In our ongoing blog series on security program pitfalls, we’ve been focusing most recently on a personnel security program.
Today’s post focuses on pitfall #17 in my eBook, Security Program Pitfalls and Prescription to Avoid Them, which is all about terms and conditions of employment.
As a general rule, if organizations do not maintain proper documentation regarding the execution of a security task or control, it was never completed. Terms and conditions of employment are no different. They need to be documented and communicated to personnel to ensure organizations are protected. This supports the ability to hold personnel accountable if any issues arise during employment. If terms and conditions have not been defined and communicated, organizations may have a difficult time taking corrective action if issues arise.
As part of their contractual obligations to your organization, personnel should agree to and sign terms and conditions of their employment. This should include provisions to account for all appropriate security program responsibilities, which account for all compliance and privacy obligations.
Terms and conditions should state that all personnel provided access to protected or sensitive information are required to sign a confidentiality or non-disclosure agreement prior to being provided access to that type of information. Additionally, any security, privacy, or confidentiality requirements that survive the term of employment should be documented and acknowledged.
A documented acknowledgement from all personnel should be obtained indicating that they have read, understand, and agree to abide by the terms and conditions of employment. This may be accomplished by either a physical paper form that is signed by each individual or an electronic acknowledgement that personnel are required to complete. Either way, it is highly encouraged that this occurs prior to authorizing access to information systems.
Further, implementing an annual requirement for acknowledging terms and conditions of employment is recommended. An annual acknowledgement provides the ability to ensure all personnel acknowledge refreshed or new terms and conditions of employment that have been adopted by your organization.
To learn more about this pitfall, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.