Mar 28, 2024  
DMACC Policies and Procedures

IS7005 - Human Resources Security


Procedure

Section: INFORMATION SOLUTIONS PROCEDURES

SubSection: Information Security

Master List Section: Information Solutions

Purpose

All users with access to information systems of DMACC shall be aware of their responsibilities in protecting information systems of DMACC. Failure to adhere to information security responsibilities shall entail appropriate disciplinary action. Access to information systems shall be provided based on job responsibilities and revoked or modified with changes in such responsibilities.

Personnel security must be implemented to address the risks of human error, theft, fraud, or misuse of facilities and assist all personnel in creating a secure computing environment.

Scope

This procedure applies to:

  • All staff (permanent and contractual) and non-employees (contractors, consultants, suppliers, vendors, etc.) of DMACC, and other individuals, entities or organizations that have access to and use DMACC's information systems and cardholder data environment in order to perform their daily job-related responsibilities or meet their contractual obligations.

Procedure Statements

General Statements

All staff shall ensure that they understand all relevant information security policies, procedures, guidelines, and standards.

All staff shall ensure that their daily activities follow relevant information security policies, procedures, and standards.

All staff shall ensure that adequate security measures are considered while handling all kinds of information assets.

Personnel Screening

The HR Department / personnel in charge of recruitment shall ensure that relevant checks are conducted during the recruitment of new staff to verify the information they have submitted. The screening process must include the following primary checks:

  • Verification of personal data (including date of birth, address and contact details)
  • Verification of relevant educational and professional qualifications
  • Verification of previous employment data
  • An assessment of reliability, by seeking professional references from previous employers
  • An assessment of personality, by seeking personal references from known sources
  • An assessment of background, by seeking criminal records or activities verifications through designated sources

Results of background checks shall be kept Confidential to DMACC and limited only to staff directly engaged in the staff engagement process.

Contractual Requirements

As part of the employee's contractual obligation, employees must agree to and sign the terms of their employment contract, which shall state their responsibilities regarding information security. This must form an integral part of the employee's contract.

The HR department shall include “Confidentiality agreement” or “Non-Disclosure Agreement” as part of the initial terms and conditions of employment for all prospective employees of DMACC.

The confidentiality statement shall reflect the commitment of the employee not to disclose confidential information belonging to DMACC during or, for a predefined time, after the employment.

It shall emphasize that the employee has a personal responsibility to protect and maintain the confidentiality of both company and employee information.

Roles and Responsibilities

Roles and responsibilities of each employee shall be defined and documented as part of the Job Description. The HR Manager shall ensure that all employees are aware of and understand their roles and responsibilities.

The relevant department heads, in consultation with the DMACC IT Security Team (IST), shall identify information security responsibilities for each employee group according to the responsibilities in the employee job description.

The job description shall also include general responsibilities for implementing or maintaining security policy, legal responsibilities and rights, as well as any specific responsibilities for the protection of assets (such as employer's data) or for the execution of particular security processes or activities, internal or external to DMACC.

During Employment

The HR Manager shall ensure that all staff records are maintained up to date, accurate and complete.

The HR Manager shall ensure that all staff immediately report any change related to their personal data to the HR Manager (e.g. marital status, professional certifications, address, contacts, etc.).

The HR Manager shall ensure that the day-to-day conduct of all staff on DMACC premises complies with their respective code of conduct.

Termination, Re-hiring, or Change of Employment

The HR Manager, in consultation with the DMACC IST, shall include the appropriate security clauses and procedures in the job change / job termination procedures for all employees of DMACC and ensure that appropriate and timely actions are taken so that internal controls and security are not impaired by such occurrences.

The procedures shall include but not be limited to:

  • Recovery of all DMACC documents, e-mail data, issued keys, tokens, records, reports, books, manuals, borrowed IT equipment (e.g. desktop, laptop, data media) and DMACC identity badges (all DMACC assets in the person's possession).
  • Revoking/deleting all entry and access rights held by the departing staff. This includes external access authorizations over data communications equipment. If, in an exceptional case, several persons shared an access right to an IT system (e.g. by using a common password), the access rights must be altered upon termination of employment of any one of those individuals.
  • It shall be explained explicitly to the departing person that all confidentiality agreements remain in force and that no information obtained during his/her work may be disclosed.
  • Third-party organizations supplying staff to DMACC shall notify the owner of the contract about their staff terminations.
  • A change in employment due to a job promotion or transfer shall follow a similar process for the return of assets, as necessary.

Disciplinary Actions

A formal disciplinary process shall be established for users violating DMACC's security policies and procedures. Such a process shall act as a deterrent to employees who might be inclined to disregard security policies. Additionally, it shall ensure the imposition of suitable sanctions on employees who are found to have committed serious or persistent violations.

The HR Manager, in coordination with the DMACC IST, shall ensure that non-compliance with the information security policies, procedures and standards is investigated and that disciplinary measures are enforced. Disciplinary measures may range from reprimand to suspension, dismissal or prosecution.

All staff who engage in misconduct or a security breach shall be subjected to a disciplinary process after prior verification and collection of evidence. Any misconduct or security breach of a serious nature may lead to termination of employment.

The formal disciplinary process shall provide for a graduated response by considering the following factors:

  • Nature and gravity of the breach
  • Its impact on business
  • Whether it is a first or repeat offence
  • Whether the violator was properly made aware and trained
  • Relevant legislation