10 Human Resource Security

This document discusses human resource security controls from ISO 27002. It covers topics like screening candidates prior to employment, defining terms of employment, managing security responsibilities during employment, and handling termination. It provides details on verifying candidates' credentials and ensuring contractual agreements address security roles and responsibilities.

Uploaded by Lola Adesola

HOLISTIC INFORMATION SECURITY PRACTITIONER COURSE

ISO 27002 Control Clause: Human Resource Security

©2014 HISPI

Topics of This Control Clause

Prior to Employment
• Screening
• Terms and conditions of employment
During Employment
• Management responsibilities
• Information security awareness, education, and training
• Disciplinary process
Termination and Change of Employment
• Termination or change of employment responsibilities


10-1
©2017 HISPI

Prior to Employment

Objective
“To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.”

Source: ISO/IEC 27002:2013



Screening

Control

Background verification checks on all candidates for employment should be carried out in accordance with relevant laws, regulations and ethics and should be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Verification should take into account all relevant privacy, protection of personally
identifiable information and employment based legislation.
Specifics of the verification should be in line with the position for which the
candidate is being considered.
Credentials should be verified.
Procedures should define criteria and limitations for verification checks.

Source: ISO/IEC 27002:2013



Verification should, where permitted, include the following:

• Availability of satisfactory character references, e.g. one business and one personal;
• A verification (for completeness and accuracy) of the applicant’s curriculum vitae;
• Confirmation of claimed academic and professional qualifications;
• Independent identity verification (passport or similar document);
• More detailed verification, such as credit review or review of criminal records.

When an individual is hired for a specific information security role, organizations should make sure the candidate:
• Has the necessary competence to perform the security role;
• Can be trusted to take on the role, especially if the role is critical for the organization.
Where a job, either on initial appointment or on promotion, involves the person having access to information processing facilities, and if these are handling confidential information, e.g. financial information or highly confidential information, the organization should also consider further, more detailed verifications.
Procedures should define criteria and limitations for verification reviews, e.g. who is eligible to screen people and how, when and why verification reviews are carried out.
A screening process should also be ensured for contractors. In these cases, the agreement between the organization and the contractor should specify responsibilities for conducting the screening and the notification procedures that need to be followed if screening has not been completed or if the results give cause for doubt or concern.
Information on all candidates being considered for positions within the organization should be collected and handled in accordance with any appropriate legislation existing in the relevant jurisdiction. Depending on applicable legislation, the candidates should be informed beforehand about the screening activities.

Terms and conditions of employment

Control

The contractual agreements with employees and contractors should state their and the organization’s responsibilities for information security.
The organization should ensure that employees and contractors agree to terms and
conditions concerning information security appropriate to the nature and extent of
access they will have to the organization’s assets associated with information
systems and services.
The obligations for employees or contractors should reflect the organization’s
policies for information security.
Where appropriate, responsibilities contained within the terms and conditions of
employment should continue for a defined period after the end of the employment.

Source: ISO/IEC 27002:2013



The contractual obligations for employees or contractors should reflect the organization’s
policies for information security in addition to clarifying and stating:

• That all employees and contractors who are given access to confidential information should sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities;
• The employee’s or contractor’s legal responsibilities and rights, e.g. regarding copyright laws or data protection legislation;
• Responsibilities for the classification of information and management of organizational assets associated with information, information processing facilities and information services handled by the employee or contractor;
• Responsibilities of the employee or contractor for the handling of information received from other companies or external parties;
• Actions to be taken if the employee or contractor disregards the organization’s security requirements.
Information security roles and responsibilities should be communicated to job candidates
during the pre-employment process.
The organization should ensure that employees and contractors agree to terms and conditions
concerning information security appropriate to the nature and extent of access they will have to
the organization’s assets associated with information systems and services.
Where appropriate, responsibilities contained within the terms and conditions of employment
should continue for a defined period after the end of the employment.
A code of conduct may be used to state the employee’s or contractor’s information security
responsibilities regarding confidentiality, data protection, ethics, appropriate use of the
organization’s equipment and facilities, as well as reputable practices expected by the
organization. An external party, with which a contractor is associated, can be required to enter
contractual arrangements on behalf of the contracted individual.


During Employment

Objective
“To ensure that employees and contractors are aware of and fulfil their information security responsibilities.”

Source: ISO/IEC 27002:2013



Management responsibilities

Control

Management should require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.
Management should demonstrate support of information security policies,
procedures and controls, and act as a role model.
If employees and contractors are not made aware of their information security
responsibilities, they can cause considerable damage to an organization. Motivated
personnel are likely to be more reliable and cause fewer information security
incidents.
Poor management can cause personnel to feel undervalued resulting in a negative
information security impact on the organization. For example, poor management
can lead to information security being neglected or potential misuse of the
organization’s assets.
Source: ISO/IEC 27002:2013

Management responsibilities should include ensuring that employees and contractors:

• Are properly briefed on their information security roles and responsibilities prior to being granted access to confidential information or information systems;
• Are provided with guidelines to state information security expectations of their role within the organization;
• Are motivated to fulfil the information security policies of the organization;

• Achieve a level of awareness on information security relevant to their roles and responsibilities within the organization;
• Conform to the terms and conditions of employment, which includes the organization’s information security policy and appropriate methods of working;
• Continue to have the appropriate skills and qualifications and are educated on a regular basis;
• Are provided with an anonymous reporting channel to report violations of information security policies or procedures (“whistle blowing”).

Information security awareness, education and training

Control

All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
Security awareness training should be included in induction courses for new employees. The basic training should include:
• The organization’s security policies for the use of information services (log-on, use of Internet/e-mail);
• Use of software packages;
• Information on the disciplinary process;
• Incident reporting;
• Typical security threats.
Source: ISO/IEC 27002:2013

An information security awareness program should aim to make employees and, where
relevant, contractors aware of their responsibilities for information security and how those
responsibilities are discharged.
An information security awareness program should be established in line with the organization’s
information security policies and relevant procedures, taking into consideration the
organization’s information to be protected and the controls that have been implemented to
protect the information.
The awareness program should include several awareness-raising activities such as campaigns
(e.g. an “information security day”) and issuing booklets or newsletters.
The awareness program should be planned taking into consideration the employees’ roles in the
organization, and, where relevant, the organization’s expectation of the awareness of
contractors. The activities in the awareness program should be scheduled over time, preferably
regularly, so that the activities are repeated and cover new employees and contractors. The
awareness program should also be updated regularly so it stays in line with organizational
policies and procedures, and should be built on lessons learned from information security
incidents.
Awareness training should be performed as required by the organization’s information security
awareness program. Awareness training can use different delivery media including classroom-
based, distance learning, web-based, self-paced and others.
Information security education and training should also cover general aspects such as:
• Stating management’s commitment to information security throughout the organization;
• The need to become familiar with and comply with applicable information security rules and obligations, as defined in policies, standards, laws, regulations, contracts and agreements;
• Personal accountability for one’s own actions and inactions, and general responsibilities towards securing or protecting information belonging to the organization and external parties;
• Basic information security procedures (such as information security incident reporting) and baseline controls (such as password security, malware controls and clear desks);
• Contact points and resources for additional information and advice on information security matters, including further information security education and training materials.
Information security education and training should take place periodically. Initial education and training applies not just to new employees but also to those who transfer to new positions or roles with substantially different information security requirements, and it should take place before the role becomes active.
The organization should develop the education and training program to conduct the education
and training effectively. The program should be in line with the organization’s information
security policies and relevant procedures, taking into consideration the organization’s
information to be protected and the controls that have been implemented to protect the
information. The program should consider different forms of education and training, e.g.
lectures or self-studies.
When composing an awareness program, it is important not only to focus on the ‘what’ and
‘how’, but also the ‘why’. It is important that employees understand the aim of information
security and the potential impact, positive and negative, on the organization of their own
behavior.
Awareness, education and training can be part of, or conducted in collaboration with, other
training activities, for example general IT or general security training. Awareness, education and
training activities should be suitable and relevant to the individual’s roles, responsibilities and
skills.
An assessment of the employees’ understanding could be conducted at the end of an awareness, education and training course to test knowledge.


Training on New Technology and Changes

New technology brings with it new risks, and users should be trained on the safe use of new technologies:
• Server operating systems: Windows Server 2008, 2012 or 2016, or a change to Linux;
• Desktop operating systems: Windows 7, 8 and 10;
• Software: wireless technology;
• Hardware: computers with CD-RW, DVD-RW and USB;
• Consumerization/BYOD devices and gadgets: mobile/smart phones with cameras, USB drives, tablets (iPad/Windows/Android), digital cameras.


Updates Delivered by Intranet or Notice Boards

Creativity in providing on-going information security awareness sessions is essential. Employees are busy; some ideas for increasing participation are:
• Make participation easy;
• Make the sessions entertaining;
• Make the information relevant.
Subsequent training can be delivered in a cost-effective manner using:
• Intranets;
• Notice boards (bulletin boards);
• Team meetings/briefings;
• Newsletters;
• “Lunch and Learn” sessions (consider using Live Meeting/GoToMeeting, etc.).


Disciplinary process

Control

There should be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
The disciplinary process should not begin without verification that a security breach has actually occurred and that evidence has been collected in an ‘admissible’ manner.
The disciplinary process should ensure correct and fair treatment of suspected employees. Always include Human Resources in this process; they are familiar with relevant employment law.
In serious cases of misconduct the process should allow for immediate:
• Removal of access rights and privileges;
• Collection of assets;
• Removal from premises.
Source: ISO/IEC 27002:2013

The formal disciplinary process should provide for a graduated response that takes into consideration factors such as:
• Nature and gravity of the breach and its impact on business;
• Whether this is a first or repeat offence;
• Whether the violator was properly trained;
• Relevant legislation, business contracts and other pertinent factors.
The disciplinary process should also be used as a deterrent to prevent employees from violating the organization’s information security policies and procedures and from committing any other information security breaches. Deliberate breaches may require immediate actions.
The disciplinary process can also become a motivation or an incentive if positive sanctions are defined for remarkable behavior with regard to information security.


Termination and Change of Employment

Objective

“Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated to the employee or contractor and enforced.”

Source: ISO/IEC 27002:2013



Termination or Change of Employment


Processes should be in place to ensure that an employee’s employment status
(termination or position change) is managed and carried out in an orderly manner.
These processes should be outlined in the terms and conditions of employment.


Termination or change of employment responsibilities

Control
Information security responsibilities and duties that remain valid after termination
or change of employment should be defined, communicated to the employee or
contractor and enforced.

For employees the Human Resources function is generally responsible for the overall termination process. For contractors and third parties this may be handled by a variety of parties including:
• Project/program managers;
• Unit managers;
• The contracts section, or even someone in accounting.
The Human Resources Department or contract manager should work with the
supervising manager to carry out the security aspects of the relevant procedures.

Source: ISO/IEC 27002:2013



The communication of termination responsibilities should include on-going information security requirements and legal responsibilities and, where appropriate, responsibilities contained within any confidentiality agreement and the terms and conditions of employment continuing for a defined period after the end of the employee’s or contractor’s employment.
Responsibilities and duties still valid after termination of employment should be contained in
the employee’s or contractor’s terms and conditions of employment.
Changes of responsibility or employment should be managed as the termination of the current
responsibility or employment combined with the initiation of the new responsibility or
employment.
The human resources function is generally responsible for the overall termination process and
works together with the supervising manager of the person leaving to manage the information
security aspects of the relevant procedures. In the case of a contractor provided through an
external party, this termination process is undertaken by the external party in accordance with
the contract between the organization and the external party.
It may be necessary to inform employees, customers or contractors of changes to personnel and
operating arrangements.


Questions


Case Study/Group Exercise


Exercise 5 – Human Resources Security, Page 14
45 Minutes
