Human Resources Security for CISSP

Human Resources Security is a critical component of the Certified Information Systems Security Professional (CISSP) framework. It focuses on ensuring that employees, contractors, and other personnel contribute to an organization’s security posture while minimizing risks associated with insider threats, negligence, or malicious actions. Below are key aspects of Human Resources Security relevant to CISSP:

Key Components of Human Resources Security

1. Screening and Background Checks:

   – Conduct thorough background checks and competence verification for all candidates prior to employment. These checks should align with business requirements, the classification of information accessed, and associated risks.

   – Screening should also extend to contractors, unless their parent organizations already operate under broader security controls such as ISO 27001 compliance.

2. Employment Agreements:

   – Employment contracts must include cybersecurity-related clauses outlining responsibilities for information security. These agreements should legally bind employees to adhere to company policies during and after employment.

   – Clauses may include acceptable use policies, confidentiality agreements (NDAs), and post-employment requirements for protecting sensitive information.

3. Personnel Security Controls:

   – Implement controls such as job rotation, mandatory vacation, separation of duties, least privilege, and need-to-know access principles.

   – These measures help mitigate risks like fraud and unauthorized access.

4. Onboarding and Offboarding Processes:

   – During onboarding, ensure employees review and agree to security policies before gaining access to systems.

   – Upon termination, revoke all access credentials immediately and communicate the termination to relevant parties within the organization.

5. Continuous Training:

   – Provide regular cybersecurity training throughout the employee lifecycle—from onboarding to exit—to keep personnel updated on best practices and emerging threats.

6. Disciplinary Actions:

   – Establish a clear sanction process for policy violations, ranging from warnings to termination or legal action for severe breaches. This serves as both a deterrent and a corrective measure.
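As an added example (not from the original page) in Python, the two checks below turn items 3 and 4 into something an identity or security team can actually run: a reconciliation that flags terminated employees whose accounts are still enabled, and a separation-of-duties check for role combinations one person must never hold. The HR records, the account export, the conflict table and the reporting date are constructed sample data, not from any real system.

```python
"""Added example: offboarding reconciliation and separation-of-duties check.
All data below is constructed for illustration (hypothetical ids and roles)."""
from datetime import date

# Constructed HR feed: employment status and, if terminated, the date.
HR_RECORDS = {
    "e101": {"status": "active", "terminated": None},
    "e102": {"status": "terminated", "terminated": date(2024, 5, 3)},
    "e103": {"status": "terminated", "terminated": date(2024, 5, 10)},
}

# Constructed identity-store export: account state and assigned roles.
ACCOUNTS = [
    {"user": "e101", "enabled": True, "roles": {"vendor_create", "payment_approve"}},
    {"user": "e102", "enabled": True, "roles": {"hr_viewer"}},   # left enabled after exit
    {"user": "e103", "enabled": False, "roles": set()},           # correctly offboarded
]

# Separation of duties: role pairs that must never sit with one person.
SOD_CONFLICTS = {frozenset({"vendor_create", "payment_approve"})}

# Constructed reporting date used by the run below.
TODAY = date(2024, 5, 20)


def offboarding_gaps(hr, accounts, today, grace_days=0):
    """Users whose HR status is terminated but whose account is still enabled
    more than grace_days after termination (item 4 says revoke immediately,
    so the default grace period is zero). A missing date counts as overdue."""
    gaps = []
    for acct in accounts:
        rec = hr.get(acct["user"])
        if rec is None or rec["status"] != "terminated" or not acct["enabled"]:
            continue
        term = rec["terminated"]
        overdue = term is None or (today - term).days > grace_days
        if overdue:
            gaps.append(acct["user"])
    return sorted(gaps)


def sod_violations(accounts, conflicts):
    """(user, conflicting role pair) for every toxic combination held by one
    account (item 3: separation of duties)."""
    found = []
    for acct in accounts:
        for pair in conflicts:
            if pair <= acct["roles"]:
                found.append((acct["user"], tuple(sorted(pair))))
    return sorted(found)


if __name__ == "__main__":
    print("Terminated but still enabled:", offboarding_gaps(HR_RECORDS, ACCOUNTS, TODAY))
    print("Separation-of-duties conflicts:", sod_violations(ACCOUNTS, SOD_CONFLICTS))
```

In practice the two inputs come from the HR system and the identity provider on a schedule, and any non-empty result is the ticket that drives revocation or a role change.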
