An organization's security posture is only as good as the personnel who work for it. As such, the organization must define policies that ensure the safety and security of its personnel. The policy should cover physical security as well as processes that ensure personal data is protected. The company should collect personal information only when required, and should disclose how that information is going to be used. Personnel security should be a top-down approach, with all levels of management in agreement on how best to administer and enforce the policy.
Personnel Security Policy
A personnel security policy begins before employment with an organization. The policy should include mechanisms that outline the
Most states have an at-will employment guideline; however, if an organization fails to terminate an employee properly, it is open to litigation for failing to comply with labor laws. The termination process should include exit interviews as well as the return of company-owned equipment, such as laptops or mobile phones (Miller & Gregory, n.d.).
Personnel security should also extend to third parties, as well as to the physical security of employees. Most organizations require some form of identification that states the individual is an employee or contractor of the organization. This badge should be required before entry into employee-only locations. Vendors and contractors should be included in the personnel security policy, which should cover access control procedures and the type of information that can be exchanged with the third party. Non-disclosure agreements should be in place whenever proprietary or confidential information needs to be exchanged.
Roles and
One way to ensure a policy is working as expected is to conduct periodic assessments of the policy and its associated procedures. Internal Audit plays an important role here by providing an independent assessment of how effective the policy is. The review can test the controls the policy puts in place and make recommendations where there are areas of weakness.
The policy should also include penalties where the gap in controls is the individual employee. Most organizations include provisions that state the possibility of termination when company policies are not followed. While termination may sound drastic, it is a good motivator to ensure that only those individuals who want to work for the company are employed.
There could also be penalties assessed against the company for failure to comply with government regulations, such as HIPAA. If patient information is breached because of a failure by the company, fines could be levied until the situation is addressed. Personnel security should include customer security as well, and how customer information is handled. Threats evolve, and the decision makers behind the policy have to evolve with them. The policy should not be considered a static document; it should be a living document that changes as the threat landscape changes (Rohmeyer, Healey, & Bayuk, 2012).