Tier-1 policies overview, part one: Employment and Standards of Conduct Policies

Information security is not limited to the IT department. It must be part of every facet of the organization. An effective information security professional works with the

    Requires Free Membership to View

other departments to ensure that security concepts are part of all policies within the organization. In my next four policies tips, I will examine a total of 12 Tier 1 (organization-wide) policies and identify what elements of information security should be addressed in each. I begin this series with the examination of Employment and Standards of Conduct policies.

Employment.This policy describes the processes required to ensure that all candidates get an equal opportunity when seeking a position with the organization. It discusses the organization's hiring practices and new employee orientation. It is during the orientation phase that new employees should receive their first introduction to the information security requirements. Included in this process is a Non-Disclosure Agreement or Confidentiality Agreement. These agreements require the signatory to keep confidential information secret and generally remain in effect after the employee leaves the organization.

The employment policies should also include condition-of-employment requirements such as background checks for key management levels or certain jobs. Job descriptions should also be a part of the Employment and Performance policies. These descriptions should include what is expected of employees regarding information security requirements.

  • In the second installment of Tom Peltier's Tier-1 policies overview, learn about Conflict-of-Interest, Performance Management, Employee Discipline and Information Security Policies.
  • Tom Peltier examines Corporate Communications, Work Place Security and Business Continuity Plan Policies in the third installment of this series.
  • In the fourth installment of this series, Tom examines Procurement and Contracts, Records Management and Asset Classification Policies.

Standards of conduct. This policy addresses what is expected of employees and how they are to conduct themselves when on company property or when representing the organization. This policy normally discusses examples of unacceptable behavior (dishonesty, sleeping on the job, substance abuse, introduction of unauthorized software into company systems) and the penalties for infractions. This policy should also include a statement similar to the following: "Company management has the responsibility to manage enterprise information, personnel and physical properties relevant to their business operations, as well as the right to monitor the actual utilization of these enterprise assets."

Information security should also address confidential information in the Standards of Conduct Policy: "Employees shall also maintain the confidentiality of corporate information." A discussion on unacceptable conduct is generally included in an employee code of conduct policy; this should include a discussion on unauthorized code and copyright compliance.

It will be necessary to work with the "owner" departments of these policies. Typically human resources would be responsible for the content found in the Employment and Standards of Conduct policies. Presenting a sound business case as to why these changes will help the organization will allow you to be successful.

Next month we'll go over four more Tier-1 policies. Stay tuned!

About the author
Tom Peltier has been an information security professional for more than twenty-five years. Tom has written books on information security policies and contributed to several books on CISSP preparation, and computer and data security.

This was first published in February 2004

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.