Purpose

The purpose of this policy is: prior to employment, to ensure that employees understand their responsibilities and are suitable for the roles for which they are considered; during employment, to ensure that employees are aware of, and fulfil, their information security responsibilities; and at termination or change of employment, to protect the company’s interests as part of the process of changing or terminating employment.


Scope

This Human Resource Security Policy applies to all employees.


Policy Statements

Prior to Employment:

  • All candidates for employment must undergo background verification checks, which include:
    • Identity
    • Education, skills, and experience
    • Employment history
    • Character references
  • A criminal record check must be conducted if the employee will be handling personal data.
  • Contractual agreements with all employees will clearly outline the individual's responsibilities for information security. The terms and conditions include:
    • A confidentiality or non-disclosure agreement
    • Legal responsibilities and rights
    • Responsibilities for the classification of information
    • Responsibilities for the handling of external information
    • Regular review and updating of these responsibilities
  • All personnel must be made aware of and agree to the company's expectations related to information security.
  • The terms and conditions for employees are described in the RBS Mentor Portal.


During Employment:

  • Management must require and ensure all employees adhere to applicable information policies and procedures within the organisation. Managers must ensure that personnel apply security in accordance with standards, policies, and procedures by:
    • Briefing all personnel on their security roles and responsibilities prior to granting access to sensitive data and systems
    • Ensuring all personnel have access to these Information Security Standards
    • Ensuring all personnel conform to the terms and conditions of employment.
  • All employees must be made aware of the protection provided by the Whistle Blowing policy regarding the reporting of wrongdoings.
  • All employees must undergo awareness training based on their role, as well as relevant updates in policies and procedures applicable to their jobs:
    • Safeguarding sensitive information
    • Known threats to information security
    • Legal responsibilities
    • Information security standards, policies, directives, and guidelines
    • How to report information security events
    • Appropriate use of information and assets
    • Related disciplinary processes
    • How to obtain security advice
  • Management must require employees, contractors, and third-party users to apply security in accordance with the established policies and procedures of the organisation.
  • Training must be accompanied by an assessment procedure, based on the cyber security training content presented, to determine comprehension of key cyber security concepts and procedures.
  • There must be a formal and communicated disciplinary process in place to act against employees who have committed an information security breach.
  • If it is determined that an employee was responsible for a security breach or a violation of standards or policies, management must make the Managing Director aware.


Termination and Change of Employment:

  • Managers must advise personnel of their information security responsibilities when employment changes or is terminated. Terminated employees must be made aware of:
    • Ongoing security requirements, including the need not to disclose sensitive information
    • Legal responsibilities
    • Responsibilities described in confidentiality or non-disclosure agreements
    • Any other applicable policy, standard, or contract
  • This process includes exit interviews and the return of documents (and all copies thereof) and other property and materials in the employee's possession or control.
  • Managers can find the applicable instructions and forms in the RBS Mentor system.


Non-Compliance

In cases where it is determined that a breach or violation of policies has occurred, the management team will initiate corrective measures including restricting access to services or initiating disciplinary action up to and including dismissal.


Exceptions

In certain circumstances, exceptions to this policy may be allowed based on a review and acceptance of risk by the Managing Director, and must be formally documented.