Human Resources

A key component of the Information Security Program is its set of human resources policies and procedures.

HRS Control Domains

HRS-01: Asset Returns -

  • HRS-01.1: Upon termination of contract or business relationship, are employees and business partners adequately informed of their obligations for returning organizationally-owned assets?


Policy to be referenced here is INSERT
*Action item: INSERT

  • HRS-01.2: Do you have asset return procedures outlining how assets should be returned within an established period?


Policy to be referenced here is INSERT
*Action item: INSERT

HRS-02: Background Check -

  • HRS-02.1: Pursuant to local laws, regulations, ethics, and contractual constraints, are all employment candidates, contractors, and involved third parties subject to background verification?


Policy to be referenced here is INSERT
*Action item: INSERT

HRS-03: Employee Agreements -

  • HRS-03.1: Do your employment agreements incorporate provisions and/or terms in adherence to established information governance and security policies?


Policy to be referenced here is INSERT
*Action item: INSERT

  • HRS-03.2: Do you require that employment agreements are signed by newly hired or on-boarded workforce personnel prior to granting workforce personnel user access to corporate facilities, resources, and assets?


Policy to be referenced here is INSERT
*Action item: INSERT

HRS-04: Employee Termination -

  • HRS-04.1: Are documented policies, procedures, and guidelines in place to govern change in employment and/or termination?


Policy to be referenced here is INSERT
*Action item: INSERT

  • HRS-04.2: Do the above procedures and guidelines account for timely revocation of access and return of assets?


Policy to be referenced here is INSERT
*Action item: INSERT

HRS-05: Portable / Mobile Devices -

  • HRS-05.1: Are policies and procedures established and measures implemented to strictly limit access to your sensitive data and tenant data from portable and mobile devices (e.g., laptops, cell phones, and personal digital assistants (PDAs)), which are generally higher-risk than non-portable devices (e.g., desktop computers at the provider organization’s facilities)?


Policy to be referenced here is INSERT
*Action item: INSERT

HRS-06: Non-Disclosure Agreements -

  • HRS-06.1: Are requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details identified, documented, and reviewed at planned intervals?


Policy to be referenced here is INSERT
*Action item: INSERT

HRS-07: Roles / Responsibilities -

  • HRS-07.1: Do you provide tenants with a role definition document clarifying your administrative responsibilities versus those of the tenant?


Policy to be referenced here is INSERT
*Action item: INSERT

HRS-08: Acceptable Use -

  • HRS-08.1: Do you have policies and procedures in place to define allowances and conditions for permitting usage of organizationally-owned or managed user end-point devices and IT infrastructure network and systems components?


Policy to be referenced here is INSERT
*Action item: INSERT

  • HRS-08.2: Do you define allowances and conditions for BYOD devices and their applications to access corporate resources?


Policy to be referenced here is INSERT
*Action item: INSERT

HRS-09: Training / Awareness -

  • HRS-09.1: Do you provide a formal, role-based, security awareness training program for cloud-related access and data management issues (e.g., multi-tenancy, nationality, cloud delivery model, segregation of duties implications, and conflicts of interest) for all persons with access to tenant data?


Policy to be referenced here is INSERT
*Action item: INSERT

  • HRS-09.2: Do you specifically train your employees regarding their specific role and the information security controls they must fulfill?


Policy to be referenced here is INSERT
*Action item: INSERT

  • HRS-09.3: Do you document employee acknowledgment of training they have completed?


Policy to be referenced here is INSERT
*Action item: INSERT

  • HRS-09.4: Is successful and timed completion of the training program(s) considered a prerequisite for acquiring and maintaining access to sensitive systems?


Policy to be referenced here is INSERT
*Action item: INSERT

  • HRS-09.5: Are personnel trained and provided with awareness programs at least once a year?


Policy to be referenced here is INSERT
*Action item: INSERT

  • HRS-09.6: Are administrators and data stewards properly educated on their legal responsibilities with regard to security and data integrity?


Policy to be referenced here is INSERT
*Action item: INSERT

HRS-10: User Responsibility -

  • HRS-10.1: Are personnel informed of their responsibilities for maintaining awareness and compliance with published security policies, procedures, standards, and applicable regulatory requirements?


Policy to be referenced here is INSERT
*Action item: INSERT

  • HRS-10.2: Are personnel informed of their responsibilities for maintaining a safe and secure working environment?


Policy to be referenced here is INSERT
*Action item: INSERT

  • HRS-10.3: Are personnel informed of their responsibilities for ensuring that equipment is secured and not left unattended?


Policy to be referenced here is INSERT
*Action item: INSERT

HRS-11: Workspace -

  • HRS-11.1: Are all computers and laptops configured such that a lockout screen is activated after a pre-defined amount of time?


Policy to be referenced here is INSERT
*Action item: INSERT

  • HRS-11.2: Are there policies and procedures to ensure that unattended workspaces do not have openly visible (e.g., on a desktop) sensitive documents?


Policy to be referenced here is INSERT
*Action item: INSERT

Related Documents

New Employee