Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
human_resources [2016/05/27 14:24] jillian_nadette_de_leon [Prior to Employment] |
human_resources [2016/06/14 16:30] wikiadmin updated links |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | #Human Resources | ||
| ##Prior to Employment | ##Prior to Employment | ||
| * All candidates for employment, contractors and third party users shall be adequately screened,especially for sensitive jobs.\\ | * All candidates for employment, contractors and third party users shall be adequately screened,especially for sensitive jobs.\\ | ||
| Line 25: | Line 26: | ||
| //Management Responsibilities//\\ | //Management Responsibilities//\\ | ||
| * Management responsibilities should be defined to ensure that security is applied throughout an individual's employment within the organization.\\ | * Management responsibilities should be defined to ensure that security is applied throughout an individual's employment within the organization.\\ | ||
| - | * Management responsibilities should ensuring that employees, contractors and third party users: \\ | + | * Management responsibilities shall ensure that employees, contractors and third party users: \\ |
| (a) are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information or information systems;\\ | (a) are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information or information systems;\\ | ||
| (b) are provided with guidelines to state security expectations of their role within the health care facility;\\ | (b) are provided with guidelines to state security expectations of their role within the health care facility;\\ | ||
| Line 34: | Line 35: | ||
| //Awareness and Training//\\ | //Awareness and Training//\\ | ||
| - | * An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users. A formal disciplinary process for handling security breaches should be established. \\ | + | * An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users. A formal disciplinary process for handling security breaches shall be established. \\ |
| * All employees of the health care facility and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organization policies and procedures, as relevant for their job function.\\ | * All employees of the health care facility and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organization policies and procedures, as relevant for their job function.\\ | ||
| * Awareness training should commence with a formal induction process designed to introduce the health care facility's security policies and expectations before access to information or services is granted.\\ | * Awareness training should commence with a formal induction process designed to introduce the health care facility's security policies and expectations before access to information or services is granted.\\ | ||
| Line 40: | Line 41: | ||
| * The security awareness, education, and training activities should be suitable and relevant to the person's role, responsibilities and skills, and should include information on known threats, who to contact for further security advice and the proper channels for reporting information security incidents.\\ | * The security awareness, education, and training activities should be suitable and relevant to the person's role, responsibilities and skills, and should include information on known threats, who to contact for further security advice and the proper channels for reporting information security incidents.\\ | ||
| //Disciplinary Process//\\ | //Disciplinary Process//\\ | ||
| - | * There should be a formal disciplinary process for employees who have committed a security breach.\\ | + | * There shall be a formal disciplinary process for employees who have committed a security breach.\\ |
| - | * The disciplinary process should not be commenced without prior verification that a security breach has occurred.\\ | + | * The formal disciplinary process shall ensure correct and fair treatment for employees who are suspected of committing breaches of privacy and security, and shall not be commenced without prior verification that a privacy breach has occurred |
| - | * The formal disciplinary process should ensure correct and fair treatment for employees who are suspected of committing breaches of security.\\ | + | |
| * The formal disciplinary process should provide for a graduated response that takes into consideration factors such as the nature and gravity of breach and its impact on business, whether or not it is a first or repeat offence, whether or not the violator was properly trained, relevant legislation, business contracts and other factors as required. | * The formal disciplinary process should provide for a graduated response that takes into consideration factors such as the nature and gravity of breach and its impact on business, whether or not it is a first or repeat offence, whether or not the violator was properly trained, relevant legislation, business contracts and other factors as required. | ||
| * In serious cases of misconduct the process should allow for instant removal of duties, access rights and privileges, and for immediate escorting out of the site, if necessary.\\ | * In serious cases of misconduct the process should allow for instant removal of duties, access rights and privileges, and for immediate escorting out of the site, if necessary.\\ | ||
| - | * The disciplinary process should also be used as a deterrent to prevent employees, contractors and third party users in violating organizational security policies and procedures, and any other security breaches.\\ | + | * The disciplinary process shall be used as a deterrent to prevent employees, contractors and third party users in violating organizational security policies and procedures, and any other security breaches.\\ |
| ##Termination or Change of Employment | ##Termination or Change of Employment | ||
| - | * Responsibilities for performing employment termination or change of employment should be clearly defined and assigned.\\ | + | * Responsibilities for performing employment termination or change of employment should be clearly defined and assigned. Responsibilities and duties still valid after termination of employment shall be contained in employee's, contractor's or third party user's contracts.\\ |
| * The communication of termination responsibilities should include ongoing security requirements and legal responsibilities and, where appropriate, responsibilities contained within any confidentiality agreement, and the terms and conditions of employment continuing for a defined period after the end of the employee's contractor's, or third party user's employment.\\ | * The communication of termination responsibilities should include ongoing security requirements and legal responsibilities and, where appropriate, responsibilities contained within any confidentiality agreement, and the terms and conditions of employment continuing for a defined period after the end of the employee's contractor's, or third party user's employment.\\ | ||
| - | * Responsibilities and duties still valid after termination of employment should be contained in employee's, contractor's or third party user's contracts.\\ | + | * The Human Resources function is generally responsible for the overall termination process and works together with the supervising manager of the person leaving to manage the security aspects of the relevant procedures. In the case of a contractor, this termination responsibility process may be undertaken by an agency responsible for the contractor, and in case of another user this might be handled by their organization.\\ |
| - | * The Human Resources function is generally responsible for the overall termination process and works together with the supervising manager of the person leaving to manage the security aspects of the relevant procedures. In the case of a contractor, this termination responsibility process may be undertaken by an an agency responsible for the contractor, and in case of another user this might be handled by their organization.\\ | + | |
| //Return of Assets//\\ | //Return of Assets//\\ | ||
| - | * All employees, contractors and third party users should return all of the health care facility's assets in their possession upon termination of their employment, contract, or agreement.\\ | + | * All employees, contractors and third party users shall return all of the health care facility's assets in their possession upon termination of their employment, contract, or agreement.\\ |
| - | * The termination process should be formalized to include the return of all previously issued software, corporate documents, and equipment. Other organizational assets such as mobile computing devices, credit cards, access cards, software, manuals, and information stored on electronic media also need to be returned.\\ | + | * The termination process shall be formalized to include the return of all previously issued software, corporate documents, and equipment. Other organizational assets such as mobile computing devices, credit cards, access cards, software, manuals, and information stored on electronic media also need to be returned.\\ |
| - | * In cases where an employee, contractor or third party user has knowledge that is important to ongoing operation, that information should be documented and transferred to the organization.\\ | + | * In cases where an employee, contractor or third party user has knowledge that is important to ongoing operation, that information shall be documented and transferred to the organization.\\ |
| //Access Rights//\\ | //Access Rights//\\ | ||
| * The access right of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.\\ | * The access right of all employees, contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.\\ | ||
| - | * If a departing employee, contractor or third party user has known password for accounts remaining active, these should be changed upon termination or change of employment, contract or agreement.\\ | + | * If a departing employee, contractor or third party user has known password for accounts remaining active, these shall be changed upon termination or change of employment, contract or agreement.\\ |
| - | * Access rights for information assets and information processing facilities should be reduced or removed before the employment terminates or changes, depending on the evaluation risk factors such as:\\ | + | * Access rights for information assets and information processing facilities shall be reduced or removed before the employment terminates or changes, depending on the evaluation risk factors such as:\\ |
| (a) whether the termination or change is initiated by the employee, contractor or third party user, or by management and the reason of termination;\\ | (a) whether the termination or change is initiated by the employee, contractor or third party user, or by management and the reason of termination;\\ | ||
| (b) the current responsibilities of the employee, contractor or any other user;\\ | (b) the current responsibilities of the employee, contractor or any other user;\\ | ||
| Line 75: | Line 74: | ||
| ##See Also | ##See Also | ||
| + | * [[Administrative Security]] | ||
| * [[consolidated_workshop_outputs|Privacy Set of Rules (SOR)]] | * [[consolidated_workshop_outputs|Privacy Set of Rules (SOR)]] | ||