Tier-1 policies overview, part one: Employment and Standards of Conduct Policies

Information security is not limited to the IT department. It must be part of every facet of the organization. An effective information security professional works with the other departments to ensure that security concepts are part of all policies within the organization. In my next four policies tips, I will examine a total of 12 Tier 1 (organization-wide) policies and identify what elements of information security should be addressed in each. I begin this series with the examination of Employment and Standards of Conduct policies.

Employment.This policy describes the processes required to ensure that all candidates get an equal opportunity when seeking a position with the organization. It discusses the organization's hiring practices and new employee orientation. It is during the orientation phase that new employees should receive their first introduction to the information security requirements. Included in this process is a Non-Disclosure Agreement or Confidentiality Agreement. These agreements require the signatory to keep confidential information secret and generally remain in effect after the employee leaves the organization.

The employment policies should also include condition-of-employment requirements such as background checks for key management levels or certain jobs. Job descriptions should also be a part of the Employment and Performance policies. These descriptions should include what is expected of employees regarding information security requirements.

• In the second installment of Tom Peltier's Tier-1 policies overview, learn about Conflict-of-Interest, Performance Management, Employee Discipline and Information Security Policies.
• Tom Peltier examines Corporate Communications, Work Place Security and Business Continuity Plan Policies in the third installment of this series.
• In the fourth installment of this series, Tom examines Procurement and Contracts, Records Management and Asset Classification Policies.

Standards of conduct. This policy addresses what is expected of employees and how they are to conduct themselves when on company property or when representing the organization. This policy normally discusses examples of unacceptable behavior (dishonesty, sleeping on the job, substance abuse, introduction of unauthorized software into company systems) and the penalties for infractions. This policy should also include a statement similar to the following: "Company management has the responsibility to manage enterprise information, personnel and physical properties relevant to their business operations, as well as the right to monitor the actual utilization of these enterprise assets."

Information security should also address confidential information in the Standards of Conduct Policy: "Employees shall also maintain the confidentiality of corporate information." A discussion on unacceptable conduct is generally included in an employee code of conduct policy; this should include a discussion on unauthorized code and copyright compliance.

It will be necessary to work with the "owner" departments of these policies. Typically human resources would be responsible for the content found in the Employment and Standards of Conduct policies. Presenting a sound business case as to why these changes will help the organization will allow you to be successful.

Next month we'll go over four more Tier-1 policies. Stay tuned!

About the author
Tom Peltier has been an information security professional for more than twenty-five years. Tom has written books on information security policies and contributed to several books on CISSP preparation, and computer and data security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Compliance Counselor,   Information Security Policies, Procedures and Guidelines,   Information Security Management,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Compliance Counselor FTC Red Flags Rules: How to create an identity theft prevention plan Creating a HIPAA employee training program Data protection tips for corporate compliance leaders PCI DSS compliance requirements: Ensuring data integrity Understanding PCI DSS compliance requirements for log management Are 'strong authentication' methods strong enough for compliance? Strategies for using technology to enable automated compliance Common PCI questions: Web application firewalls or source code review? PCI management: The case for Web application firewalls The basics of enterprise GRC project management Information Security Policies, Procedures and Guidelines Essential guide: Pandemic planning for H1N1 Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats Should enterprises be concerned with Twitter in the workplace? Information security management hype: Debunking best practices Data breach avoidance begins with security basics, panel says Expert: Information security spending often restricts innovation GAO report cites government weaknesses, data leakage RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.