8. Human Resource Security

Control objective: to ensure that all employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

8.1 Prior to Employment

    8.1.1 Roles and responsibilities

    Security roles and responsibilities of employees, contractors and third party users have been defined and documented as required by the Organisation’s information security policy.

      8.1.1.1 The Civil Service Bureau is responsible for ensuring that the Organisation has standard job descriptions for all roles, that contain defined security roles and responsibilities, and that these apply to all users of Organisational information assets. Job descriptions are provided to all prospective users prior to their recruitment.

      8.1.1.2 The Information Security Manager is responsible for ensuring that information security and IT staff have specific information security responsibilities and that these are detailed in their job descriptions.

      8.1.1.3 The Civil Service Bureau is responsible for ensuring that all users sign User Agreements (see 11.2) before they are allowed to access Organisational information assets; these User Agreements contain specific information security responsibilities.

      8.1.1.4 Owners of information assets have specific responsibilities, and these are documented in sub section 7.1.2 above.

      8.1.1.5 Other responsibilities are identified as necessary throughout the ISMS.

    8.1.2 Screening

    Background verification checks on all candidates for employment, contractors and third party users are carried out in line with DOC 8.1 and in accordance with the laws, regulations and ethics of the Kingdom of Bahrain, and are proportional to the Organisation's business requirements, the classification of the information to be accessed, and the perceived risks.

    8.1.3 Terms and conditions of employment
    Employees, contractors and third party users must agree to and sign the terms and conditions of their employment contract, which state their and the Organisation's responsibilities for information security.

8.2 During Employment
Control objective: to ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.

    8.2.1 Management responsibilities
    Management requires employees, contractors and third party users to apply security in accordance with the policies and procedures of the Organisation's ISMS.
      8.2.1.1 Management ensures that employees, contractors and third parties are appropriately briefed prior to being granted access to Organizational information assets (see 8.2.2).

      8.2.1.2 Management ensures that employees, contractors and third parties receive guidelines on security expectations (User Agreement, job descriptions and terms and conditions of employment).

      8.2.1.3 Management provides personal leadership and example in information security and ensures that the Organisation's policies and procedures are followed (see 6.1.8).

    8.2.2 Information security awareness, education and training

    All employees of the Organization and, where relevant, contractors and third party users receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

      8.2.2.1 The Information Security Manager is responsible for ensuring that all users receive standard information security induction and awareness training before they are allowed to access Organizational information assets. This includes the incident reporting procedure.

      8.2.2.2 The Information Security Manager is responsible for ensuring that all users receive regular updates and alerts on information security issues as and when necessary, and that additional security-related training is made available as and when required.

      8.2.2.3 The Information Security Manager is responsible for ensuring that specialized information security staff receive appropriate specialist training in line with their job requirements.

    8.2.3 Disciplinary process

    The Organisation has a formal disciplinary process for employees who have committed a security breach.

      8.2.3.1 Breaches of the Organisation’s ISMS may be treated as misconduct in terms of the Organisation’s disciplinary policy as issued by the Civil Service Bureau (which is set out in [where?]) and serious breaches may lead to dismissal.

8.3 Termination or Change of Employment
Control objective: to ensure that employees, contractors and third party users exit the Organisation or change employment in an orderly manner.

    8.3.1 Termination responsibilities
    Responsibilities for performing employment termination have been clearly defined and assigned by the Civil Service Bureau.

    8.3.2 Return of assets
    All employees, contractors and third party users are required to return all Organisational assets in their possession upon termination of their employment, contract or agreement.

    8.3.3 Removal of access rights
    The access rights of all employees, contractors and third party users to information and information processing facilities are removed upon termination of their employment, contract or agreement, or adjusted upon change of employment.

    Signed:

    Shaikh Salman Mohammed Al-Khalifa
    Director General of IT
    ____________________________
    On: 08 November, 2007

    Mohammed Al-Amer
    President of CIO
    _______________________________
    On: 08 November, 2007