Human Resource Security ISO/IEC 27001:2013


1 Human Resource Security ISO/IEC 27001:2013
Pham Minh Man

2 Agenda
- HR security
- Prior to employment
- During employment
- Termination and change of employment
- Summary

3 HR security – A.7
Human resources security should:
- Reduce the risk of theft, fraud or misuse of information facilities by employees, contractors and third-party users.
- Extend to all persons within and external to the organization who do (or may) use information or information processing facilities.
- Be defined and documented in accordance with the organization's information privacy and security policies.
It covers three stages: before, during, and after employment.

4 Prior to employment – A.7.1
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
- Screening – A.7.1.1
- Terms and conditions of employment – A.7.1.2

5 Screening – A.7.1.1
Control: Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations, and ethics, and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

6 Screening – A.7.1.1 – Implementation
Verification should take into account all relevant privacy, protection of personally identifiable information, and employment-based legislation, and should, where permitted, include:
- Satisfactory character references
- The applicant's curriculum vitae
- Academic and professional qualifications
- Independent identity verification (e.g. passport)
- Others: credit review or criminal record review

7 Screening – A.7.1.1 – Implementation (cont.)
When an individual is hired for a specific information security role, the organization should make sure the candidate:
- Has the necessary competence to perform the security role (e.g. government, Ward People's Committee, …)
- Can be trusted to take on the role (relationship, good CV, …)
Additional verification is needed when the job involves access to confidential data (e.g. financial data).

8 Screening – A.7.1.1 – Implementation (cont.)
- The procedures should define criteria and limitations for verification reviews (who is eligible to screen people, and how, when, and why).
- The agreement between the organization and the contractor should specify responsibility for conducting the screening and the notification procedures to be followed if screening has not been completed or if the results give cause for doubt or concern.
- Information on all candidates should be collected and handled in accordance with any appropriate legislation existing in the relevant jurisdiction. Depending on the legislation, candidates should be informed before screening activities take place.

9 Terms and conditions of employment – A.7.1.2
Terms and conditions of employment are the elements of a contract which define the relationship between an employer and an employee, including information on conditions of employment; contracts of employment including fixed-term, short-term and temporary contracts; contractual change; probationary periods; notice periods and restrictive covenants, …
Control: The contractual agreements with employees and contractors should state their and the organization's responsibilities for information security.

10 Terms and conditions of employment – A.7.1.2 – Implementation
Contractual obligations should reflect the organization's information security policies and clarify and state:
- Employees given access to confidential information should sign a confidentiality or non-disclosure agreement before being given access to information processing facilities (Annex A control on confidentiality or non-disclosure agreements)
- The employee's or contractor's legal responsibilities and rights (e.g. copyright laws or data protection legislation; see the corresponding Annex A controls)
- Responsibilities for the classification of information and the management of organizational assets associated with information, information processing facilities, and information services, … (A.8)

11 Terms and conditions of employment – A.7.1.2 – Implementation (cont.)
- Responsibilities for handling information received from other companies or external parties
- Disciplinary actions taken when the security requirements are disregarded (A.7.2.3)
- Information security roles and responsibilities should be communicated to candidates during the pre-employment process
- Ensure that employees and contractors agree to the terms and conditions concerning information security appropriate to the nature and extent of access they will have to the organization's assets (information systems, services)

12 Terms and conditions of employment – A.7.1.2 – Implementation (cont.)
- Responsibilities should continue for a defined period after the end of employment
- A code of conduct may be used to state the employee's and contractor's information security responsibilities and the reputable practices expected by the organization
- External parties associated with a contractor can be required to enter into contractual arrangements on behalf of the contracted individual

13 During employment – A.7.2
Objective: Ensure that employees and contractors are aware of and fulfill their information security responsibilities.
- Management responsibilities – A.7.2.1
- Information security awareness, education, and training – A.7.2.2
- Disciplinary process – A.7.2.3

14 Management responsibilities – A.7.2.1
Control: Management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.
Management responsibilities should include ensuring that employees and contractors:
- Are properly briefed on their information security roles and responsibilities before being granted access to confidential information or systems
- Are provided with guidelines that state the information security expectations of their role in the organization

15 Management responsibilities – A.7.2.1 – Implementation
- Are motivated to fulfill the information security policies
- Achieve a level of awareness of information security relevant to their roles and responsibilities (A.7.2.2)
- Follow the terms and conditions of employment (A.7.1.2)
- Continue to have appropriate skills and qualifications, and are educated regularly
- Are provided with an anonymous reporting channel to report violations of information security policies or procedures

16 Management responsibilities – A.7.2.1 – Implementation (cont.)
- If employees and contractors are not made aware of their responsibilities, they can cause considerable damage to an organization; motivated people are likely to be more reliable and cause fewer incidents.
- Poor management can leave personnel feeling undervalued, which impacts the organization negatively (neglect of information security or misuse of assets).

17 Information security awareness, education, and training – A.7.2.2
Control: All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
Awareness programs should make employees aware of their responsibilities for information security.

18 Information security awareness, education, and training – A.7.2.2 – Implementation
- These programs should be established in line with the organization's policies and procedures, taking into consideration the organization's information to be protected and the controls implemented to protect it.
- Awareness programs should include awareness-raising activities such as an "information security day", and issuing booklets or newsletters.

19 Information security awareness, education, and training – A.7.2.2 – Implementation (cont.)
- Activities in awareness programs should be repeated and cover new employees and contractors.
- The programs should be updated regularly and be built on lessons learnt from information security incidents.
- Awareness training should be performed as required. It can use different delivery media including classroom-based, web-based, distance learning and others.

20 Information security awareness, education, and training – A.7.2.2 – Implementation (cont.)
Education and training should also cover general aspects:
- Commitment of management to information security
- The need to be familiar with and comply with information security rules and obligations defined in policies, standards, laws, contracts, and agreements
- Basic information security procedures and baseline controls

21 Information security awareness, education, and training – A.7.2.2 – Implementation (cont.)
- Personal accountability for one's own actions or inaction, and general responsibilities towards securing and protecting information
- Contact points and resources for additional information and advice on information security matters
Information security education and training should take place periodically. Initial education and training for persons transferring to a new position or role with substantially different information security requirements should take place before the role becomes active.

22 Information security awareness, education, and training – A.7.2.2 – Implementation (cont.)
- The organization should develop an education and training program which is suitable and relevant to roles, responsibilities, and skills.
- When developing an awareness program, it is important to focus not only on "what" and "how", but also on "why", so that employees understand information security in depth, including its potential impact.
- An assessment should be conducted at the end of the course to test the transfer of knowledge to employees.

23 Disciplinary process – A.7.2.3
Control: A formal and communicated disciplinary process should be in place to take action against employees who have committed an information security breach.
Implementation:
- Should not be started without prior verification that the breach has occurred (Annex A control on collection of evidence)
- Should ensure correct and fair treatment for employees who are suspected of committing breaches of information security

24 Disciplinary process – A.7.2.3 – Implementation (cont.)
- Should take into consideration factors such as the nature and gravity of the breach and its impact on business, whether it is a first or repeat offence, whether the violator was properly trained, relevant legislation, business contracts, …
- The disciplinary process should also be used as a deterrent to prevent employees from violating information security policies and procedures
- A deliberate (on purpose) breach may require immediate action
- The process can be used as motivation or incentive if positive sanctions are defined for remarkable behavior with regard to information security

25 Termination and change of employment – A.7.3
Objective: Protect the organization's interests as part of the process of changing or terminating employment.
- Termination or change of employment responsibilities – A.7.3.1

26 Termination and change of employment – A.7.3.1
Control: Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor, and enforced.

27 Termination and change of employment – A.7.3.1 – Implementation
- Communication of termination responsibilities includes ongoing information security requirements, legal responsibilities, responsibilities contained within any confidentiality agreement (Annex A control on confidentiality or non-disclosure agreements), and terms and conditions of employment continuing for a defined period after the end of employment.
- Changes of responsibilities or employment are managed as the termination of the current responsibilities or employment combined with the initiation of the new ones.

28 Termination and change of employment – A.7.3.1 – Implementation (cont.)
- The HR function is generally responsible for the overall termination process and works together with the supervising manager of the person leaving to manage the information security aspects.
- For contractors provided through external parties, the termination process is undertaken by the external party in accordance with the contract between the organization and that party.
- Inform employees, customers, and contractors of changes.

29 Summary (video)
Before employment:
- Verify background, inform the candidate, and secure candidate information
- State responsibilities and the terms and conditions of employment carefully and clearly in the contract
During the working period:
- Manage responsibilities and follow the policies and procedures of the organization; motivate people
- Provide information security awareness, education, and training regularly
- The disciplinary process takes action against violations of policies and procedures
Termination and change of employment:
- Define in the agreement the responsibilities that continue for a defined period after termination or change, and enforce them

30 References
- ISO/IEC, 2013, “Information technology – Security techniques – Information security management systems – Requirements”, Annex A, Human resource security, pp. 11.
- ISO/IEC, 2013, “Information technology – Security techniques – Code of practice for information security controls”, Human resource security, no. 7, pp.
- [Video source] CertificationEurope, 2012, “ISO Human Resources Security (Part 11/18)”.
- [Online source] MILLER School of Medicine, University of Miami, “Human resources security”, ‘objectives’ & ‘scope’ & ‘roles and responsibilities’.

31 References
- [Online source] ControlCase, 2012, “Information Security Management System ISO/IEC 27001:2005”, slide 3, What is ISO/IEC standard.
- [Online source] ISO/IEC, 2013, “ISO/IEC 27002:2013 Information technology – Security techniques – Code of practice for information security controls (second edition)”, Human resource security, section 7.
- [Online source] CIPD, “Terms and Conditions of Employment”, employment.aspx
- [Online source] Ibec, “During employment”, g-employment?OpenDocument#.VjBMlUajLgZ
