Chapter 26
Human Resources Security

Domenic Antonucci, Editor and Chief Risk Officer, Australia

Grace, the head of human relations, is in CEO Tom’s office for the last time before Tom is to present to the board. Tom said, “Well, Grace, I’ve heard nearly everyone mention something that also seemed to involve your HR function. Can you just spell out the basic capabilities for human resources security that you are responsible for in HR?”

If people are said to be the weakest links in any security system, then the HR function and its processes have a role to play. As the needs of organizations and their HR functions of varying size and maturity may differ, let us summarize in this chapter recommended capabilities expected of lower-, mid-, and higher-maturity HR functions. For more detail on what constitutes the HR function’s process maturity, refer to the SEI capability maturity model approach.1

Needs of Lower-Maturity HR Functions

Some HR functions are small or at lower levels of HR process capability maturity. Here, managers take basic and possibly some managed levels of responsibility for managing and developing their people within the cybersecurity and enterprise functions. No matter how small or immature the function, there is no excuse for not communicating to staff minimum protocols or a standard for HR cybersecurity.

An Example Human Resource Security Standard

For heads of HR in a hurry, the City University of Hong Kong Human Resource Security Standard is a public domain document that can be tailored quickly and at no cost to suit any size or type of organization.2 This type of document should not remain a stand-alone document just for cybersecurity, and can be integrated on behalf of cybersecurity into any existing organization HR manual or portal.

The document’s 10 pages are straightforward. Its contents include a policy statement, objectives, types of users (including contractors and third-party users) and covers all key aspects for the three-stage cycle (akin to ISO 27000): prior to employment/engagement, during employment/engagement, and at termination or change of employment. Responsibilities are covered for the human resources office, central information technology (IT) and departmental IT service owners, information security unit, all other enterprise units and employees, and third-party users.

Needs of Mid-Maturity HR Functions

Some HR functions are mid-size or at mid-levels of HR maturity. Here, managers take more managed-level practices (such as managing performance, training, communication, and coordination) within the cybersecurity and enterprise functions. At these HR maturity levels, there is no excuse for not meeting appropriate standards and training for HR cybersecurity even if the standards are not necessarily certifiable.

Capabilities to Meet a Certifiable International Standard

While the National Institute of Standards and Technology (NIST) and other voluntary information security standards are also available, the most popular and international of standards is ISO/IEC 27001:2013,3 which can be purchased at a small cost. The ISO 27000 family of standards helps organizations keep information assets secure. ISO 27001 is the international standard against which an Information Security Management System (ISMS) can be certified. This standard outlines the requirements of a certified ISMS that will help you demonstrate regulatory compliance and information security risk management.

Clause 6.1.3 of this standard describes how an organization can respond to risks with a risk treatment plan. An important part of this is choosing appropriate controls. Annex A is akin to a catalog of security controls that an organization can select from and totals 114 controls. A.7 in Annex A targets six controls that are specific to Human Resource Security and covers three key areas: controls that apply before, during, or after employment. The overall objective of HR security is to ensure that all employees (including contractors and any users of sensitive data) are qualified for and understand the roles and responsibilities of their job duties, and that access is removed once employment is terminated. More specific objectives and details on the six controls can be found under these sections of ISO 27001:2013:

A.7 Human Resource Security

Prior to Employment

  1. Screening. Includes background verification checks at escalating levels for different staff, contractors and third parties with different screening tests (e.g., background screen, credit check, physical examination, drug testing, sample job tasks).
  2. Terms and conditions of employment. Contracts clarify mutual responsibilities between the organization and parties.

During Employment

  1. Employee orientation for new employees. Includes workshops, signed acknowledgments, and explicit support from managers and supervisors to ensure that each person within the organization is vigilant when it comes to protecting information systems.
  2. Ongoing education, awareness, and training. Delivered to defined calendars (annually, biannually, etc.) appropriate to the employee’s job roles and responsibilities, with a minimum requirement for all employees to undergo general training on basic information security practices and/or acknowledge their basic understanding of the organization’s security policies and procedures.
  3. Disciplinary process. A formal process for dealing with security breaches.

Termination and Change of Employment

  1. Responsibilities. The HR function is generally responsible for the overall termination process and works together with the supervising manager. Controls protect the organization’s interests in a managed way, with the return of all equipment and the removal of all access rights driven by a checklist of actions that must be taken without exception.

A checklist for a secure employee departure is readily available in more detail online.4 Here is a summary of the content an organization should tailor to its own needs:

Checklist for a Secure Employee Departure

  • Conduct an exit interview with the employee—with their supervisor and the IT team, including how they can be reached if the company needs to get in contact after their last day.
  • Retrieve organization mobile devices and backup discs, USBs, etc.
  • Deactivate organization e-mail addresses and remote access accounts—include a process for former employee e-mails to be forwarded to their supervisor to ensure continued communications with external customers.
  • Change passwords—ensuring that nothing, including the organization Twitter account, is left in their name if they worked in the organization’s social media area.
  • Collect all company-related keys, pass cards, and ID cards—include informing the security team.
  • Change PINs or passwords to any corporate credit cards or financial accounts—include any corresponding bank statements and any other material that could contain financial information.
  • Prepare for challenges—anticipate a potentially negative reaction and forewarn your IT and security teams so that they can implement the exit process immediately.

Needs of Higher-Maturity HR Functions

Some HR functions operate within large organizations or at higher levels of HR maturity. Here, managers evidence more predictable- and optimizing-level practices within the cybersecurity and enterprise functions (such as organizational performance alignment and continuous capability improvement). At these HR maturity levels, there is an increasing array of more sophisticated tools, techniques, and solutions for advanced cybersecurity. These include certified professional and academic programs.

Certified Professionals

Organization awareness, education, training, and internal communications may all lead up to the certification of professionals, which is available in various countries through reputable institutions. In the United Kingdom, for example, various certifying bodies offer a Certified Professional (CCP) scheme as an important step in creating a unified standard for those working in the U.K. cyber security industry, according to Government Communications Headquarters (GCHQ). GCHQ is a British intelligence and security organization responsible for providing signals intelligence and information assurance to the British government and armed forces. The CESG Certified Professional (CCP) scheme is a certification framework for competent information assurance (IA) professionals. Individuals can choose to be certified in one or more specified IA roles, at several levels of competency. The CCP originated with U.K. national security, then was extended to the government sector, and then to the private sector.

Academia

Certain universities are increasingly becoming Centers of Excellence to enhance the cybersecurity knowledge base. In the United Kingdom, GCHQ and the Engineering and Physical Sciences Research Council (EPSRC) have recognized 11 U.K. universities as having an established cybersecurity research pedigree based on their academic excellence, impact, and scale of activity and research in areas that underpin cybersecurity.

Conclusion

The following cyber risk management statement represents the organization capabilities that the CEO and board should be looking to have their organization demonstrate in terms of human resources (HR) security.

Notes

About Domenic Antonucci

Domenic is a practicing international chief risk officer overseeing cybersecurity and a former counterterrorist intelligence officer. An Australian expatriate based in Dubai UAE, Domenic specializes in bringing capabilities within organization risk management systems “up the maturity curve” for enterprise, program, and specialized risks such as cybersecurity. Formerly with Marsh, Shell and Red Cross, he enjoys over 35 years’ experience in risk, strategic planning and business management consulting across many sectors in Europe, Africa, Middle East, Asia, and Australia-Pacific. A specialist with IRM (SIRM), he is a certified ISO 31000 ERM lead trainer and BCMS business continuity lead implementer, as well as a former RMP-PMI risk management professional and PMP project management professional. A regular international conference presenter and author, he is the content author for risk maturity model software called Benchmarker™ and the author of the book Risk Maturity Models: Assessing Risk Management Effectiveness.
