6.2 Terms and conditions of employment
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Human_resource_security | #Governance_and_Ecosystem |
Control The employment contractual agreements should state the personnel’s and the organization’s responsibilities for information security.
Purpose To ensure personnel understand their information security responsibilities for the roles for which they are considered.
Guidance The contractual obligations for personnel should take into consideration the organization’s information security policy and relevant topic-specific policies. In addition, the following points can be clarified and stated:
a) confidentiality or non-disclosure agreements that personnel who are given access to confidential information should sign prior to being given access to information and other associated assets (see 6.6);
b) legal responsibilities and rights [e.g. regarding copyright laws or data protection legislation (see 5.32, 5.34)];
c) responsibilities for the classification of information and management of the organization’s information and other associated assets, information processing facilities and information services handled by the personnel (see 5.9 to 5.13);
d) responsibilities for the handling of information received from interested parties;
e) actions to be taken if personnel disregard the organization’s security requirements (see 6.4).
Information security roles and responsibilities should be communicated to candidates during the pre-employment process.
The organization should ensure that personnel agree to terms and conditions concerning information security. These terms and conditions should be appropriate to the nature and extent of access they will have to the organization’s assets associated with information systems and services. The terms and conditions concerning information security should be reviewed when laws, regulations, the information security policy or topic-specific policies change.
Where appropriate, responsibilities contained within the terms and conditions of employment should continue for a defined period after the end of the employment (see 6.5).
Other information
A code of conduct can be used to state personnel’s information security responsibilities regarding confidentiality, PII protection, ethics, appropriate use of the organization’s information and other associated assets, as well as reputable practices expected by the organization.
An external party, with which supplier personnel are associated, can be required to enter into contractual agreements on behalf of the contracted individual.
If the organization is not a legal entity and does not have employees, the equivalent of contractual agreement and terms and conditions can be considered in line with the guidance of this control.