Policy Template for Personnel Security

1.0 Purpose

This policy establishes the organization's personnel security policy for managing risks arising from personnel screening, onboarding, transfer, termination and management. The personnel security policy helps the organization apply security best practices to personnel processes and events.

2.0 Scope

This policy applies to all employees, interns and contractors (collectively referred to as "Users" in this policy) at {{organization.name}}.

3.0 Policy

All recruitment shall be carried out after careful scrutiny and examination of candidates.

All users shall have a contractual agreement with {{organization.name}} for not divulging any confidential or sensitive information to any unauthorized parties.

Roles and responsibilities shall be defined in the relevant job descriptions and communicated to individuals. 

{{organization.name}} shall conduct periodic training and awareness programs for all users on information security responsibilities.

3.1 Pre-Employment Checks

The organization shall carry out background and/or reference checks on all employees in accordance with relevant laws, regulations and ethics, and proportional to the business requirements. 

3.2 Terms and Conditions of Employment/Engagement

The terms and conditions of employment/engagement with {{organization.name}} shall mandate compliance with Information Security Policies by all users. This shall include a clause requiring the users to protect the confidentiality of information, both during and after the employment/contract is over with {{organization.name}}.

All users must be made aware of their security responsibilities through acknowledgement of an acceptable use agreement and through formal security awareness training.

All terms and conditions of employment shall be in compliance with the legal requirements under the concerned jurisdiction. 

3.3 During Employment 

The organization shall conduct annual performance evaluations by the end of the calendar year for employees who have been with the organization for more than a year. The respective supervisors are responsible for performing these formal performance evaluations at least annually, based on the criteria and objectives set forth in the job description.

A review of job descriptions shall be performed and any changes shall be communicated to individuals by {{organization.name}} management. 

Users shall undergo mandatory security awareness training at least annually.

3.4 Termination

All employees, contractors/subcontractors and trainees shall sign a separation agreement to safeguard the Intellectual Property Rights and confidential information of {{organization.name}} and its customers at the time of terminating their employment or business relationship with {{organization.name}}. Upon personnel termination, the organization must at least:

Remove their access from any systems or applications that processed sensitive information.

Revoke all digital certificates issued to them.

Recover any tokens or smart cards issued to them.

Recover any keys and IDs provided to them during their employment.

Remove all physical access to the facilities immediately.

Recover all devices, hardware and other material provided to them.

3.5 Contractors

All Contractors engaged with {{organization.name}} shall have a contractual agreement in place with {{organization.name}} for not divulging any confidential or sensitive information to any unauthorized parties both during and after the contract is over with {{organization.name}}.

The terms and conditions of engagement with {{organization.name}} shall mandate compliance with Information Security Policies. In addition, Contractors shall acknowledge their security responsibilities through acceptable use agreements.