Terms and conditions of employment
| Control type | Information Security Properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventative | Confidentiality, Integrity, Availability | Protect | HR security | Governance and ecosystem |
Definition
The employment contractual agreements should state the personnel’s and the organization’s responsibilities for information security.
What to include in the employment contract
The following can be considered:
• Non-disclosure agreements (NDAs)
• confidentiality agreements
• legal rights
Additional guidance
• Classification of information
• management of information
• management of assets
• information processing facilities
• information services
• handling information you get from third parties and interested parties
• what actions will be taken if you don’t follow the information security requirements
Communication
You will communicate roles and responsibilities for information security during the pre-employment phase of your process.
Agreement
Information security requirements should be agreed, which is usually done by the employee signing the contract and you keeping a copy of the contract on file.
Appropriateness of terms
You want to make sure that any terms and requirements are appropriate to the person, their role, what they do and the access they have.
Review of terms
As part of continual improvement, be sure to review the terms you have, especially if you change your policies or if laws or regulations change.
Non-Disclosure Agreement
There are certain things that will remain in place after employment, and this is usually defined for a set period of time. Consider things like a non-disclosure agreement and confidentiality agreement that you may want in place for 12 months after employment ends.
Employee handbook / code of conduct
Having an employee handbook or code of conduct is a fantastic way to share and communicate information security responsibilities and key messages, and I have seen this work well in many organizations.
Employees that come from an agency / third party
If you have employees that you do not employ directly but rather you use an agency or third party, then the agency or third party should really enter into a contract on behalf of those people.