human_resources (revision 2016/07/19 15:52, current; compared with revision 2016/07/05 18:01), author: jillian_nadette_de_leon

Line 45:
The security awareness, education, and training activities should be suitable and relevant to the person's role, responsibilities and skills, and should include information on known threats, who to contact for further security advice and the proper channels for reporting information security incidents.\\
  
**2.3. Disciplinary Process.** There shall be a formal disciplinary process for employees who have committed a security breach.\\
  
The health facility shall ensure correct and fair treatment of employees who are suspected of having violated the privacy and security policies; no employee shall be terminated without prior verification that a privacy breach has actually occurred.\\

For government facilities, the termination process shall comply with the Civil Service Rule.\\

The response shall be graduated, taking into account factors such as the nature and gravity of the breach and its impact on the business, whether it is a first or a repeat offense, whether the violator was properly trained, relevant legislation, business contracts, and other factors as required.\\

**Section 3. Termination or Off-boarding of Employees.** Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned. Responsibilities and duties that remain valid after termination of employment shall be contained in the employee's, contractor's, or third party's contract.\\

The communication of termination shall include the ongoing security requirements and legal responsibilities contained in any confidentiality agreement, and the terms and conditions of employment that continue for a defined period after the end of the employee's, contractor's, or third party's engagement.\\

The Human Resources function is generally responsible for the overall termination process and works with the supervising manager of the person leaving and with the IT manager to handle the security aspects of the relevant procedures, in particular the revocation of health information access. In the case of a contractor, this responsibility may be undertaken by the agency responsible for the contractor; in the case of another user, it may be handled by that user's own organization.\\

**3.1. Return of Assets.** All employees, contractors and third parties shall return all of the health care facility's assets in their possession upon termination of their employment, contract, or agreement.\\

The termination process shall be formalized to include the return of all previously issued software, corporate documents, and equipment. Other organizational assets such as mobile computing devices, access cards, software, manuals, and information stored on electronic media also need to be returned.\\

In cases where an employee, contractor, or third party has knowledge that is important to ongoing operations, that information shall be documented and transferred to the organization.\\

**3.2. Access Rights.** The access rights of all employees, contractors and third parties to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.\\

If a departing employee, contractor, or third party user knows the passwords of accounts that remain active, those passwords shall be changed upon termination or change of employment, contract or agreement.\\

Access rights to information assets and information processing facilities shall be limited or removed before the employment terminates or changes, depending on an evaluation of risk factors such as:\\
a.) Whether the termination or change is initiated by the employee, contractor or third party, or by management, and the reason for the termination;\\
b.) The current responsibilities of the employee, contractor or other user;\\
c.) The value of the assets currently accessible.\\

In certain circumstances access rights may be allocated on a basis shared by more people than the departing employee, contractor or third party user (e.g. group IDs). In such circumstances, departing individuals shall be removed from all group access lists, and arrangements shall be made to advise the other employees, contractors and third parties involved to no longer share this information with the departing person.\\
##References:##
  * PHIC Human Resources Security document.