Information Technology emerged to modernise information systems and address their shortcomings. It is a tool developed to grow, implement and protect Information Systems, and it is also used to reach business targets and goals and to optimise work processes.
Such processes include the human resource management process, which covers recruiting, training, developing and rewarding people in an organisation. These processes affect an organisation’s internal processes, essential competencies, relevant markets and organisational structure. Therefore a new aspect comes into play: information security. Information security controls ensure that employees and contractors in an organisation understand their responsibilities and are fit for the roles in which they are placed.
What controls Human Resources (HR) in the workplace?
A.7.1.1 Screening
A good control covers background verification and the checking of the competency of all applicants for employment. All relevant regulations and ethics should be taken into consideration, and the checks should be proportionate to the business requirements, namely the classification of the information the role will access and the associated risks. HR should control all stages of employment in the organisation in a way that reduces the likelihood of accidental or malicious threats. It is essential to have consistent procedures in place to avoid any risk of preferential treatment. Ideally this will be integrated with the organisation’s overall hiring process.
A.7.1.2 Terms & Conditions of Employment
A contract with employees and contractors must state their responsibilities and the organisation’s responsibilities with regard to information security. This contract is important because it sets out general and individual responsibilities which carry legal weight. This is also imperative with regard to GDPR and the Data Protection Act 2018.
A.7.2.1 Management responsibilities
A good control defines how employees and contractors apply information security in compliance with the policies and procedures of an organisation. The duties of managers should include requirements to:
Ensure that those they are responsible for understand the information security threats, vulnerabilities and controls relevant to their job roles and receive regular training (as per A.7.2.2).
Ensure buy-in to practical and suitable support for the appropriate information security policies and controls, and emphasise the requirements of the terms and conditions of employment.
Managers play an imperative role in ensuring security awareness and thoroughness throughout the organisation by creating an appropriate “security culture”.
A.7.2.2 Information Security Awareness, Education & Training
All employees and relevant contractors must receive appropriate awareness education and training to perform their job well and securely. They must also receive updates whenever organisational policies and procedures change, together with a good understanding of the applicable legislation that affects them in their role. Each organisation needs to be able to demonstrate that training and compliance have been considered, and to record how training and awareness are delivered, so that staff and contractors have the best chance of understanding.
A.7.2.3 Disciplinary Process
There needs to be a documented disciplinary process in place, communicated in line with A.7.2.2 above, which is invoked in the case of any security breach.
A.7.3.1 Termination or change of employment responsibilities
Information security duties and responsibilities that remain valid after termination of, or a change in, employment must be clearly defined, communicated to employees and contractors, and implemented. Examples include keeping information that belongs to the organisation within it and keeping it private. It is essential to ensure that information remains protected after an employee or contractor leaves the organisation, as people themselves are walking data stores. The terms and conditions of the contract should emphasise this, and the leaver’s contract termination process should serve as a reminder to individuals that they have responsibilities to the organisation even after they have left.
Besides termination and exit, if an employee changes roles, e.g. moving from operations to sales, it should be ensured that they no longer have access to information assets that are not required in their new role.
When it comes to HR departments, the most important thing to do with regard to information security is to be proactive rather than reactive. Technology, and the potential for breaches, has entered every facet of business today. It is not enough to rely on your IT department to make sure staff are educated about data loss and how to prevent it. An organisation must ensure training takes place to educate employees about their roles in keeping data safe. They should be aware of what the security protocols are, how to create and use strong passwords, and what the process is should they suspect trouble or lose a device that they also use for business. Human Resources professionals are accountable for ensuring that employees comply with security policies. The HR department is essential in ensuring that information security policies are correctly presented, documented, communicated and enforced.