8 Best Practice Guidelines for Human Resource Security

Enbordero
4 min read · Feb 18, 2021

Whilst you would be forgiven for thinking that this relates to employee safety in the workplace, human resource security is actually about ensuring that key controls are in place within your organization for your employees and the security of company data and assets. Given the digital world we live in, the importance of information security couldn’t be greater.

Setting Controls

These controls include defining roles and responsibilities so that employees are qualified for the role they are undertaking and understand their responsibilities and their employer's expectations; making sure that employees are aware of and educated in data security; having policies in place to deal with recruitment, training, and disciplinary processes; and ensuring that the company maintains control of access to both physical and information assets.

Best Practice

Any company looking to be compliant with ISO 27002 or to obtain SOC 2 certification will need to have these policies in place. However, I would recommend that any organization considers how it deals with human resource security in order to protect itself and mitigate risk.

The 8 areas I would consider best practice are detailed below. If you are looking at certification under SOC 2 or similar, you will need not only policies in place but also a system to record and monitor the actions of your organization and employees for your annual audit.

Defined and documented roles and responsibilities

Ensure that each role within your organization is defined and responsibilities documented. Make sure that this is communicated and understood by the relevant staff member. As an employer, you should ensure that you can provide evidence that not only do you have the roles documented but that they were shared and acknowledged by your employees.

Background checks/screening

Whether this is a reference letter from a previous employer or a full background check with the authorities, you need to know who you are hiring. Most countries or states will have a list of required documents that you need to obtain from a new hire. Go that one step further and make sure you aren’t missing anything.

Signed agreements — NDA, Acceptable Use, Code of Conduct, Ethics, Confidentiality Agreement

Ensure that all relevant documents are issued at the start of the employment term. Work with a local HR consultant or lawyer to ensure your policies are up to date and relevant to what your organization does; it will be worth the investment.

Annual security and data protection training

The rules on data protection vary between countries and it is important to make sure your organization is not only compliant with local regulations but also with those countries you trade with. Once you understand the requirements for your organization, it is important to ensure your staff is educated and trained to follow these practices. Breaching data protection regulations can be extremely costly to any business. You need to be sure your staff understands what is expected of them.

Disciplinary policy and procedures in place

If something does go wrong, you need to have a well-defined procedure in place to deal with the issue. Both the policy and the procedure need to protect the organization and the employee’s rights. As with the agreements above, a local HR consultant or lawyer will be able to help ensure you are compliant.

Process and documented policy for termination or change of status

Any change of status is likely to change the responsibilities of an employee. After a promotion or move to a different department, they may need access to different systems or need to follow additional company policies. Don’t assume that everything that was documented at the start of their employment with you still stands. Ensure that you have processes in place to revisit and re-document any changes.

Policy and process in place for removal of access rights

Any business owner would agree that the last thing you need is a disgruntled ex-employee having access to your servers or the company Twitter account. Ensure you are recording when access is granted to your systems and most importantly, make sure access is revoked when they leave. As I mentioned before, if you are looking at SOC 2 certification your auditors will need to see proof that access has been revoked.
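One way to produce the kind of evidence an auditor asks for is to reconcile the HR roster against the access-grant log and flag any leaver whose access was never revoked, or was revoked late. This is an added example, not code from the article; the roster, the grant log, the system names and the `reconcile` function are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (hypothetical): HR roster mapping user -> termination
# date (None = still employed), and the access-grant log the article says you
# should be keeping, as (user, system, granted, revoked-or-None).
ROSTER = {
    "alice": None,
    "bob": date(2021, 1, 15),
    "carol": date(2021, 2, 1),
}
GRANTS = [
    ("alice", "prod-ssh", date(2020, 3, 1), None),
    ("bob", "prod-ssh", date(2020, 6, 1), date(2021, 1, 15)),   # revoked on time
    ("bob", "twitter", date(2020, 6, 1), None),                # never revoked
    ("carol", "crm", date(2020, 9, 1), date(2021, 2, 10)),     # revoked late
    ("dave", "vpn", date(2020, 11, 1), None),                  # not on the roster
]
AS_OF = date(2021, 2, 18)  # audit date for the sample run

@dataclass
class Finding:
    user: str
    system: str
    issue: str
    days_late: int = 0

def reconcile(roster, grants, as_of):
    """Compare HR termination dates against the access log and return a
    Finding for every grant that an auditor would question."""
    findings = []
    for user, system, granted, revoked in grants:
        if user not in roster:
            # Access exists for someone HR has no record of: investigate.
            findings.append(Finding(user, system, "user not in HR roster"))
            continue
        left = roster[user]
        if left is None or left > as_of:
            continue  # current employee, nothing to check here
        if revoked is None:
            days = (as_of - left).days
            findings.append(Finding(user, system, "still active after leaving", days))
        elif revoked > left:
            findings.append(Finding(user, system, "revoked late", (revoked - left).days))
    return findings

if __name__ == "__main__":
    for f in reconcile(ROSTER, GRANTS, AS_OF):
        print(f"{f.user:6} {f.system:9} {f.issue} ({f.days_late} days)")
```

Run against your real HR export and access log, a clean result (an empty list) is the proof of revocation; anything else is a finding to close before the audit.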

Return of assets

Who in your organization makes sure that laptops or other assets are returned when an employee leaves? An asset inventory is a quick and easy way to document which employees have which company assets and what needs to be returned. If employees are aware that a log is being maintained, the risk of loss or theft will be reduced.

Better is possible

By following the best practice guidelines I detailed above, your organization will have confidence in your human resource management system and ensure the integrity, reliability, and confidentiality of the information related to and used by your employees. A controlled environment for all.
