This security-related human resource policy example outlines how employee information technology should be addressed. The goal is to ensure that all personnel are aware of the best practices used to protect information and understand how to use their networking equipment properly, according to organization rules, standards, and guidelines.
While this document covers many rules, standards, and guidelines, it is not exhaustive. Human resource administrators, employees, contractors, and third parties should therefore exercise due care with regard to how employee information technology is handled.
New employees should receive information security training and occasional awareness updates to promote employee vigilance within the company. These activities ensure that employees understand and take responsibility for company information and resources.
The following minimum procedures should be clearly spelled out and enforced.
The employee is not allowed to download and/or install unauthorized software onto organization computers nor should they connect to the network with unauthorized equipment.
The employee is not allowed to hinder the proper operation of protection tools including antivirus programs, screensavers, etc.
The employee is not allowed to access prohibited sites via the Internet.
Employees must inform their immediate superior and the IT department of any security incident or malfunction they encounter.
Employees should be instructed in the creation of strong passwords and in proper password storage. In addition, passwords should expire after a set length of time, determined by the sensitivity of the access they grant.
When an employee moves or changes roles within the organization their access privileges must be updated accordingly.
When terminating an employee, the employee's access to technology resources should be immediately suspended.
Once the employee has been informed of the termination, the employee should not be allowed to return to their office but should be immediately escorted out of the building.
The IT department should have a list of all user accounts and suspend the appropriate accounts immediately.
Log files should be routinely scanned to verify that all terminated employees' accounts have actually been suspended and show no further activity.
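One way to implement the account-suspension check described above, as an added example that is not part of the original policy: a Python script reconciles an HR termination list against a directory export and authentication log lines, flagging any account still enabled and any login activity recorded after the termination time. The data formats, field names, usernames and log lines are constructed assumptions, not taken from any real system.

```python
import re
from datetime import datetime

# Constructed sample data for illustration only.
# HR list of terminated employees: username -> termination timestamp.
TERMINATED = {
    "jdoe": datetime(2024, 3, 1, 17, 0),
    "asmith": datetime(2024, 3, 4, 9, 0),
}

# Directory export (constructed): username -> account enabled flag.
ACCOUNTS = {"jdoe": False, "asmith": True, "bwong": True}

# Constructed authentication log lines in an assumed fixed format.
AUTH_LOG = """\
2024-03-01 16:45:02 LOGIN_OK user=jdoe src=10.0.0.12
2024-03-02 08:10:33 LOGIN_OK user=bwong src=10.0.0.15
2024-03-05 22:14:07 LOGIN_OK user=asmith src=10.0.0.40
2024-03-06 07:00:12 LOGIN_FAIL user=jdoe src=10.0.0.99
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>\w+) user=(?P<user>\S+)"
)


def parse_log(text):
    """Yield (timestamp, event, user) tuples from the assumed log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["event"], m["user"]


def termination_findings(terminated, accounts, log_text):
    """Return sorted (user, issue) pairs for terminated users whose access
    was not fully revoked: account still enabled, a successful login after
    termination, or a failed attempt to use the credential afterwards."""
    findings = []
    events = list(parse_log(log_text))
    for user, term_time in terminated.items():
        if accounts.get(user, False):
            findings.append((user, "account still enabled"))
        for ts, event, log_user in events:
            if log_user != user or ts <= term_time:
                continue
            if event == "LOGIN_OK":
                findings.append((user, f"successful login after termination at {ts:%Y-%m-%d %H:%M}"))
            elif event == "LOGIN_FAIL":
                findings.append((user, f"failed login attempt after termination at {ts:%Y-%m-%d %H:%M}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, issue in termination_findings(TERMINATED, ACCOUNTS, AUTH_LOG):
        print(f"{user}: {issue}")
```

A failed attempt after termination is worth reporting alongside an enabled account: it shows the credential is still being tried even when suspension worked.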
The supervisor should be responsible for reviewing all employee electronic information and either disposing of it or forwarding it to their replacements.
The supervisor should be responsible for the return of all of the terminated employee's access cards, ID badges, and manuals.
The supervisor should be responsible for the return of all company-owned electronic equipment issued to the terminated employee, including laptops, wireless cards, cell phones, and PDAs.
A formal disciplinary process concerning any and all users who breach security rules must be developed and published within the organization.
To ensure that the organization is not ethically or legally liable for misconduct, any employee accused of malicious activity should be treated equally and not given preferential treatment. Also, any investigation into suspicious employee conduct should examine all material facts.
The author is a computer security professional with experience protecting small business and home networks. He also teaches the basics of computer network security at 365 Computer Security Training where he blogs regularly and creates video training and educational materials related to information security. Learn more at http://www.365ComputerSecurityTraining.com.