Human Resources and Information Security

The HR department may not be the first group that comes to mind when the Information Security topic surfaces.  However, Human Resources plays a significant role in the protection of sensitive information in all stages of an employment life-cycle.

Typically, Human Resources’ activities related to Information Security are categorized in the following ways:

1. Prior to Employment:
   1. Definition of information security roles and responsibilities and clear communication of those expectations during the recruiting process
   2. Establishment of screening criteria during the recruiting process proportional to the business requirements and the classification of the information to be accessed
   3. Conducting background checks and screenings on all candidates for employment to ensure that once access is granted, it is done so appropriately
2. Onboarding
   1. Assure that new employees agree to and sign the terms and conditions of their employment contract, which includes responsibilities for information security, confidentiality, acceptable use, granted access and entitlements, and possible penalties for violations.
   2. Request system, information, and physical access for new employees
3. During Employment
   1. Enforce penalties related to information security violations
   2. Ensure that security awareness training is delivered, attended, and recorded on a regular basis
4. Post-employment or Change in Status
   1. Ensure that access rights and entitlements are deactivated for workforce members who have changed employment
   2. Ensure that appropriate rights are deactivated and new rights established when an employee changes status

Collection of company assets when an individual’s employment ends or the status change requires such action.