
INSPIRING BUSINESS INNOVATION

HUMAN RESOURCE SECURITY POLICY

Version 1.1

Policy Number:

HUMAN RESOURCE SECURITY POLICY

Page 2/13

1. Table of Contents

1. Table of Contents ........................................................................................................................ 2

2. Property Information .................................................................................................................. 3

3. Document Control ...................................................................................................................... 4

3.1. Information ............................................................................................................ 4

3.2. Revision History ................................................................................................... 4

3.3. Review, Verification and Approval ...................................................................... 4

3.4. Distribution List .................................................................................................... 4

4. Policy Overview ........................................................................................................................... 5

4.1. Purpose ................................................................................................................. 5

4.2. Scope ..................................................................................................................... 5

4.3. Terms and Definitions .......................................................................................... 5

4.4. Change, Review and Update ............................................................................... 7

4.5. Enforcement / Compliance .................................................................................. 7

4.6. Waiver .................................................................................................................... 7

4.7. Roles and Responsibilities (RACI Matrix) .......................................................... 8

4.8. Relevant Documents ............................................................................................ 9

4.9. Ownership ............................................................................................................. 9

5. Policy Statements ...................................................................................................................... 10

5.1. Screening ............................................................................................................ 10

5.2. Terms and Conditions of Employment ............................................................. 11

5.3. Management Responsibilities ........................................................................... 11

5.4. Information Security Awareness, Education and Training ............................. 12

5.5. Disciplinary Process .......................................................................................... 13

5.6. Termination or Change of Employment Responsibilities ............................... 14


2. Property Information

This document is the property of Imam Abdulrahman bin Faisal University - ICT Deanship. The content of this document is Confidential and intended only for the valid recipients. This document is not to be distributed, disclosed, published or copied without the written permission of the ICT Deanship.


3. Document Control

3.1. Information

| Title | Classification | Version | Status |
|---|---|---|---|
| HUMAN RESOURCE SECURITY POLICY | Confidential | 1.1 | Validated |

3.2. Revision History

| Version | Author(s) | Issue Date | Changes |
|---|---|---|---|
| 0.1 | Alaa Alaiwah - Devoteam | November 19, 2014 | Creation |
| 0.2 | Nabeel Albahbooh - Devoteam | December 1, 2014 | Update |
| 0.3 | Osama Al Omari - Devoteam | December 27, 2014 | QA |
| 1.0 | Nabeel Albahbooh - Devoteam | December 31, 2014 | Update |
| 1.1 | Muneeb Ahmad - ICT, IAU | 30 April 2017 | Update |

3.3. Review, Verification and Approval

| Name | Title | Date |
|---|---|---|
| Lamia Abdullah Aljafari | Quality Director | |
| Dr. Saad Al-Amri | Dean of ICT | |

3.4. Distribution List

| Copy # | Recipients | Location |
|---|---|---|


4. Policy Overview

This section describes the purpose, scope, terms and definitions, change, review and update, enforcement / compliance, waiver, roles and responsibilities, relevant documents and ownership of this policy.

4.1. Purpose

The main purpose of the Human Resource Security Policy is to:

Ensure that IAU's employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

Ensure that IAU's employees and contractors are aware of and fulfil their information security responsibilities.

Protect IAU's other interests as part of the process of changing or terminating employment.

4.2. Scope

The policy statements written in this document are applicable to all IAU's resources at all levels of sensitivity, including:

All full-time, part-time and temporary staff employed by, or working for or on behalf of IAU.

Students studying at IAU.

Contractors and consultants working for or on behalf of IAU.

All other individuals and groups who have been granted access to IAU’s ICT systems and information.

This policy covers all information assets defined in the Risk Assessment Scope Document and will be used as a foundation for information security management.

4.3. Terms and Definitions

Table 1 provides definitions of the common terms used in this document.

| Term | Definition |
|---|---|
| Accountability | A security principle indicating that individuals shall be able to be identified and to be held responsible for their actions. |
| Asset | Information that has value to the organization such as forms, media, networks, hardware, software and information systems. |
| Availability | The state of an asset or a service of being accessible and usable upon demand by an authorized entity. |
| Confidentiality | An asset or a service is not made available or disclosed to unauthorized individuals, entities or processes. |
| Control | A means of managing risk, including policies, procedures, and guidelines which can be of administrative, technical, management or legal nature. |
| Guideline | A description that clarifies what shall be done and how, to achieve the objectives set out in policies. |
| Information Security | The preservation of confidentiality, integrity, and availability of information. Additionally, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved. |
| Integrity | Maintaining and assuring the accuracy and consistency of an asset over its entire life-cycle. |
| Owner | A person or group of people who have been identified by Management as having responsibility for the maintenance of the confidentiality, availability and integrity of an asset. The Owner may change during the lifecycle of the asset. |
| Policy | A plan of action to guide decisions and actions. The policy process includes the identification of different alternatives such as programs or spending priorities, and choosing among them on the basis of the impact they will have. |
| Risk | A combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence. |
| Screening | A process to verify facts about individuals related to their identity, professional credentials, previous employment, education and skills. |
| System | Equipment or an interconnected system or subsystems of equipment that is used in the acquisition, storage, manipulation, management, control, display, switching, interchange, transmission or reception of data and that includes computer software, firmware and hardware. |

Table 1: Terms and Definitions


4.4. Change, Review and Update

This policy shall be reviewed once every year unless the owner considers an earlier review necessary to ensure that the policy remains current. Changes to this policy shall be made exclusively by the Information Security Officer and approved by Management. A change log shall be kept current and updated as soon as any change has been made.

4.5. Enforcement / Compliance

Compliance with this policy is mandatory and is to be reviewed periodically by the Information Security Officer. All IAU units (Deanship, Department, College, Section and Center) shall ensure continuous compliance monitoring within their area.

Ignoring or infringing the information security directives could harm IAU's environment (e.g., loss of trust and reputation, operational disruptions or legal violations); the persons at fault will be held responsible, resulting in disciplinary or corrective actions (e.g., dismissal), and could face legal investigations.

Correct and fair treatment of employees who are under suspicion of violating security directives (e.g., disciplinary action) has to be ensured. Management and the Human Resources Department shall be informed of policy violations and shall handle their treatment.

4.6. Waiver

Information security shall consider exceptions on an individual basis. For an exception to be approved, a business case outlining the logic behind the request shall accompany the request. Exceptions to the policy compliance requirement shall be authorized by the Information Security Officer and approved by the ICT Deanship. Each waiver request shall include the justification and the benefits attributed to the waiver.

A policy waiver has a maximum period of 4 months, and shall be reassessed and re-approved, if necessary, for a maximum of three consecutive terms. No policy shall be granted a waiver for more than three consecutive terms.


4.7. Roles and Responsibilities (RACI Matrix)

Table 2 shows the RACI matrix [1] that identifies who is responsible, accountable, consulted or informed for every task that needs to be performed.

The roles involved in this policy are: ICT Deanship (ICT), Information Security Officer (ISO), Human Resources Department / Administrative Unit (HR/A), Legal Department (Legal), Recruitment Agency (RA), Department Manager (Dept. Mgr.) and User (Employee and Contractor).

Roles: ICT, ISO, HR/A, Legal, RA, Dept. Mgr., User

| Responsibility | Assigned roles (R/A/C/I codes as extracted; column alignment was lost) |
|---|---|
| Managing security training and awareness programs for IAU's employees in coordination with the Personnel Affairs Department. | R; R,A; C,I; I |
| Providing the expert legal advice that is necessary for other departments to provide services in a manner that is fully compliant with existing laws and regulations. | C; C; R; I |
| Performing personnel screening on employees in all stages of employment. | C,I; C; R,A |
| Determining and performing the appropriate disciplinary action when there is a violation of IAU's information security policy. | C,I; C; R,A; C; I |
| Adhering to IAU's personnel security policy while providing candidates (e.g., background verification). | I; C; C,I; R,A |
| Communicating this policy to all new IAU employees and contractors to ensure that they understand the requirements and responsibilities towards information security policies. | C; C; R,A; I |
| Adhering to information security policies, guidelines and procedures pertaining to the protection of information. | C; C; C; R,A,I |
| Signing a non-disclosure agreement. | I; C; C; R |
| Developing job descriptions and ensuring they require new employees to comply with IAU's information security policy. | C,I; C; R,A; I |
| Cooperating with and/or informing the parties involved in case of changes of duties or employee termination. | C; C; R,A; C,I |
| Ensuring resigned or terminated employees return all IAU's assets in their custody before they complete the termination process. | C; C; R,A; C,I |
| Revoking access rights (logical and physical) to assets upon employee termination or change. | R,A; C; C; I |
| Supporting and ensuring that employees under supervision apply security in accordance with IAU's information security policy. | C; C; I; R,A |
| Planning, preparing and delivering information security awareness sessions to IAU's employees. | C; R,A; R; I |

Table 2: Assigned Roles and Responsibilities based on RACI Matrix

[1] The responsibility assignment (RACI) matrix describes the participation by various roles in completing tasks for a business process. It is especially useful in clarifying roles and responsibilities in cross-functional/departmental processes. R stands for Responsible, who performs a task; A stands for Accountable (or Approver), who signs off on (approves) a task that a Responsible performs; C stands for Consulted (or Counsel), who provides opinions; and I stands for Informed, who is kept up to date on task progress.

4.8. Relevant Documents

The following policies and procedures are relevant to this policy:

Information Security Policy

Human Resource Security Procedure

Information Security Incident Management Policy

Compliance Policy

4.9. Ownership

This document is owned and maintained by the ICT Deanship of Imam Abdulrahman bin Faisal University.

5. Policy Statements

The following subsections present the policy statements in 6 main aspects:

Screening

Terms and Conditions of Employment

Management Responsibilities

Information Security Awareness, Education and Training

Disciplinary Process

Termination or Change of Employment Responsibilities

5.1. Screening

1. The Human Resources Department / Administrative Unit shall establish a formal process for the hiring, resignation and termination of all IAU's employees.

2. The Human Resources Department / Administrative Unit or appropriate third parties shall carry out appropriate background verification checks ("Screening") for all candidates for employment, contractor status or third party user status. Such a screening process shall take into consideration the level of trust and responsibility associated with the position and, where permitted by Saudi labour laws:

a. IAU's business needs, and relevant legal and regulatory requirements;

b. Classification/sensitivity of the information, system, service, and infrastructure to be accessed

and the perceived risks.

c. Privacy, protection of personal information and other relevant employment legislation.

d. Where appropriate, components such as:

▪ Proof of person’s identity (e.g., national ID, passport).

▪ Proof of academic qualifications (e.g., certificates) by acquiring original documents or

through direct verification with the relevant institution.

▪ Proof of work experience (e.g., resume/CV and references).


▪ Verification of two business references.

▪ Criminal record checks.

3. Recruitment agencies or third parties providing contractors / consultants directly to IAU shall perform at least the same standard of personnel background verification checks as those indicated in the Human Resource Security Policy (i.e., as part of the agency's responsibilities).

REF: [ISO/IEC 27001: A.7.1.1]

5.2. Terms and Conditions of Employment

1. The employee’s legal responsibilities and rights relevant to employment at IAU shall be made clear

to all IAU’s employees at the beginning of employment and shall be clearly stated in the signed

agreement.

2. All IAU’s employees shall sign an appropriate confidentiality agreement at the time of joining /

engagement. This agreement shall require the employee to comply with all applicable IAU’s

information security policies and procedures.

3. Contract staff, or contract agency staff, visiting sensitive areas (e.g., the main datacenter and server rooms) shall be required to sign a confidentiality agreement as required.

4. The terms and conditions of employment shall include all responsibilities of users towards information security.

REF: [ISO/IEC 27001: A.7.1.2]

5.3. Management Responsibilities

1. All Department Managers shall require all employees, who work under their area of concern, to

apply security in accordance with IAU’s information security policies and procedures.

2. All Department Managers shall ensure that employees are:

a. Appropriately briefed on their information security roles and responsibilities.

b. Encouraged to fulfil IAU's information security policies.

c. Continuing to have the appropriate skills and qualifications.

d. Educated on a regular basis (especially on information security aspects).


3. Managers shall be aware of the personal circumstances of their employees, and shall be on the lookout for any behavioral change that may lead to a security breach or violation.

4. Employee vacations and leaves of absence shall not affect the availability and performance of service provision at IAU. When applying for a leave of absence, the following shall be considered:

a. Leave requests shall be submitted with enough lead time for processing.

b. The employee shall specify the following in the leave request:

▪ List of duties and activities during the leave period.

▪ Name(s) of the employee(s) who will be responsible for taking care of these duties and activities in the applicant's absence.

c. The employee shall ensure that business will continue during the absence.

REF: [ISO/IEC 27001: A.7.2.1]

5.4. Information Security Awareness, Education and

Training

1. Suitable information security awareness, training and education shall be provided to IAU's employees, clarifying their responsibilities relating to IAU's information security policies and procedures and all relevant obligations defined in the job description. The security awareness may include, but is not limited to:

a. A formal induction process that includes security training, prior to being granted access to

IAU’s network and systems.

b. Ongoing training in security control requirements, legal-regulatory responsibilities and

generally accepted information security procedures, suitable to the employees’ roles and

responsibilities.

2. Information security awareness shall cover general aspects such as:

a. IAU’s Management commitment to information security objectives.

b. Basic information security procedures (e.g., information security incident reporting) and

security standards (e.g., password security, assets handling protection, antivirus controls, and

clean and clear desks).


c. Personal accountability and responsibilities towards protecting IAU’s assets.

3. The Information Security Officer, in coordination with the ICT Deanship and the Personnel Affairs Department, shall:

a. Prepare an annual information security awareness program and training plan.

b. Issue awareness material (e.g., information printouts or email communications) in order to

keep all IAU’s employees aware of their information security roles and responsibilities.

4. Management shall allocate sufficient on-the-job time for IAU’s employees to familiarize themselves

with IAU’s information security policies, procedures and the relevant ways of conducting business.

5. Every IAU employee shall attend an information security awareness session within three months of the hiring date. Each employee shall sign a statement that he has attended such sessions, understood the material presented, had an opportunity to ask questions, and agrees to perform his work according to IAU's information security policies and procedures.

REF: [ISO/IEC 27001: A.7.2.2]

5.5. Disciplinary Process

1. The disciplinary process shall provide a graduated response, taking into consideration factors such as:

a. Nature and severity of the security breach.

b. Impact on the business.

c. If it is a repeated offence.

d. Whether or not the violator was properly trained.

e. Relevant legislation.

2. Formal disciplinary action shall be taken in accordance with IAU's personnel policies, procedures, guidelines and instruction memos.

3. IAU's information and infrastructure (e.g., network, systems and services) shall not be used for purposes other than IAU's business needs. Any such fraudulent activities detected shall be dealt with as per IAU's personnel disciplinary action procedure.

REF: [ISO/IEC 27001: A.7.2.3]


5.6. Termination or Change of Employment

Responsibilities

1. Responsibilities and practices for performing employment termination or change of employment shall be clearly defined and assigned. These may include, but are not limited to:

a. Termination processes that ensure removal of access to all information resources.

b. Changes of responsibilities and duties within IAU shall be processed as a termination (of the old position) and re-hire (to the new position), using transfer policy controls for those processes unless otherwise indicated.

c. Processes ensuring that employees are appropriately informed of a person’s changed status;

and any post-employment responsibilities are specified in the terms and conditions of

employment, or contractor’s or third party’s contract.

2. The Human Resources Department / Administrative Unit (HR/A), in cooperation with the employee's supervisors, shall promptly inform the ICT Deanship about employee transfers or job duty changes, so that all necessary measures are taken with regard to the revocation or change of access rights (logical and/or physical) to assets.

3. In the event that an employee is terminated, the following shall be considered:

a. Releasing the employee of all IAU related duties and terminating all work-related privileges

at the time of termination.

b. Ensuring all IAU's property and information in the concerned employee's custody is returned before the employee leaves IAU premises.

c. Notifying all administrators handling user accounts used by the employee as soon as the

termination is known.

REF: [ISO/IEC 27001: A.7.3.1]

-------------------------------------------------------- End of Document -------------------------------------------------