This security-related human resource policy example outlines how employee information technology should be addressed. The goal is to ensure that all personnel are aware of the best practices used to protect information and know how to use their networking equipment properly, according to organization rules, standards, and guidelines.

While this document covers many rules, standards, and guidelines, it is not exhaustive. Human resource administrators, employees, contractors, and third parties should therefore exercise due care with regard to how employee information technology is handled.

New employees should receive information security training and occasional awareness updates to promote employee vigilance within the company. These activities ensure that employees understand and take responsibility for company information and resources.

The following minimum procedures should be clearly spelled out and enforced.

- The employee is not allowed to download and/or install unauthorized software onto organization computers, nor should they connect to the network with unauthorized equipment.
- The employee is not allowed to hinder the proper operation of protection tools, including antivirus programs, screensavers, etc.
- The employee is not allowed to access prohibited sites via the Internet.
- Employees must inform their immediate superior and the IT department of any security incident or malfunction they encounter.
- Employees should be instructed in the creation of strong passwords and proper password storage. In addition, passwords should expire after a certain length of time, depending on the sensitivity of the access they grant.
- When an employee moves or changes roles within the organization, their access privileges must be updated accordingly.
- When terminating an employee, the employee's access to technology resources should be immediately suspended.
- Once the employee has been informed of the termination, he should not be allowed to return to his office but should be immediately escorted out of the building.
- The IT department should have a list of all user accounts and suspend the appropriate accounts immediately.
- Log files should be routinely scanned to ensure that the accounts of terminated employees were in fact suspended.
- The supervisor should be responsible for reviewing all of the employee's electronic information and either disposing of it or forwarding it to their replacement.
- The supervisor should be responsible for the return of all of the terminated employee's access cards, ID badges, and manuals.
- The supervisor should be responsible for the return of all company-owned electronic equipment issued to the terminated employee, including laptops, wireless cards, cell phones, and PDAs.

A formal disciplinary process concerning any and all users who breach security rules must be developed and published within the organization.

In order to ensure that the organization is not ethically or legally liable for misconduct, any employee accused of a malicious activity should be treated equally and not given preferential treatment. Also, any investigation into suspicious employee conduct should examine all material facts.