A7 Human Resource Security

00:02

Listen, 11.3

00:04

a seven. Human resource security

00:10

In this video, we will understand control suit a seven,

00:14

the different controls it contains

00:17

and what documentation is required, which can be used to support your SMS.

00:28

A. Seven Human resource security

00:31

consists of three control sets.

00:34

The first one,

00:36

a 7.1

00:38

prior to employment, consists of two controls.

00:42

Thes controls are

00:44

a 7.1 point one screening.

00:49

Screening pertains to

00:51

performing background checks on employees prior to their employment.

00:57

This is normally performed by HR

01:00

as well as your security department.

01:04

The chicks may be done routinely prior to employment

01:08

as well as during employment.

01:11

Some of the most common background checks include a criminal history check,

01:15

a credit check

01:18

and a verification off qualifications. Chick.

01:23

The second Control prior to employment

01:26

is a 7.1 point two.

01:30

This pertains to terms and conditions of employment.

01:36

This is ensuring

01:38

that the information, security roles and responsibilities

01:42

off personal

01:44

are included in their employment contract

01:48

and that they are made aware of this during the employment stage.

01:53

The next controls it

01:56

is a 7.2 during employment.

02:00

This consists of three controls.

02:05

The first control

02:07

is a 7.2 point one management responsibilities.

02:14

This basically means it is management's responsibility

02:16

to ensure that staff are following their information security responsibilities as they have been defined.

02:28

Management can also issue a formal management statement to employees,

02:31

which mandates their compliance with the information security policies and procedures.

02:38

This can go out in the form of an email or memo

02:42

be restated in front of the security policy

02:46

on the company Internet site

02:49

where the policies and procedures are made available.

02:53

The second control

02:57

for the during employment control set

03:00

is a 7.2 point two

03:05

information security awareness and training.

03:09

This control pertains to your organization having a robust information security awareness and training program.

03:17

Evidence of this can include posters around the workplace,

03:23

examples of emails that are sent out containing information security awareness content,

03:31

evidence of information security awareness and training sessions such as attendance registers

03:38

and training content.

03:40

Whether this was done online or in person, it does not matter

03:47

another important component off security awareness training.

03:53

His results of assessments performed

03:55

as this measures the level off success of the awareness program.

04:00

Measures of success can include assessments performed after awareness or training sessions

04:09

as well as phishing campaigns.

04:12

The third control

04:14

in the during employment controls it

04:16

is a 7.2 point three

04:20

the disciplinary process.

04:24

It is important that your disciplinary process contains specific clauses

04:30

which allow for personal to go through the disciplinary process

04:35

due to a transgression. Often information security, nature.

04:41

For example.

04:42

If a specific statement in your information security policy is not adhered, thio

04:47

this needs to be explicitly defined in the disciplinary process,

04:54

as well as all the associative information

04:57

around the levels, off transgression

05:00

and the different types of disciplinary actions that can be taken for transgressions.

05:09

The last control set

05:10

is a 7.3

05:14

termination and change of employment.

05:18

There is only one control in this section,

05:23

and it is called the same as the control set, termination or change of employment responsibilities.

05:30

This control is the control that ensures that when an employee is terminated,

05:35

all their access rights on any systems that they had access to

05:41

are appropriately terminated,

05:43

and then all company issued equipment

05:45

such as laptops or flash drives

05:48

and so forth

05:49

are returned on time to the appropriate personal in the organization.

05:59

When an employee changes roles within your organization,

06:02

it is important to ensure that the employees does not have

06:06

privilege creep on your systems.

06:11

This is when

06:12

an employee moves from, say, I t to finance

06:16

or vice versa, whatever the case is,

06:19

and they retain their privileges on the systems that they had from their previous role,

06:25

as well as gain new privileges

06:28

in the new role

06:31

when employees change roles,

06:33

any privileges they had associated with their previous role

06:38

should be revoked,

06:39

and only the privileges necessary for their current role

06:43

should be enforced.

06:51

In this video, we covered the three control areas that make up control, said a seven

06:58

which pertains to human resource security

07:00

and that there are certain controls that you need to have in place

07:04

prior to employment

07:06

during employment

07:09

as well as upon termination of employment.