A7 Human Resource Security


Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:02
Lesson 11.3
00:04
A.7 Human resource security
00:10
In this video, we will understand control set A.7,
00:14
the different controls it contains
00:17
and what documentation is required, which can be used to support your ISMS.
00:28
A.7 Human resource security
00:31
consists of three control sets.
00:34
The first one,
00:36
A.7.1
00:38
prior to employment, consists of two controls.
00:42
These controls are
00:44
A.7.1.1 Screening.
00:49
Screening pertains to
00:51
performing background checks on employees prior to their employment.
00:57
This is normally performed by HR
01:00
as well as your security department.
01:04
The checks may be done routinely prior to employment
01:08
as well as during employment.
01:11
Some of the most common background checks include a criminal history check,
01:15
a credit check
01:18
and a verification of qualifications check.
01:23
The second Control prior to employment
01:26
is A.7.1.2.
01:30
This pertains to terms and conditions of employment.
01:36
This is ensuring
01:38
that the information security roles and responsibilities
01:42
of personnel
01:44
are included in their employment contract
01:48
and that they are made aware of this during the employment stage.
01:53
The next control set
01:56
is A.7.2, During employment.
02:00
This consists of three controls.
02:05
The first control
02:07
is A.7.2.1 Management responsibilities.
02:14
This basically means it is management's responsibility
02:16
to ensure that staff are following their information security responsibilities as they have been defined.
02:28
Management can also issue a formal management statement to employees,
02:31
which mandates their compliance with the information security policies and procedures.
02:38
This can go out in the form of an email or memo,
02:42
or be restated at the front of the security policy
02:46
on the company intranet site
02:49
where the policies and procedures are made available.
02:53
The second control
02:57
for the during employment control set
03:00
is A.7.2.2
03:05
information security awareness and training.
03:09
This control pertains to your organization having a robust information security awareness and training program.
03:17
Evidence of this can include posters around the workplace,
03:23
examples of emails that are sent out containing information security awareness content,
03:31
evidence of information security awareness and training sessions such as attendance registers
03:38
and training content.
03:40
Whether this was done online or in person does not matter.
03:47
Another important component of security awareness training
03:53
is the results of assessments performed,
03:55
as this measures the level of success of the awareness program.
04:00
Measures of success can include assessments performed after awareness or training sessions
04:09
as well as phishing campaigns.
04:12
The third control
04:14
in the during employment control set
04:16
is A.7.2.3
04:20
Disciplinary process.
04:24
It is important that your disciplinary process contains specific clauses
04:30
which allow for personnel to go through the disciplinary process
04:35
due to a transgression of an information security nature.
04:41
For example,
04:42
if a specific statement in your information security policy is not adhered to,
04:47
this needs to be explicitly defined in the disciplinary process,
04:54
as well as all the associated information
04:57
around the levels of transgression
05:00
and the different types of disciplinary actions that can be taken for transgressions.
05:09
The last control set
05:10
is A.7.3
05:14
termination and change of employment.
05:18
There is only one control in this section,
05:23
and it is called the same as the control set, termination or change of employment responsibilities.
05:30
This is the control that ensures that when an employee is terminated,
05:35
all their access rights on any systems that they had access to
05:41
are appropriately terminated,
05:43
and that all company-issued equipment
05:45
such as laptops or flash drives
05:48
and so forth
05:49
are returned on time to the appropriate personnel in the organization.
05:59
When an employee changes roles within your organization,
06:02
it is important to ensure that the employee does not have
06:06
privilege creep on your systems.
06:11
This is when
06:12
an employee moves from, say, IT to finance
06:16
or vice versa, whatever the case is,
06:19
and they retain their privileges on the systems that they had from their previous role,
06:25
as well as gain new privileges
06:28
in the new role.
06:31
When employees change roles,
06:33
any privileges they had associated with their previous role
06:38
should be revoked,
06:39
and only the privileges necessary for their current role
06:43
should be enforced.
06:51
In this video, we covered the three control areas that make up control set A.7,
06:58
which pertains to human resource security
07:00
and that there are certain controls that you need to have in place
07:04
prior to employment
07:06
during employment
07:09
as well as upon termination of employment,
07:12
to ensure that information security is maintained throughout your employees' employment life cycle.
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.
