security Awareness and Training Program \\
*800-14*: Generally Accepted Principles and Practices for Securing Information Technology Systems \\
\\ | *PO4* \\
*PO7* \\
*PO9* \\ | *Requirement 6* \\
*Requirement 12* \\ |

In addition to the standards listed here, please check out this [cross-referenced matrix|] (developed by Symantec), which outlines IT Controls for security and privacy concerns related to regulatory compliance in the workplace, including ISO 17799, COBIT 4.0, Sarbanes Oxley, HIPAA, PCI DSS, GLBA, NERC standards CIP, and PIPEDA (Canada).

[#Top] of page

{anchor:Getting Started}

h4. Getting Started

As cited in a variety of sources, people are often described as the weakest link in any security system. It is important to build security into the entire Human Resource process, from pre-employment, through employment, and through termination, to ensure that policies and procedures are in place to address security issues. Consistent training throughout the entire process ensures that employees and contractors are fully aware of their roles and responsibilities and understand the criticality of their actions in protecting and securing both information and facilities.

[#Top] of page


h4. Prior to Employment (ISO 8.1)

Objective: To develop a comprehensive process that identifies job roles and responsibilities, identifies the corresponding candidate screening level for those roles and responsibilities, and establishes terms and conditions of employment.
{panel}Prior to hiring or contracting employees or companies, security roles and responsibilities should be clearly articulated in job descriptions or well defined in contract terms and conditions. These roles and responsibilities should be defined in accordance with the institution's security policies.

Careful attention should be paid to validation of references and to the appropriate level of background checks, as determined by the security roles and responsibilities of the position or contract. Consideration should be given to making the receipt of affirmative references and the successful completion of a background check, at a level commensurate with the position's roles and responsibilities, a condition of hire.

* [Virginia Tech Policy and Procedures for Conviction and Driving Record Investigation|]

[#Top] of page


h4. During Employment (ISO 8.2)

Objective: To ensure that employees are aware of and understand their roles and responsibilities; to ensure that they understand information security threats; and to ensure they have the necessary knowledge to mitigate those threats.

* Employee Orientation for new employees: All new employees should participate in new employee orientation workshops or be provided with pertinent information, including security policies and procedures and the potential disciplinary process/actions for any security breaches. Additionally, new employees should be required to sign an acknowledgement indicating that they have read and understand the institution's acceptable use policy, the institution's security policies and any non-disclosure agreements (if applicable). All managers and supervisors should be expected to emphasize the importance of security to their employees. One example is this institution's [Supervisor's Guide to Information & Security Policy|].

* Ongoing Education and Awareness Training: Institutions should provide relevant information security information delivered on a defined schedule (annually, bi-annually, etc.) appropriate to the employee's job roles and responsibilities. All employees should be required to take general training on basic information security practices and/or acknowledge their basic understanding of the institution's security policies and procedures.
(on) This includes [community based security awareness|itsg2:Community Based Security Awareness] efforts. Examples: the [Annual C3 (Cyber Ethics, Safety and Security) Conference: An Educational Springboard|itsg2:Annual C3 Conference - An Educational Springboard], the [Washtenaw County Cyber Citizenship Coalition (WC4)|itsg2:Washtenaw County Cyber Citizenship Coalition (WC4)] and [Who's Watching Charlottesville: Community Based Security Awareness|itsg2:Who's Watching Charlottesville - Community Based Security Awareness].

* A process for official disciplinary action in response to security breaches should be established and promulgated to the institution's employees.

[#Top] of page


h4. Termination or Change of Employment (ISO 8.3)

Objective: To develop an orderly exit process to ensure that access is removed and assets returned in an expedited time frame.
{panel}Responsibilities for performing employee terminations must be clearly defined and assigned to ensure actions are taken as quickly as possible. A checklist listing the actions to be taken and the person responsible for executing each action allows for quick identification of any missed steps.

Specifically, there should be a process that validates that all the institution’s assets are returned at termination.

Additionally, there should be a process that ensures access to information assets is removed at the time of termination.

[#Top] of page


h4. Resources

*Campus Case Studies On This Page*
(on) [Annual C3 (Cyber Ethics, Safety and Security) Conference: An Educational Springboard|itsg2:Annual C3 Conference - An Educational Springboard] \- College Park, Maryland
(on) [Washtenaw County Cyber Citizenship Coalition (WC4)|itsg2:Washtenaw County Cyber Citizenship Coalition (WC4)] \- Washtenaw County, Michigan
(on) [Who's Watching Charlottesville: Community Based Security Awareness|itsg2:Who's Watching Charlottesville - Community Based Security Awareness] \- University of Virginia

*EDUCAUSE Resources*
_EDUCAUSE Resource Center Pages_
* [Certification, Education, Training, and Tutorials|]
* [Executive Security Awareness|]
* [Security Awareness|]
* [Training|]
* [User Training|]

_HEISC Toolkits/Guidelines_

* [Top Information Security Concerns for HR Leaders & Process Participants -- Protecting Your HR Assets|Top Information Security Concerns for HR Leaders & Process Participants]
* [Top Information Security Concerns for Researchers|]
* [Top Information Security Concerns for Campus Executives and Data Stewards|]
* [itsg2:Collaborating with Faculty]
* [itsg2:Community Based Security Awareness] (Hot Topics page)
* [Cyber Security Awareness Resource Library|]
* [National Cyber Security Awareness Month (NCSAM) Resource Kit|]

*Initiatives, Collaborations, & Other Resources*
* [Mitigating Top EDU Human Risks|] (video - 47 min.)
* [Virginia Tech Policy and Procedures for Conviction and Driving Record Investigation|]

{panel}[#Top] of page

(?) Questions or comments? (i) [Contact us| Resources Security].

(!) _Except where otherwise noted, this work is licensed under a [Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License|]._