Differences

This shows you the differences between two versions of the page.

human_resources [2016/05/27 15:00]
jillian_nadette_de_leon [Termination or Change of Employment]
human_resources [2016/07/05 19:58]
jillian_nadette_de_leon
Line 1: Line 1:
-##Prior to Employment +#Human Resources
-  * All candidates for employment, contractors and third party users shall be adequately screened,​especially for sensitive jobs.\\ +
-  * Security roles and responsibilities of employees, contractors and third party users shall be defined and documented in accordance with the facility'​s information security policy. This document shall be signed as an agreement by employees, contractors,​ and third party users of information processing facilities.\\ +
-  * Security roles and responsibilities shall include the requirement to:\\ +
-(a) implement and act in accordance with the health care facility'​s information security policies;​\\ +
-(b) protect assets from unauthorized access, disclosure, modification,​ destruction or interference;​\\ +
-(c) execute particular security processes of activities;​\\ +
-(d) ensure responsibility is assigned to the individual for actions taken; +
-(e) report security events or potential events or other security risks to the organization.  +
-  * Security roles and responsibilities shall be defined and clearly communicated to job candidates during the pre-employment process. \\ +
-  * Job descriptions can be used to document security roles and responsibilities. Security roles and responsibilities for individuals not engaged via the organization'​s employment process, e.g. engaged via a third party organization,​ should also be clearly defined and communicated.\\ +
-  * Background verification checks on all candidates for employment, contractors,​ and third party users shall be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements,​ the classification of the information to be accessed, and the perceived risks.\\ +
-  * Procedures should define criteria and limitations for verification checks (who is eligible to screen people, and how, when and why verification checks are carried out).\\ +
-  * A screening process shall be carried out for contractors,​ and third party users. Where contractors are provided through an agency, the contract with the agency should clearly specify the agency'​s responsibilities for screening and the notification procedures they need to follow if screening has not been completed or if the results give cause for doubt or concern. In the same way, the agreement with the third party should clearly specify all responsibilities and notification procedures for screening.\\ +
-  * Employees, contractors and third party users shall agree and sign the terms and conditions of their employment contract, which would state their and the health care facility'​s responsibilities for information security. Terms and conditions of employment should reflect the health care facility'​s security policy in addition to clarifying:​\\ +
-(a) that all employees, contractors and third party users who are given access to sensitive information should sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities;​\\ +
-(b) the employee'​s contractor'​s and any other user's legal responsibilities and rights; (e.g. copyright laws or data protection legislation);​\\ +
-(c) responsibilities for the classification of information and management of organizational assets associated with information systems and services handled by the employee, contractor or third party user;\\ +
-(d) responsibilities of the employee, contractor or third party user for the handling of information received from other companies or external parties;​\\ +
-(e) responsibilities of the organization for the handling of personal information,​ including personal information created as a result of, or in the course of, employment with the organization;​\\ +
-(f) responsibilities that are extended outside the organization'​s premises and outside normal working hours;\\ +
-(g) actions to be taken if the employee, contractor or third-party user disregards the organization'​s security requirements.\\+
  
-##During Employment +**1. On-boarding of employees of the health care facilities.** All candidates for employment, contractors and third party shall be adequately screened, especially for sensitive ​jobs.\\
-//​Management Responsibilities//​\\ +
-  ​Management responsibilities should be defined to ensure that security is applied throughout an individual'​s employment within ​the organization.\\ +
-  ​Management responsibilities shall ensure that employees, contractors and third party users: \\ +
-(a) are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive ​information or information systems;​\\ +
-(b) are provided with guidelines to state security expectations of their role within the health care facility;​\\ +
-(c) are motivated to fulfill the security policies of the health care facility;​\\ +
-(d) achieve a level of awareness on security relevant to their roles and responsibilities within the health care facility;​\\ +
-(e) conform to the terms and conditions of employment, which includes the health care facility'​s information security policy and appropriate methods of working;​\\ +
-(f) continue to have the appropriate skills and qualifications.\\+
  
-//​Awareness ​and Training//​\\ +Security roles and responsibilities ​of employeescontractors ​, and the third party shall be defined ​and documented ​in accordance ​with the facility'​s information security ​policyThis document ​shall be signed as an agreement by employees, ​contractors, and the third party of information processing facilities.\\
-  * An adequate level of awarenesseducationand training in security procedures ​and the correct use of information processing facilities should be provided to all employees, contractors and third party users. A formal disciplinary process for handling security breaches ​shall be established. \\ +
-  * All employees of the health care facility and, where relevant, contractors and third party users should receive appropriate awareness training ​and regular updates ​in organization policies and procedures, as relevant for their job function.\\ +
-  * Awareness training should commence ​with a formal induction process designed to introduce ​the health care facility'​s ​security policies and expectations before access to information or services is granted.\\ +
-  * Ongoing training should include security requirements,​ legal responsibilities and business controls, as well as training in the correct use of information processing facilities (e.g. log-on procedure, use of software packages and information on the disciplinary process).\\ +
-  * The security awareness, education, and training activities should be suitable and relevant to the person'​s role, responsibilities and skills, and should include information on known threats, who to contact for further security advice and the proper channels for reporting ​information security ​incidents.\\ +
-//​Disciplinary Process//​\\ +
-  * There shall be a formal disciplinary process for employees ​who have committed a security breach.\\ +
-  * The formal disciplinary process shall ensure correct and fair treatment for employees who are suspected of committing breaches of privacy and securityand shall not be commenced without prior verification that a privacy breach has occurred +
-  * The formal disciplinary process should provide for a graduated response that takes into consideration factors such as the nature and gravity of breach and its impact on businesswhether or not it is a first or repeat offence, whether or not the violator was properly trained, relevant legislation,​ business contracts ​and other factors as required.  +
-  * In serious cases of misconduct ​the process should allow for instant removal of duties, access rights and privileges, and for immediate escorting out of the site, if necessary.\\ +
-  * The disciplinary process shall be used as a deterrent to prevent employees, contractors and third party users in violating organizational security policies and procedures, and any other security breaches.\\+
  
-##​Termination ​or Change ​of Employment+Security roles and responsibilities shall include the requirement to:\\ 
 +a.) Implement and act in accordance with the health care facility'​s information security policies;​\\ 
 +b.) Protect assets from unauthorized access, disclosure, modification,​ destruction ​or interference;​\\ 
 +c.) Execute particular security processes ​of activities;​\\ 
 +d.) Ensure responsibility is assigned to the individual for actions taken;\\ 
 +e.) Report security events or potential events or other security risks to the organization.\\
  
-  * Responsibilities for performing employment termination or change of employment should be clearly defined ​and assigned. Responsibilities and duties still valid after termination of employment ​shall be contained in employee'​s,​ contractor'​s or third party user's contracts.\\ +Security roles and responsibilities ​shall be clearly ​defined and communicated.\\
-  * The communication of termination responsibilities should include ongoing security requirements and legal responsibilities and, where appropriate,​ responsibilities contained within any confidentiality agreement, and the terms and conditions of employment continuing for a defined ​period after the end of the employee'​s contractor'​s,​ or third party user's employment.\\ +
-   * The Human Resources function is generally responsible for the overall termination process ​and works together with the supervising manager of the person leaving to manage the security aspects of the relevant procedures. In the case of a contractor, this termination responsibility process may be undertaken by  an agency responsible for the contractor, and in case of another user this might be handled by their organization.\\+
  
-//Return of Assets//​\\ +Background verification checks on all candidates for employment, contractorsand third party shall be carried out in accordance with relevant lawsregulations and ethicsand proportional ​to the business requirements,​ the classification ​of the information to be accessed, and the perceived risksProcedures shall define criteria ​and limitations for verification checks (who is eligible ​to screen people, and how, when and why verification checks are carried out).\\
-  * All employees, contractors and third party users shall return all of the health care facility'​s assets ​in their possession upon termination of their employmentcontractor agreement.\\ +
-  * The termination process shall be formalized ​to include ​the return ​of all previously issued software, corporate documents, and equipmentOther organizational assets such as mobile computing devices, credit cards, access cards, software, manuals, ​and information stored on electronic media also need to be returned.\\ +
-  * In cases where an employee, contractor or third party user has knowledge that is important ​to ongoing operationthat information shall be documented ​and transferred to the organization.\\+
  
-//Access Rights//\\  +A screening process shall be carried out for contractors and third party. ​Where contractors are provided through an agencythe contract ​with the agency should clearly specify ​the agency'​s responsibilities for the screening and the notification procedures they need to follow if screening has not been completed ​or if the results give cause for doubt or concern. In the same way, the agreement with the third party should ​clearly specify ​all responsibilities ​and notification procedures for screening.\\
-  * The access right of all employees, ​contractors and third party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.\\ +
-  * If a departing employee, contractor or third party user has known password for accounts remaining active, these shall be changed upon termination or change of employment, contract ​or agreement.\\ +
-  * Access rights for information assets and information processing facilities shall be reduced or removed before ​the employment terminates or changes, depending on the evaluation risk factors such as:\\ +
-(a) whether ​the termination or change is initiated by the employee, contractor ​or third party user, or by management and the reason of termination;​\\ +
-(b) the current responsibilities of the employee, contractor ​or any other user;\\ +
-(c) the value of the assets currently accessible.\\ +
-  * In certain circumstances access rights may be allocated on the bases of being available to more people than the departing employee, contractor or third party user (e.g. group IDs). In such circumstances,​ departing individuals ​should ​be removed from any group access lists and arrangements should be made to advise ​all other employees, contractors ​and third party users involved to no longer share this information with the person departing.\\+
  
 +Employees, contractors and third party shall agree and sign the terms and conditions of their employment contract, which would state their and the health care provider'​s responsibilities for information security. Terms and conditions of employment shall reflect the health care facility'​s security policy in addition to clarifying:​\\
 +a.) That all employees, contractors and third party users who are given access to sensitive information shall sign a confidentiality or non-disclosure agreement prior to being given access to information processing facilities;​\\
 +b.) The employee'​s,​ contractor'​s and any other user's legal responsibilities and rights (e.g. copyright laws or data protection legislation);​\\
 +c.) Responsibilities for the classification of information and management of organizational assets associated with information systems and services handled by the employee, contractor or third party user;\\
 +d.) Responsibilities of the employee, contractor or third party for the handling of information received from other companies or external parties;\\
 +e.) Responsibilities of the organization for the handling of personal information,​ including personal information created as a result of, or in the course of, employment with the organization;​\\
 +f.) Responsibilities that are extended outside the organization'​s premises and outside normal working hours;\\
 +g.) Actions to be taken if the employee, contractor or third-party user disregards the organization'​s security requirements.\\
  
 +**2. Employment Period.** During and after the employment, no information shall be disclosed without consent from the patient.\\
 +
 +**2.1. Management Responsibilities.** Management responsibilities should be defined to ensure that security is applied throughout an individual'​s employment within the organization.\\
 +
 +Management responsibilities shall ensure that employees, contractors and the third party are: \\
 +a.) Properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information or information systems;\\
 +b.) Provided with guidelines to state security expectations of their role within the health care facility.\\
 +c.) Motivated to fulfill the security policies of the health care facility;\\
 +d.) Able to achieve a level of awareness of security relevant to their roles and responsibilities within the health care facility;\\
 +e.) Able to conform to the terms and conditions of employment, which includes the health care facility'​s information security policy and appropriate methods of working;\\
 +f.) Able to continue and have the appropriate skills and qualifications.\\
 +
 +**2.2. Awareness and Training.** An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party. A formal disciplinary process for handling security breaches shall be established.\\
 +
 +Awareness training shall commence with a formal induction process designed to introduce the health care facility'​s security policies and expectations before access to information or services is granted.\\
 +
 +The security awareness, education, and training activities should be suitable and relevant to the person'​s role, responsibilities and skills, and should include information on known threats, who to contact for further security advice and the proper channels for reporting information security incidents.\\
 +
 +**2.3. Disciplinary Process.** There shall be a formal disciplinary process for employees who have committed a security breach.\\
 +
 +The health facility shall ensure correct and fair treatment for employees who are suspected to have violated the privacy and security policies, and shall not be terminated without prior verification that a privacy breach has occurred. \\
 +
 +For government facilities, termination process shall be in compliance with the Civil Service Rule.\\
 +
 +A graduated response that takes into consideration factors such as the nature and gravity of breach and its impact on business, whether or not it is a first or repeat offence, whether or not the violator was properly trained, relevant legislation,​ business contracts and other factors as required shall be provided.\\
 +
 +**Section 3. Termination or Off-boarding of Employees.** Responsibilities for performing employment termination or change of employment shall be clearly defined and assigned. Responsibilities and duties still valid after termination of employment shall be contained in employee'​s,​ contractor'​s,​ or third party'​s contracts.\\
 +
 +The communication of termination shall include ongoing security requirements and legal responsibilities contained within any confidentiality agreement, and the terms and conditions of employment continuing for a defined period after the end of the employee'​s,​ contractor'​s,​ or third party'​s engagement.\\
 +
 +The Human Resources function is generally responsible for the overall termination process and works together with the supervising manager of the person leaving, the IT manager to manage the security aspects of the relevant procedures in relation to health information access. In the case of a contractor, this termination responsibility process may be undertaken by an agency responsible for the contractor, and in case of another user this might be handled by their organization.\\
 +
 +**3.1. Return of Assets.** All employees, contractors and third parties shall return all of the health care facility'​s assets in their possession upon termination of their employment, contract, or agreement.\\
 +
 +The termination process shall be formalized to include the return of all previously issued software, corporate documents, and equipment. Other organizational assets such as mobile computing devices, access cards, software, manuals, and information stored on electronic media also need to be returned.\\
 +
 +In case where an employee, contractor, or third party has knowledge that is important to ongoing operation, the information shall be documented and transferred to the organization.\\
 +
 +**3.2. Access Rights.** The access rights of all employees, contractors and third parties to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.\\
 +
 +If a departing employee, contractor, or third party user has known password for accounts remaining active, these shall be changed upon termination or change of employment, contract or agreement.\\
 +
 +Access rights for information assets and information processing facilities shall be limited or removed before the employment terminates or changes, depending on the evaluation risk factors such as: \\
 +a.) Whether the termination or change is initiated by the employee, contractor or third party, or by management, and the reason for termination;​\\
 +b.) The current responsibilities of the employee, contractor or any other user;\\
 +c.) The value of the assets currently accessible.\\
 +
 +In certain circumstances access rights may be allocated on the bases of being available to more people than the departing employee, contractor or third party user (e.g. group IDs). In such circumstances,​ departing individuals shall be removed from any group access lists and arrangement shall be made to advise other employees, contractors and third parties involved to no longer share this information with the person departing.\\
 +
 +
 +
 +****
 ##​References:​ ##​References:​
   * PHIC Human Resources Security document.   * PHIC Human Resources Security document.
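Review bot: Several controls in the old text are dropped without replacement in the rewrite, and the policy is weaker for it. The serious-misconduct clause ("In serious cases of misconduct the process should allow for instant removal of duties, access rights and privileges, and for immediate escorting out of the site") has no counterpart under 2.3, so the new text no longer authorises revoking access before the graduated process concludes; 2.2 loses both "regular updates in organization policies and procedures" and the ongoing-training content (log-on procedure, use of software packages, the disciplinary process), leaving only the induction; and 3.1 drops "credit cards" from the assets to be returned. The disciplinary sentence also changes meaning: "shall not be commenced without prior verification" became "shall not be terminated without prior verification", which now constrains termination of the employee rather than initiation of the process, so confirm that is intended. Style points: heading numbering is inconsistent ("**1. On-boarding**", "**2. Employment Period**", but "**Section 3. Termination**"); item f under 2.1 reads "Able to continue and have the appropriate skills" where the old text had "continue to have"; and the stray "****" line before References renders as empty bold markup and should be removed.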
Line 73: Line 85:
  
 ##See Also ##See Also
 +  * [[Administrative Security]]
   * [[consolidated_workshop_outputs|Privacy Set of Rules (SOR)]]   * [[consolidated_workshop_outputs|Privacy Set of Rules (SOR)]]