Content library
CyberFundamentals (Belgium)
PR.IP-11: Cybersecurity is included in human resources practices (deprovisioning, personnel screening…).

How to fill the requirement

Process for removing hardware and access rights at termination of employment relationship
Theme: Personnel security
Policy: Changes in employment relationships

This task also fulfils these other security requirements:

  • 8.1.4: Return of assets (ISO27 Full)
  • 9.2.1: User registration and de-registration (ISO27 Full)
  • 9.2.6: Removal or adjustment of access rights (ISO27 Full)
  • UAC-03: Disabling unnecessary user accounts (Cyber Essentials)
  • PR.AC-1: Identity and credential management (NIST)

1. Task description

Our organization has defined procedures for coordinating the following at the time of termination of employment, e.g.:

  • Hardware recovery
  • Removal of access rights
  • Restoration of other information assets

Defining cyber security responsibilities and tasks in employment contracts
Theme: Personnel security
Policy: Cyber security in contracts

This task also fulfils these other security requirements:

  • 7.1.2: Terms and conditions of employment (ISO27 Full)
  • 7.3: Termination and change of employment (ISO27 Full)
  • 7.3.1: Termination or change of employment responsibilities (ISO27 Full)
  • PR.DS-5: Data leak protection (NIST)
  • PR.IP-11: Cybersecurity in human resources (NIST)

1. Task description

The employment contracts specify the responsibilities of the employee and the organization for cyber security.

Contracts should include e.g.:

  • the employee's legal responsibilities and rights, such as those related to copyright or data protection law
  • the employee's responsibility for following the instructions, e.g. related to the use of hardware and data and the classification of information
  • the employee's or temporary employee's responsibility for processing information received from other companies or other parties
  • measures if the employee or temporary worker violates the safety requirements of the organization
  • continuing obligations after termination of employment

Screenings and background checks before recruitment
Theme: Personnel security
Policy: Changes in employment relationships

This task also fulfils these other security requirements:

  • T09: Assessment of personnel reliability (Katakri)
  • 7.1.1: Screening (ISO27 Full)
  • PR.AC-6: Proof of identity (NIST)
  • PR.IP-11: Cybersecurity in human resources (NIST)
  • HAL-15: Information security of work throughout the employment relationship (Julkri)

1. Task description

Candidates applying for positions with cyber security responsibilities should have their background checked, taking into account relevant laws and regulations.

The check may include:

  • review of recommendations
  • verification of CV accuracy
  • verification of educational qualifications
  • verification of identity from an independent source
  • other more detailed checks (e.g. credit information, review of previous claims or criminal record)

The background check may also be extended to, for example, teleworkers, contractors or other third parties. The depth of the background check can be related to the category of the accessed data.

Informing about cyber security responsibilities that continue after the employment relationship has ended
Theme: Personnel security
Policy: Changes in employment relationships

This task also fulfils these other security requirements:

  • 7.3: Termination and change of employment (ISO27 Full)
  • 7.3.1: Termination or change of employment responsibilities (ISO27 Full)
  • PR.DS-5: Data leak protection (NIST)
  • 6.5: Responsibilities after termination or change of employment (ISO27k1 Full)
  • CC2.2: Internal communication of information (SOC 2)

1. Task description

The employment contract should distinguish between cyber security responsibilities and obligations that remain in force after the termination of the employment relationship. The employee should also be reminded of these at the end of the employment relationship to ensure compliance.

Arranging training and guidance during orientation (or before granting access rights)
Theme: Personnel security
Policy: Cyber security training

This task also fulfils these other security requirements:

  • 4 §: Organising information management in an information management unit (TiHL)
  • 7.3: Termination and change of employment (ISO27 Full)
  • 7.3.1: Termination or change of employment responsibilities (ISO27 Full)
  • 9.2.2: User access provisioning (ISO27 Full)
  • PR.IP-11: Cybersecurity in human resources (NIST)

1. Task description

Before being granted access rights to data systems containing confidential information, employees have:

  • received appropriate guidance on their security responsibilities (including reporting responsibilities and responsibility for their own devices)
  • received appropriate guidance on the security rules that apply to their own role (including the digital security rules, the information systems and the acceptable-use rules related to that role)
  • received the contact details of cyber security contacts who can be asked for more information

Training personnel with a changed role
Theme: Personnel security
Policy: Cyber security training

This task also fulfils these other security requirements:

  • 7.3: Termination and change of employment (ISO27 Full)
  • 7.3.1: Termination or change of employment responsibilities (ISO27 Full)
  • PR.IP-11: Cybersecurity in human resources (NIST)
  • 6.5: Responsibilities after termination or change of employment (ISO27k1 Full)
  • PR.IP-11: Cybersecurity is included in human resources practices (deprovisioning, personnel screening…). (CyFun)

1. Task description

Training arranged before granting access rights applies not only to new employees but also to those who move to new tasks or roles, especially when the data systems the person uses and the security requirements of the job role change significantly with the change of role. The training is arranged before the new job role becomes active.