
Document Summary
Item | Value |
Organization | Information Dynamics |
Document Name | Human Resource Security policy |
Classification | Internal |
Compliance Reference | ISO/IEC 27001:2013 |
Document Revision History
Date | Version | Prepared By |
1 November 2018 | 1.1 | Information Dynamics |
29 December 2019 | 1.2 | Arya & Sureshkutty |
24 December 2020 | 1.3 | Arya & Sureshkutty |
24 December 2021 | 1.4 | Vani & Sureshkutty |
26 December 2022 | 1.5 | Ragini & Sureshkutty |
Reviewed By | Version | Date | Signature |
Linda | 1.1 | 30 October 2018 | |
Linda | 1.2 | 29 December 2019 | |
Linda | 1.3 | 26 December 2020 | |
Linda | 1.4 | 26 December 2021 | |
Linda | 1.5 | 26 December 2022 | |
Purpose
The purpose of this policy is to define how information security is addressed through the human resource functions of Information Dynamics (ID). It covers the employee life cycle in the firm, from recruitment through to termination of services.
ISO 27001:2013 Domain Reference: A.7 – Human Resource Security
Control | Title |
A.7.1.1 | Screening |
A.7.1.2 | Terms and conditions of employment |
A.7.2.1 | Management responsibilities |
A.7.2.2 | Information security awareness, education and training |
A.7.2.3 | Disciplinary process |
A.7.3.1 | Termination or change of employment responsibilities |
Scope
This policy applies to all activities covered by the scope statement of Information Dynamics.
Policy
Security roles and responsibilities of all ID personnel shall be defined and documented as per ISMS policy.
The security roles and responsibilities shall be clearly communicated to job candidates during the pre-employment process.
Background verification checks shall be conducted on all new employees, either during recruitment or after joining.
Background verification is not carried out for existing employees.
The verification shall be done in accordance with business requirements and ethics.
As per business requirements, ID does not engage a third party agency for background verification. Verification is limited to the candidate's professional experience over the last five years and a reference check with the HR department of the candidate's last employer, covering relieving status and employee conduct.
The terms and conditions of employment shall reflect the ID security policy and shall, in addition, clarify and state:
the requirement that all employees, contractors and third party users sign a confidentiality or non-disclosure agreement before being given access to information processing facilities;
the legal responsibilities and rights of employees, contractors and any other users;
the responsibilities of the organization for the handling of personal information;
the actions to be taken if an employee, contractor or third party user disregards the organization's security requirements.
Management shall ensure that all employees, contractors and third party users are:
Adequately informed of their information security roles and responsibilities before they are granted access to information assets at ID; and
Aware of the security policies, procedures and practices relevant to their roles and responsibilities within ID and follow them.
Induction training for new joiners shall include an information security awareness session.
Periodic ISMS awareness sessions, tailored to roles, shall be conducted for all ID personnel.
When ISMS documents change, awareness sessions covering the changes shall be conducted for the roles affected.
A formal feedback process shall be used to evaluate effectiveness of information security training.
All records related to education, training, experience, qualifications and skills shall be maintained.
A formal disciplinary process shall be defined for employees who have committed an information security breach.
The disciplinary action shall be decided based on the severity of the security incident.
It shall take into consideration factors such as:
Nature and gravity of the security breach and its subsequent impact on the business objectives of ID;
First or repeat offence;
Adequacy of the training the individual received on the policies, procedures and practices defined at ID;
Relevant business requirements, laws and regulations.
The Human Resource department at ID shall be responsible for:
The overall termination process, coordinating with the reporting manager of the departing employee to manage the security aspects of the relevant procedures;
Informing users that specific responsibilities set out in the NDA or terms and conditions of employment may continue for a defined period after the end of the employee's, contractor's or third party user's engagement with ID;
Notifying the concerned reporting managers to review access privileges on application systems whenever an employee's or third party user's employment profile changes.
All ID personnel shall return all organizational assets in their possession upon termination or change of their employment.
The termination procedure shall include, but not be limited to:
return of all software, documents and equipment previously issued by ID;
return of other organizational assets such as mobile computing devices, credit cards, access cards, and information stored on electronic media.
The access rights of all resigned or transferred ID personnel to information and information processing facilities shall be removed upon termination, or adjusted upon change of employment.
The following practices shall be followed:
Revoke the access rights (logical and physical) of departing personnel.
Remove all access rights that are not required in the new job profile resulting from a change of employment.
Immediately change the passwords of any shared or common accounts known to the departing employee.
Associated Documentation
End user Guidelines and Code of Conduct
Acceptable use of Assets policy
Non-disclosure agreement between the employee and the firm.