CHAPTER 09: Addressing personnel issues relating to security
Section 01 Contractual Documentation
Section 02 Confidential Personnel Data
Section 03 Personnel Information Security Responsibilities
Section 04 Staff Leaving Employment
Policy 090101 Preparing Terms and Conditions of Employment
POLICY STATEMENT
“The Terms and Conditions of Employment of this organization are to include requirements for compliance with Information Security.”
Policy 090102 Employing / Contracting New Staff
POLICY STATEMENT
“New employees’ references must be verified, and the employees must undertake to abide by the organization’s Information Security policies.”
Policy 090103 Contracting with External Suppliers / other Service Providers
POLICY STATEMENT
“All external suppliers who are contracted to supply services to the organization must agree to follow the Information Security policies of the organization. An appropriate summary of the Information Security Policies must be formally delivered to any such supplier, prior to any supply of services.”
Policy 090104 Using Non Disclosure Agreements (Staff and Third Party)
POLICY STATEMENT
“Non-disclosure agreements must be used in all situations where the confidentiality, sensitivity or value of the information being disclosed is classified as Proprietary (or above).”
Policy 090105 Misuse of Organization Stationery
POLICY STATEMENT
“The organization’s letter-headed notepaper, printed forms and other documents are to be handled securely to avoid misuses.”
Policy 090106 Lending Keys to Secure Areas to Others
POLICY STATEMENT
“The lending of keys, both physical or electronic, is prohibited. This requirement is also to be noted in employment contracts.”
Policy 090107 Complying with Information Security Policy
POLICY STATEMENT
“All employees must comply with the Information Security Policies of the organisation. Any Information Security incidents resulting from non-compliance will result in immediate disciplinary action.”
Policy 090108 Establishing Ownership of Intellectual Property Rights
POLICY STATEMENT
“All employees and third party contractors are to sign a formal undertaking regarding the intellectual property rights of work undertaken during their terms of employment / contract respectively.”
Policy 090109 Employees’ Responsibility to Protect Confidentiality of Data
POLICY STATEMENT
“All employees are required to sign a formal undertaking concerning the need to protect the confidentiality of information, both during and after contractual relations with the organization.”
Section 02: Confidential Personnel Data
Policy 090201 Respecting Privacy in the workplace
POLICY STATEMENT
“Notwithstanding the organization’s respect for employee’s privacy in the workplace, it reserves the right to have access to all information created and stored on the organization’s systems.”
Policy 090202 Handling Confidential Employee Information
POLICY STATEMENT
“All employee data is to be treated as strictly confidential and made available to only properly authorized persons.”
Policy 090203 Giving References on Staff
POLICY STATEMENT
“Only authorized personnel may give employee references.”
Policy 090204 Checking Staff Security Clearance
POLICY STATEMENT
“All staff must have previous employment and other references carefully checked.”
Section 03: Personnel Information Security Responsibilities
Policy 090301 Using the Internet in an Acceptable Way
POLICY STATEMENT
“Employees may not use the organization’s systems to access or download material from the Internet which is inappropriate, offensive, illegal, or which jeopardizes security. All Internet Use must be for university related purpose.”
Policy 090302 Keeping Passwords Confidential
POLICY STATEMENT
“All personnel must treat passwords as private and highly confidential. Non-compliance with this policy could result in disciplinary action.”
Policy 090303 Using E-Mail for Personal Reasons
POLICY STATEMENT
“The use of e-mail for personal use is discouraged, and should be kept to a minimum.”
Policy 090304 Using Telephone Systems for Personal Reasons
POLICY STATEMENT
“Personal calls on the telephone systems are to be minimized and limited to urgent or emergency use only. Personal long distance and international calls are totally discouraged.”
Policy 090305 Signing for the Delivery of Goods
POLICY STATEMENT
“Only authorized employees may sign for the receipt of goods. They are to ensure that, by signing for them, they are not considered to be verifying the quality or condition of the goods.”
Policy 090306 Signing for Work done by Third Parties
POLICY STATEMENT
“Only properly authorized persons may sign for work done by third parties.”
Policy 090307 Responding to Telephone Enquiries
POLICY STATEMENT
“Telephone enquiries for sensitive or confidential information are initially to be referred to management. Only authorized persons may disclose information classified above Public, and then only to persons whose identity and validity to receive such information has been confirmed.”
Policy 090308 Sharing Confidential Information with Family Members
POLICY STATEMENT
“All data and information not in the public domain, relating to the organization’s business and its employees, must remain confidential at all times.”
Policy 090309 Playing Games on Office Computers
POLICY STATEMENT
“The playing of games on office PCs or laptops is prohibited.”
Policy 090310 Using Office Computers for Personal Use
POLICY STATEMENT
“Using the organization’s computers for personal / private business is strongly discouraged.”
Section 04: Staff Leaving Employment
Policy 090401 Handling Staff Resignations
POLICY STATEMENT
“Upon notification of staff resignations, Human Resources management must consider with the appointed Information Security Center whether the resigned employee’s access rights have been properly revoked.”