2. Personnel, Recruitment and Training
This section of the toolkit adds further detail to the corresponding Personnel, Recruitment and Training sub-policy within the University's Information Security Policy.
Roles and responsibilities should include the requirement to implement and act in accordance with the information security policies, and should be defined and clearly communicated during the pre-employment process. Security roles and responsibilities can be included in job definitions and/or contracts. A code of conduct or acceptable use policy may also be used to cover the responsibilities of staff, students, contractors, conference guests or others. Where appropriate, verification checks on applicants for new positions (for example, character references) should be carried out before interview. For positions that will allow access to sensitive or confidential information, further background checks and vetting may be appropriate.
All parties should sign up to the University's policies before being granted access to services. Sign up can be done via a link to the terms and conditions when registering for an account, or via physical means such as inclusion in contracts of employment. It is important, however, to be able to demonstrate that users actively agree to abide by the policies. Similarly, means should be in place which can clearly demonstrate that all users are reminded of the policies on a regular basis. Once a year, or whenever significant changes occur, should normally suffice. For groups who have short-term access to information systems (e.g. contractors) more frequent reminders may be appropriate. Regular reminders could simply be via communications such as email, or may be an interactive process forming part of, for example, renewing user accounts and/or changing passwords.
Awareness, education and training should be suitable and relevant to the person's role, responsibilities and skills. They should include information on known threats, who to contact for further security advice and the proper channels for reporting information security incidents. Awareness training should commence with a formal induction process designed to introduce the unit's and the University's policies and expectations before access to information services is granted. For registered IT support staff, ITS3 at OUCS provide inductions on a regular basis which include briefings on incident handling from OxCERT. However, all staff should be made aware of their own responsibilities for the secure handling of information.
Training might include areas such as the security requirements for particular datasets and/or units, legal responsibilities, and training on the technical controls that can be put in place. However, it is vital (particularly when handling information classed as sensitive or confidential) that the limitations of technical controls are widely communicated and that social and personnel controls are not overlooked. For example, when data is to be protected by encryption, all staff having authorised access to the data must be made explicitly aware of the requirements for handling it (e.g. copies of the data must not be made onto personal devices).
Disciplinary processes can be used as a deterrent, but should also ensure fair and correct treatment for users who are suspected of committing a breach of security, taking into account first offences, level of skill, training and so on. In serious cases the process should allow for the immediate removal of duties, access rights and privileges.