Essential security policies for human resources

This example of a security-related human resources policy describes how employee information technology should be addressed. The goal is to ensure that all staff are aware of the best practices used to protect information and know how to use the organization's network equipment properly, in accordance with organizational rules, regulations, and guidelines.

While this document covers many rules, standards, and guidelines, it is not exhaustive. Therefore, human resources managers, employees, contractors, and third parties must exercise due care regarding how employee information technology is handled.

New employees should receive information security training and occasional awareness updates to promote employee vigilance within the company. These activities ensure that employees understand and take responsibility for company information and resources.

The following minimum procedures must be clearly explained and applied.

  • The employee may not download and/or install unauthorized software on the organization’s computers or connect to the network with unauthorized equipment.
  • The employee may not interfere with the proper functioning of protection tools, including antivirus programs, screen savers, etc.
  • The employee may not access prohibited sites through the Internet.
  • Employees should report any security incidents or malfunctions they find to their line manager and the IT department.
  • The employee must be instructed in the creation of strong passwords and the proper storage of passwords. Passwords should also expire after a certain period of time, depending on the sensitivity of the access.
  • When an employee moves or changes roles within the organization, their access privileges must be updated accordingly.
  • Upon termination of an employee, the employee’s access to technology resources must be immediately suspended.
  • Once the employee has been informed of the termination, they should not be allowed to return to their office, but should be immediately escorted out of the building.
  • The IT department should have a list of all user accounts and suspend the corresponding accounts immediately.
  • Log files should be routinely scanned to ensure that all employee accounts have been suspended.
  • The supervisor should be responsible for reviewing all of the employee's electronic information and either discarding it or forwarding it to replacements.
  • The supervisor should be responsible for the return of all access cards, identification cards and handbooks of the terminated employees.
  • The supervisor should be responsible for the return of all company-owned electronic equipment issued to the terminated employee, including laptop computers, wireless cards, cell phones, and PDAs.

A formal disciplinary process should be developed and published within the organization with respect to any and all users who violate security rules.

To ensure that the organization is not held ethically or legally liable for misconduct, any employee accused of malicious activity should be treated equally and not receive preferential treatment. In addition, any investigation into suspicious employee conduct must examine all of the material facts.

admin
