HUMAN RESOURCE SECURITY POLICY
Page 2/13
1. Table of Contents
1. Table of Contents
2. Property Information
3. Document Control
    3.1. Information
    3.2. Revision History
    3.3. Review, Verification and Approval
    3.4. Distribution List
4. Policy Overview
    4.1. Purpose
    4.2. Scope
    4.3. Terms and Definitions
    4.4. Change, Review and Update
    4.5. Enforcement / Compliance
    4.6. Waiver
    4.7. Roles and Responsibilities (RACI Matrix)
    4.8. Relevant Documents
    4.9. Ownership
5. Policy Statements
    5.1. Screening
    5.2. Terms and Conditions of Employment
    5.3. Management Responsibilities
    5.4. Information Security Awareness, Education and Training
    5.5. Disciplinary Process
    5.6. Termination or Change of Employment Responsibilities
2. Property Information
This document is the property of Imam Abdulrahman bin Faisal University - ICT Deanship. The content of this
document is Confidential and intended only for the valid recipients. This document is not to be distributed,
disclosed, published or copied without the written permission of the ICT Deanship.
3. Document Control
3.1. Information
Title | Classification | Version | Status
HUMAN RESOURCE SECURITY POLICY | Confidential | 1.1 | Validated
3.2. Revision History
Version | Author(s) | Issue Date | Changes
0.1 | Alaa Alaiwah - Devoteam | November 19, 2014 | Creation
0.2 | Nabeel Albahbooh - Devoteam | December 1, 2014 | Update
0.3 | Osama Al Omari - Devoteam | December 27, 2014 | QA
1.0 | Nabeel Albahbooh - Devoteam | December 31, 2014 | Update
1.1 | Muneeb Ahmad - ICT, IAU | April 30, 2017 | Update
3.3. Review, Verification and Approval
Name | Title | Date
Lamia Abdullah Aljafari | Quality Director |
Dr. Saad Al-Amri | Dean of ICT |
3.4. Distribution List
Copy # | Recipients | Location
4. Policy Overview
This section describes and details the purpose, scope, terms and definitions, change, review and update,
enforcement / compliance, waiver, roles and responsibilities, relevant documents and ownership of this policy.
4.1. Purpose
The main purposes of the Human Resource Security Policy are to:
▪ Ensure that IAU's employees and contractors understand their responsibilities and are suitable for the roles
for which they are considered.
▪ Ensure that IAU's employees and contractors are aware of, and fulfil, their information security
responsibilities.
▪ Protect IAU's interests as part of the process of changing or terminating employment.
4.2. Scope
The policy statements written in this document are applicable to all of IAU's resources at all levels of
sensitivity, including:
▪ All full-time, part-time and temporary staff employed by, or working for or on behalf of, IAU.
▪ Students studying at IAU.
▪ Contractors and consultants working for or on behalf of IAU.
▪ All other individuals and groups who have been granted access to IAU's ICT systems and information.
This policy covers all information assets defined in the Risk Assessment Scope Document and will be used as
a foundation for information security management.
4.3. Terms and Definitions
Table 1 provides definitions of the common terms used in this document.
Term | Definition
Accountability | A security principle indicating that individuals shall be identifiable and able to be held
responsible for their actions.
Asset | Information that has value to the organization, such as forms, media, networks, hardware, software
and information systems.
Availability | The state of an asset or service being accessible and usable upon demand by an authorized
entity.
Confidentiality | The property that an asset or service is not made available or disclosed to unauthorized
individuals, entities or processes.
Control | A means of managing risk, including policies, procedures and guidelines, which can be of an
administrative, technical, management or legal nature.
Guideline | A description that clarifies what shall be done, and how, to achieve the objectives set out in
policies.
Information Security | The preservation of confidentiality, integrity and availability of information. Other
properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved.
Integrity | Maintaining and assuring the accuracy and consistency of an asset over its entire life cycle.
Owner | A person or group of people identified by Management as having responsibility for maintaining the
confidentiality, availability and integrity of an asset. The Owner may change during the life cycle of the
asset.
Policy | A plan of action to guide decisions and actions. The policy process includes the identification of
different alternatives, such as programs or spending priorities, and choosing among them on the basis of
the impact they will have.
Risk | A combination of the consequences of an event (including changes in circumstances) and the
associated likelihood of occurrence.
Screening | A process to verify facts about individuals related to their identity, professional credentials,
previous employment, education and skills.
System | Equipment, or an interconnected system or subsystems of equipment, used in the acquisition,
storage, manipulation, management, control, display, switching, interchange, transmission or reception of
data, including computer software, firmware and hardware.
Table 1: Terms and Definitions
4.4. Change, Review and Update
This policy shall be reviewed once every year, unless the owner considers an earlier review necessary to
ensure that the policy remains current. Changes to this policy shall be made exclusively by the Information
Security Officer and approved by Management. A change log shall be kept current and updated as soon as
any change has been made.
4.5. Enforcement / Compliance
Compliance with this policy is mandatory and is to be reviewed periodically by the Information Security
Officer. All IAU units (Deanships, Departments, Colleges, Sections and Centers) shall ensure continuous
compliance monitoring within their area.
Ignoring or infringing the information security directives could harm IAU (e.g., loss of trust and reputation,
operational disruptions or legal violations). The persons at fault will be held responsible, which may result in
disciplinary or corrective action (e.g., dismissal) and legal investigation.
Correct and fair treatment of employees who are under suspicion of violating security directives (e.g., during
disciplinary action) shall be ensured. Management and the Human Resources Department shall be informed of
policy violations and shall handle them.
4.6. Waiver
Information Security shall consider exceptions on an individual basis. For an exception to be approved, a
business case outlining the rationale behind the request shall accompany it. Exceptions to the policy
compliance requirement shall be authorized by the Information Security Officer and approved by the ICT
Deanship. Each waiver request shall include the justification for, and the benefits attributed to, the waiver.
A policy waiver is valid for a maximum period of four months. It shall be reassessed and, if necessary,
re-approved, for at most three consecutive terms; no policy waiver shall be granted for more than three
consecutive terms.
4.7. Roles and Responsibilities (RACI Matrix)
Table 2 shows the RACI matrix [1] that identifies who is responsible, accountable, consulted or informed for
every task that needs to be performed.
The roles involved in this policy are: ICT Deanship (ICT), Information Security Officer (ISO), Human
Resources Department / Administrative Unit (HR/A), Legal Department (Legal), Recruitment Agency (RA),
Department Manager (Dept. Mgr.) and User (Employee and Contractor).
Roles, in column order: ICT | ISO | HR/A | Legal | RA | Dept. Mgr. | User. For each responsibility below, the
assigned codes are listed in that column order, with empty cells omitted.
Responsibilities:
▪ Managing security training and awareness programs for IAU's employees in coordination with the
Personnel Affairs Department: R; R,A; C,I; I
▪ Providing the expert legal advice necessary for other departments to provide services in a manner that
is fully compliant with existing laws and regulations: C; C; R; I
▪ Performing personnel screening of employees at all stages of employment: C,I; C; R,A
▪ Determining and performing the appropriate disciplinary action when there is a violation of IAU's
information security policy: C,I; C; R,A; C; I
▪ Adhering to IAU's personnel security policy while providing candidates (e.g., background verification):
I; C; C,I; R,A
▪ Communicating this policy to all new IAU employees and contractors to ensure that they understand the
requirements and responsibilities set out in the information security policies: C; C; R,A; I
▪ Adhering to information security policies, guidelines and procedures pertaining to the protection of
information: C; C; C; R,A,I
▪ Signing a non-disclosure agreement: I; C; C; R
▪ Developing job descriptions and ensuring that they require new employees to comply with IAU's
information security policy: C,I; C; R,A; I
▪ Cooperating with and/or informing the parties involved in case of changes of duties or employee
termination: C; C; R,A; C,I
▪ Ensuring that resigned or terminated employees return all IAU assets in their custody before the
termination process is completed: C; C; R,A; C,I
▪ Revoking access rights (logical and physical) to assets upon employee termination or change: R,A; C; C; I
▪ Supporting and ensuring that employees under supervision apply security in accordance with IAU's
information security policy: C; C; I; R,A
▪ Planning, preparing and delivering information security awareness sessions to IAU's employees:
C; R,A; R; I
Table 2: Assigned Roles and Responsibilities based on RACI Matrix
[1] The responsibility assignment (RACI) matrix describes the participation of various roles in completing the
tasks of a business process. It is especially useful in clarifying roles and responsibilities in
cross-functional/departmental processes. R stands for Responsible, who performs a task; A for Accountable
(or Approver), who signs off on (approves) a task that a Responsible performs; C for Consulted (or Counsel),
who provides opinions; and I for Informed, who is kept up to date on task progress.
4.8. Relevant Documents
The following policies and procedures are relevant to this policy:
Information Security Policy
Human Resource Security Procedure
Information Security Incident Management Policy
Compliance Policy
4.9. Ownership
This document is owned and maintained by the ICT Deanship of Imam Abdulrahman bin Faisal University.
5. Policy Statements
The following subsections present the policy statements under six main aspects:
Screening
Terms and Conditions of Employment
Management Responsibilities
Information Security Awareness, Education and Training
Disciplinary Process
Termination or Change of Employment Responsibilities
5.1. Screening
1. The Human Resources Department / Administrative Unit shall establish a formal process for the hiring,
resignation and termination of all IAU employees.
2. The Human Resources Department / Administrative Unit, or appropriate third parties, shall carry out
appropriate background verification checks ("screening") on all candidates for employment, contractor
status or third-party user status. The screening process shall be proportionate to the level of trust and
responsibility associated with the position and, where permitted by Saudi labour law, shall take into
consideration:
a. IAU's business needs, and relevant legal and regulatory requirements;
b. The classification/sensitivity of the information, systems, services and infrastructure to be accessed,
and the perceived risks;
c. Privacy, protection of personal information and other relevant employment legislation;
d. Where appropriate, components such as:
▪ Proof of the person's identity (e.g., national ID, passport).
▪ Proof of academic qualifications (e.g., certificates), by obtaining original documents or through
direct verification with the relevant institution.
▪ Proof of work experience (e.g., resume/CV and references).
▪ Verification of two business references.
▪ Criminal record checks.
3. Recruitment agencies or third parties providing contractors / consultants directly to IAU shall perform
at least the same standard of personnel background verification checks as those indicated in this Human
Resource Security Policy (i.e., as part of the agency's responsibilities).
REF: [ISO/IEC 27001: A.7.1.1]
5.2. Terms and Conditions of Employment
1. The employee's legal responsibilities and rights relevant to employment at IAU shall be made clear to all
IAU employees at the beginning of employment and shall be clearly stated in the signed agreement.
2. All IAU employees shall sign an appropriate confidentiality agreement at the time of joining / engagement.
This agreement shall require the employee to comply with all applicable IAU information security policies
and procedures.
3. Contract staff, and contract agencies providing staff, who visit sensitive areas (e.g., the main datacenter
and server rooms) shall be required to sign a confidentiality agreement.
4. The terms and conditions of employment shall include all responsibilities of users towards information
security.
REF: [ISO/IEC 27001: A.7.1.2]
5.3. Management Responsibilities
1. All Department Managers shall require all employees within their area of responsibility to apply security
in accordance with IAU's information security policies and procedures.
2. All Department Managers shall ensure that employees are:
a. Appropriately briefed on their information security roles and responsibilities.
b. Encouraged to fulfil IAU's information security policies.
c. Maintaining the appropriate skills and qualifications.
d. Educated on a regular basis (especially on information security aspects).
3. Managers shall be aware of the personal circumstances of their employees and shall be on the lookout
for any behavioural change that may lead to a security breach or violation.
4. Employee vacations and leaves of absence shall not affect the availability and performance of service
provision at IAU. When applying for a leave of absence, the following shall be considered:
a. Leave requests shall be submitted with enough lead time for processing.
b. The employee shall specify the following in the leave request:
▪ A list of the duties and activities falling due during the leave period.
▪ The name(s) of the employee(s) who will be responsible for these duties and activities during
the absence.
c. The employee shall ensure that business will continue during the absence.
REF: [ISO/IEC 27001: A.7.2.1]
5.4. Information Security Awareness, Education and Training
1. Suitable information security awareness, training and education shall be provided to IAU's employees,
clarifying their responsibilities relating to IAU's information security policies and procedures and all
relevant obligations defined in their job descriptions. Security awareness may include, but is not limited
to:
a. A formal induction process that includes security training, prior to being granted access to
IAU’s network and systems.
b. Ongoing training in security control requirements, legal-regulatory responsibilities and
generally accepted information security procedures, suitable to the employees’ roles and
responsibilities.
2. Information security awareness shall cover general aspects such as:
a. IAU’s Management commitment to information security objectives.
b. Basic information security procedures (e.g., information security incident reporting) and
security standards (e.g., password security, assets handling protection, antivirus controls, and
clean and clear desks).
c. Personal accountability and responsibilities towards protecting IAU's assets.
3. The Information Security Officer, in coordination with the ICT Deanship and the Personnel Affairs
Department, shall:
a. Prepare an annual information security awareness program and training plan.
b. Issue awareness material (e.g., printed information or email communications) to keep all IAU
employees aware of their information security roles and responsibilities.
4. Management shall allocate sufficient on-the-job time for IAU's employees to familiarize themselves
with IAU's information security policies, procedures and the relevant ways of conducting business.
5. Every IAU employee shall attend an information security awareness session within three months of
the hiring date. Each employee shall sign a statement confirming that they attended the session, understood
the material presented, had an opportunity to ask questions, and agree to perform their work according to
IAU's information security policies and procedures.
REF: [ISO/IEC 27001: A.7.2.2]
5.5. Disciplinary Process
1. The disciplinary process shall provide a graduated response, taking into consideration factors such as:
a. The nature and severity of the security breach.
b. The impact on the business.
c. Whether it is a repeated offence.
d. Whether or not the violator was properly trained.
e. Relevant legislation.
2. Formal disciplinary action shall be taken in accordance with IAU's personnel policies, procedures,
guidelines and instruction memos.
3. IAU's information and infrastructure (e.g., networks, systems and services) shall not be used for
purposes other than IAU's business needs. Any such fraudulent activity detected shall be dealt with as per
IAU's personnel disciplinary action procedure.
REF: [ISO/IEC 27001: A.7.2.3]
5.6. Termination or Change of Employment Responsibilities
1. Responsibilities and practices for performing employment termination or change of employment shall
be clearly defined and assigned. These may include, but are not limited to:
a. Termination processes that ensure removal of access to all information resources.
b. Changes of responsibilities and duties within IAU being processed as a termination (of the old
position) and re-hire (to the new position), using transfer policy controls for those processes
unless otherwise indicated.
c. Processes ensuring that employees are appropriately informed of a person's changed status, and
that any post-employment responsibilities are specified in the terms and conditions of
employment or in the contractor's or third party's contract.
2. The Human Resources Department / Administrative Unit (HR/A), in cooperation with the employee's
supervisors, shall promptly inform the ICT Deanship about employee transfers or job duty changes, so that
all necessary measures are taken with regard to the revocation or change of access rights (logical and/or
physical) to assets.
3. In the event that an employee is terminated, the following shall be considered:
a. Releasing the employee from all IAU-related duties and terminating all work-related privileges
at the time of termination.
b. Ensuring that all IAU property and information in the employee's custody is returned before the
employee leaves IAU premises.
c. Notifying all administrators handling user accounts used by the employee as soon as the
termination is known.
REF: [ISO/IEC 27001: A.7.3.1]
-------------------------------------------------------- End of Document -------------------------------------------------