Information security is not limited to the IT department. It must be part of every facet of the organization. An
effective information security professional works with the other departments to ensure that security concepts are part of all policies within the organization. In my next four policies tips, I will examine a total of 12 Tier 1 (organization-wide) policies and identify what elements of information security should be addressed in each. I begin this series with the examination of Employment and Standards of Conduct policies.
This policy describes the processes required to ensure that all candidates get an equal opportunity when seeking a position with the organization. It discusses the organization's hiring practices and new employee orientation. It is during the orientation phase that new employees should receive their first introduction to the information security requirements. Included in this process is a Non-Disclosure Agreement or Confidentiality Agreement. These agreements require the signatory to keep confidential information secret and generally remain in effect after the employee leaves the organization.
The employment policies should also include condition-of-employment requirements such as background checks for key management levels or certain jobs. Job descriptions should also be a part of the Employment and Performance policies. These descriptions should include what is expected of employees regarding information security requirements.
MORE INFORMATION ON POLICIES:
- In the second installment of Tom Peltier's Tier-1 policies overview, learn about Conflict-of-Interest, Performance Management, Employee Discipline and Information Security Policies.
- Tom Peltier examines Corporate Communications, Work Place Security and Business Continuity Plan Policies in the third installment of this series.
- In the fourth installment of this series, Tom examines Procurement and Contracts, Records Management and Asset Classification Policies.
Standards of conduct
This policy addresses what is expected of employees and how they are to conduct themselves when on company property or when representing the organization. This policy normally discusses examples of unacceptable behavior (dishonesty, sleeping on the job, substance abuse, introduction of unauthorized software into company systems) and the penalties for infractions. This policy should also include a statement similar to the following: "Company management has the responsibility to manage enterprise information, personnel and physical properties relevant to their business operations, as well as the right to monitor the actual utilization of these enterprise assets."
Information security should also address confidential information in the Standards of Conduct Policy: "Employees shall also maintain the confidentiality of corporate information." A discussion on unacceptable conduct is generally included in an employee code of conduct policy; this should include a discussion on unauthorized code and copyright compliance.
It will be necessary to work with the "owner" departments of these policies. Typically human resources would be responsible for the content found in the Employment and Standards of Conduct policies. Presenting a sound business case as to why these changes will help the organization will allow you to be successful.
Next month we'll go over four more Tier-1 policies. Stay tuned!
About the author:
Tom Peltier has been an information security professional for more than twenty-five years. Tom has written books on information security policies and contributed to several books on CISSP preparation, and computer and data security.