HRS: Human Resources

Controls

HRS-01: Background Screening Policy and Procedures

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for background verification of all new employees (including but not limited to remote employees, contractors, and third parties) according to local laws, regulations, ethics, and contractual constraints and proportional to the data classification to be accessed, the business requirements, and acceptable risk. Review and…

HRS-02: Acceptable Use of Technology Policy and Procedures

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets. Review and update the policies and procedures at least annually.

HRS-03: Clean Desk Policy and Procedures

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures that require unattended workspaces to not have openly visible confidential data. Review and update the policies and procedures at least annually.

HRS-04: Remote and Home Working Policy and Procedures

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually.

HRS-05: Asset returns

Establish and document procedures for the return of organization-owned assets by terminated employees.

HRS-06: Employment Termination

Establish, document, and communicate to all personnel the procedures outlining the roles and responsibilities concerning changes in employment.

HRS-08: Employment Agreement Content

The organization includes within the employment agreements provisions and/or terms for adherence to established information governance and security policies.

HRS-10: Non-Disclosure Agreements

Identify, document, and review, at planned intervals, requirements for non-disclosure/confidentiality agreements reflecting the organization's needs for the protection of data and operational details.

HRS-11: Security Awareness Training

Establish, document, approve, communicate, apply, evaluate and maintain a security awareness training program for all employees of the organization and provide regular training updates.

HRS-12: Personal and Sensitive Data Awareness and Training

Provide all employees who have access to sensitive organizational and personal data with appropriate security awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.

HRS-13: Compliance User Responsibility

Make employees aware of their roles and responsibilities for maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.